The collective goes over in detail what they submitted in the lengthy
papers sent ahead of time to the N.S.A. for its review. The N.S.A., with
a few sponsored firms, then selects the specific personnel to study the
reports these handpicked firms address. Some topics may have an N.S.A.
mission need and/or impact, so in almost all instances of these meetings
NSA staff are present. Security is tremendous, to say the least.
These organizations are now gradually moving away from managing information
on paper and toward exchanging and sharing huge amounts of data
electronically via extremely fast digital formats using computers, in which
the N.S.A. has an interest.
4. Systems in use change over time, making some data inaccessible; and,
EPM sees the 21st century as significant for the deployment of its EDM set of
tools for Electronic Commerce and Product Data Technology standards, in
particular ISO 10303, the international standard for the representation and
exchange of product model data (also known as STEP), and EXPRESS-compliant
products. EXPRESS is a product suite that contains the tools needed to begin
implementing the product data technology standards for the 21st century by
creating and managing EXPRESS schemata, customizing data models, and
establishing product-data databases and archives. EXPRESS products from
EPM Technology are available today to meet crucial needs for future success.
EDM is modular by design, enabling a firm to mix and match the products and
options they want, and to easily expand or update the system as their needs
change and as the standard continues to evolve. EDM products are available for
UNIX or Microsoft Windows platforms.
EDM is designed to make all product details, not just visual details, available to a
variety of users during all phases of engineering, development, production,
operation and maintenance. Ultimately, the EXPRESS Data Manager helps
transform many business theories into realistic business goals, goals which will
ensure a strategic, competitive edge for projects and companies, large or small.
Mark Loepker: Chief, Information Assurance Process Special Project Office,
Information Assurance Solutions, National Security Agency. He is responsible for
all matters impacting the development, refinement, and implementation of the
information assurance solution process. In this capacity, Mr. Loepker leads the
Secret and Below Interoperability (SABI) project. He last served with the
Command, Control, Communications, and Computer Systems Directorate, U.S.
European Command, as Chief, Information Systems Security Division,
responsible for all European theater policy and policy enforcement concerning
information warfare and communications and computer security. During this tour,
he led INFOSEC actions in support of Operation Provide Comfort, Joint
Endeavor, and Combined Endeavor (Partnership for Peace).
Curtis Dukes: Deputy Chief, Architectures and Applications Division of the
Systems and Network Attack Center, National Security Agency. He is responsible
for the technical direction of the Intrusion Detection and Enterprise Management
System's vulnerability research within the Center. In this capacity, he leads the
Joint Vulnerability Assessment Process of the Secret and Below Interoperability
(SABI) Initiative. He previously served in an Intelligence Community assignment
in the Directorate of Operations, Central Intelligence Agency.
Chuck Schreiner: Chief of the Solution Security Analysis Division, National
Security Agency, which provides customers with vulnerability analysis and test
services to support their local risk decisions. He has held previous positions as
NSA Representative to the Pentagon, Technical Director for Fielded Systems,
and Deputy Chief of the RF Communications Division.
Willard Unkenholz: Technical Director for the System Security Guidance and
Evaluation Division, National Security Agency. His current duties involve
developing and leading the DoD risk analysis capabilities applied to the Secret
and Below Interoperability Initiative.
Corky Parks: risk analyst in the System Security Guidance and Evaluation
Division, National Security Agency. His areas of interest include the theory and
practice of information risk management, and decision theory.
Dallas Pearson: Technical Director for Security and Evaluations in National
Security Agency’s Office of Information Assurance Solutions Deployment and
Maintenance. All of Dallas’ 29 years at NSA have been in technical roles in
COMSEC and INFOSEC. He received a Bachelor of Science in Physics from the
University of Southern Mississippi in 1970 and a Master of Science in Systems
Engineering from Johns Hopkins University in 1995. He is a co-author of NSA’s
Information Systems Security Engineering (ISSE) Handbook and teaches an
in-house introduction to ISSE course.
The goal of SABI is to ensure secure secret and below interoperability solutions
for the Warfighter within community-acceptable risks. It is a network-centric
process with procedures to review interconnections and leverage proven solution
reuse. It is founded on information system security engineering (ISSE) principles
whereby information systems security (INFOSEC) is integrated as a part of
systems engineering and systems acquisition processes, strong customer
participation in support of mission needs, and the optimal use of INFOSEC
disciplines to provide security solutions. Documentation implements the DoD
Instruction 5200.40, Defense Information Technology Security Certification and
Accreditation Process (DITSCAP).
The SABI process teams the local site customer with appropriate engineering,
risk, vulnerability, training and programmatic community risk-focused support
necessary to develop the right solution for the customer's SABI requirement.
SABI maintains this community team throughout the system security engineering
process. This strengthens the community risk acceptability of a specific site
solution through continued dialog and participation of all relevant stakeholders.
During the discussion about the current status of the SABI program, the panel
will focus on the progress and impact of the National Information Assurance
Certification and Accreditation Process (NIACAP), NSTISSI 1000.
Topic Workgroup Meeting Examples
Shown below are some examples of how an NISSC topic workgroup meeting
itinerary might appear; such an outline could also begin with background
information, as follows:
In January 1981, the National Computer Security Center (NCSC) was
established and assumed responsibility for the activities of the Initiative. The
NCSC encourages the development of trusted computing system products,
develops computer security standards and guidelines for interested users, and
sponsors basic research in this robust field.
The NCSC also promotes information security education and cooperates with the
National Institute of Standards and Technology (NIST) to provide computer
security assistance to other government departments and agencies.
NIST built a new Information Technology Laboratory (ITL) in response to the
growing need for measurement and testing technology to support the
development of computing and communications systems that are usable,
scalable, interoperable, and secure. This need has come into sharper focus in
recent years with the national effort to develop an information infrastructure and
to support U. S. Industry in a global information marketplace.
The ITL seeks to enable the usability, scalability, interoperability, and security of
information technology through a focus on three areas:
Since 1972, NIST has played a vital role in protecting the security and integrity of
information in computer systems in the public and private sectors. The Computer
Security Act of 1987 reaffirmed NIST's leadership role in the federal government
for the protection of unclassified information. NIST assists industry and
government by promoting and supporting better security planning, technology,
awareness, and training. In addition, NIST fosters the development of national
and international standards for security technology and commercial off-the-shelf
(COTS) security products.
On October 24, 2001, a conference was held at the Hyatt Regency and the
itinerary was scheduled as follows:
This panel will focus on the progress of the TTAP initiative including the lessons
learned from the prototype effort to validate the process, procedures, and
documentation to support the program in a commercial environment.
PANEL: Using Security to Meet Business Needs - An Integrated View From the
United Kingdom (677)
This panel discusses the use of risk management techniques in the identification,
accreditation, and maintenance of appropriate security profiles for single
organization systems dispersed across a wide range of sites.
This year's workshop focuses on the need to identify new approaches for proving
security in very heterogeneous, highly internetworked environments.
Track D--Internet--Ballroom 1
OVERVIEW
PANEL: Ethical and Responsible Behavior for Children to Senior Citizens in the
Information Age - Community Responsibilities
Future Activities
This tutorial will use an interactive computer-based training course to present the
basics of information system security (INFOSEC). The course is composed of
five instructional units: information systems overview, threats, INFOSEC
solutions, INFOSEC techniques, and risks management.
EDI Moves from the VAN to the Internet (98): B. Bradford, University of Maryland
PANEL
Best of the New Security Paradigms Workshop (continued from 2:00) (693)
This year's workshop focuses on the need to identify new approaches for proving
security in very heterogeneous, highly internetworked environments.
PANEL
This panel will discuss the Information Warfare scenario, which has received a
great deal of attention from national security planners, legislators, the military,
intelligence agencies, the media, and industry.
Track E--Legal Perspectives--Ballroom 4
Panelists: The Honorable L. Alden, Judge, Fairfax County Circuit Court (741); S.
Mandell, Esq., The Mandell Law Firm (749); R. Palenski, Esq., Gordon and
Glickson, P.C. (749); S. Ray, Esq., Kruchko & Fries (800)
This panel will discuss how the legal system is dealing with crimes involving the
use of computers. Because computers are relatively new in the world of
established criminal law, many of the illegal events associated with the use of
computers did not come with definitions established by legislation or case law.
Malicious Data and System Security (334): O. Sibert, Oxford Systems, Inc.
PANEL
Webware: Nightmare or Dream Come True? (844)
This panel will discuss the risks involved in the open-ended security problem
introduced by world-wide web browsers and programming languages such as
Java and JavaScript, as well as other languages with similar problems, such as
ActiveX, Microsoft WORD macros, and PostScript. Specific attention will be
given to how to succeed intelligently.
This panel will discuss its successes since the first year of this joint
partnership to develop and integrate security technology. The partnership will
maximize security solutions for building the DII & NII.
Panelists: J. Adams, NSA; Speaker TBD, WITAT System Analysis & Operational
Assurance Subgroup Chair; M. Abrams, The MITRE Organization, WITAT Impact
Mitigation Subgroup Chair; Speaker TBD, WITAT Determining Assurance Mix
Subgroup Chair
PANEL
PANEL
This panel will familiarize the audience with PKI standards, interoperability
solutions, and implementation issues. This session will concentrate on technical
specifications and standards; the session that follows will review lessons learned
during implementation of existing PKIs.
Track D--Internet--Ballroom 1
PANEL
Security in World Wide Web Browsers - More than Visa cards? (737)
This panel will discuss the security problems and solutions required to handle
electronic commerce via the Internet.
PANEL
This panel will discuss some case studies of system break-ins, what information
system administrators should focus on saving for the evidentiary trail, and some
resources available to the system administrator should a break-in be attempted.
PANEL
This panel will discuss managing a computer security program in light of budget
constraints, reorganizing and downsizing, and the continuous decentralization of
ever increasing complex computing and communications environments.
PANEL
This panel will discuss various kinds of availability policies, highlighting impact
assumptions and potential conflicts with other kinds of security policies.
Track H--Solutions--Room343-344
PANEL
This tutorial focuses on security issues for commercial operating systems. Topics
include common vulnerabilities, security services, and potential safeguards.
Specific capabilities of several commercially available operating systems will be
discussed.
Wednesday, October 23rd, 10:30 A.M. - 12:00 Noon
PANEL
Paper
The Certification of the Interim Key Escrow System (26): R. Snouffer, NIST
Paper
PANEL
Track D--Internet--Ballroom 1
OVERVIEW
The speaker will discuss the history of Electronic Data Interchange and how
today's marketplace on the Internet needs cost effective and secure business
solutions to function over the World Wide Web.
PANEL
This panel will discuss the liabilities associated with the increased expansion of
increasingly complex computer networks and associated services.
Track F--Management & Administration--Room 341-342
PANEL
This panel will discuss security issues to be addressed when building a data
repository that will be shared by different communities of interest.
PANEL
This panel will discuss where assurance and functionality in commercial systems
are going.
This tutorial focuses on basic issues in network security and gives an overview of
the implementing process. Topics include network security concerns and
services, vendor qualification issues, system composition and interconnection,
and cascading.
War Stories
This panel will discuss whether firewalls can be effectively rated, what the rating
criteria are, characteristics of firewalls that don't lend themselves to rating, and
how well rating and testing actually work.
PANEL
The speakers will provide practical information that can be used to understand
the virus threat; institute low cost preventative mechanisms; develop and
implement enterprise response mechanisms, including when to contact the
experts; and monitor the effectiveness of the tools and program within the
enterprise. Thirty attendees will be able to get hands-on practice in the lab in
Room 330 during Part 2 of the lecture.
Track D--Internet--Ballroom 1
The panelists will address cybercrime issues and how they affect legal competitive
intelligence, the National Information Infrastructure, information warriors, and the
commercial business environment. Examples ranging from traditional organized crime
elements to individual "Cyber-Terrorists", as well as proposed changes in
Government strategies, will be presented.
PANEL
This panel will discuss the incident handling policy and procedures that have
been implemented within their organizations. They will also discuss a new
methodology that system administrators can use for characterizing network
security tools.
PANEL
This tutorial focuses on database security issues from the standpoint of using
database management systems to meet the organization's security requirements.
Topics include data security requirements, vulnerabilities, database design
considerations, and implementation issues.
Wednesday, October 23rd, 4:00 P.M. - 6:00 P.M.
PANEL
The Trusted Product Evaluation Program: Direction for the Future (656)
B is for Business - Mandatory Security Criteria & the OECD Guidelines for
Information Systems Security (152): W. Caelli, Queensland University of
Technology, Australia
Key Escrowing Systems and Limited One Way Functions (202): W. T. Jennings,
E-Systems
The Keys to a Reliable Escrow Agreement (215): R. Sheffield, Fort Knox Escrow
Services, Inc.
Track D--Internet--Ballroom 1
A Case for Avoiding Security-Enhanced HTTP Tools to Improve Security for Web
Based Applications (267): B. Wood, Sandia National Laboratories
PANEL
Legal Aspects of the Internet - Rights and Obligations of Users and Vendors
Panelists: C. Merrill, Esq., Carter & English; M. Lemley, Esq., Professor of Law,
University of Texas; M. Godwin, Esq., Electronic Frontier Foundation
The panelists will discuss digital signatures, on-line contracting and the liability
issues for the operator and the user.
Track F--Management & Administration--Room 341-342
PANEL
This panel will discuss their experiences from other disciplines with mandatory
reporting of security incidents and accidents, with an eye to avoiding known
pitfalls and benefiting from their years of experience.
PANEL
Facing the Challenge: Secure Network Technology for the 21st Century (867)
This panel discusses current initiatives and collaborations within the research
communities in government, industry, and academia. Additionally, room 347-348
is set up to demonstrate examples of core technologies to include Token
Technology, Voice Verification, Real-time Encrypted Voice, Firewalls, Secure
Wireless Communications, and others.
The panelists will discuss the Common Criteria trial version's structure and
content, the status and results to date of the trial-use and implementation
activities, the planned future of the project, and the expected impact of all this
work on US and international IT security communities.
OVERVIEW
Security Concerns in the Private Sector - Banking: S. Ross, Deloitte & Touche
OVERVIEW
Track D--Internet--Ballroom 1
PANEL
Secure Use of the World Wide Web: Moving From Sandbox to Infrastructure
This panel will explore the current state of practice in WWW security practices
and standards, and provide predictions for the evolution of these security
services in the commercial environment.
PANEL
This panel will address a variety of legal and technical issues concerning the
V-chip, a hardware device inserted into new televisions which can identify labels
attached to movies, etc.
PANEL
This panel will discuss the perspectives of Industrial Espionage as the focus of a
multi-national problem which affects everyone.
Real World Anti-Virus Product Reviews and Evaluation - The Current State of
Affairs (526): S. Gordon, Command Systems, Inc.
Views of Assurances
Chairman: D. Kinch, N.S.A.
OVERVIEW
PANEL
The panelists will discuss new ideas for transforming organizational needs into
security controls and policies.
Track D--Internet--Ballroom 1
PANEL
Attack/Defense (738)
The panel will discuss how the role of the Internet security practitioner has
changed. Keeping the bad guys out is no longer the prime goal of security;
rather, it is the prompt and accurate identification of intrusions (or, preferably, intrusion
attempts) and minimizing the damages. This session examines these "popular"
attacks and presents ways to effectively defend your site against them.
PANEL
This panel will examine the technical, policy, and legal issues involved in
establishing and implementing appropriate protections for patient medical
records and other types of health information.
PANEL
Panelists from outside the United States will discuss their views on cryptography
policy and national and international proposals and initiatives.
Defenses in Networks
PANEL
Panelists: TBD
This panel will discuss why standards and protocols are needed for the increased
use of the Internet by personal as well as business ventures.
Thursday, October 24th, 2:00 P.M. - 3:30 P.M.
OVERVIEW
These sessions will investigate Data Warehousing from what it is to what are the
security issues associated with it. These sessions will provide a basis for a Friday
afternoon workshop co-sponsored by the IEEE Mass Storage Committee. The
goal of the workshop is to provide direction in future R&D efforts ensuring optimal
security for Data Warehousing and Data Mining environments.
Track D--Internet--Ballroom 1
PANEL
The speakers will formally describe what the web is and does, indicate how it differs
from "normal" Internet use, show how it is used in typical and popular operational modes,
and point out the nature and magnitude of primary vulnerabilities.
Track E--Legal Perspectives--Ballroom 4
PANEL
Panelists: A. Weiner, Esq., Weiner, Astrachan, Gunst, Hillman & Allen; K. Bass,
III, Venable, Baetjer, Howard & Civeletti
The panel will present, discuss, and analyze the legal issues involving several
actual criminal incidents that have occurred in Cyberspace.
PANEL
Surviving the Year 2000 Time Bomb (839): G. Hammonds, AGCS, Inc.
This panel will identify the complexity and magnitude of the Year 2000 Problem,
why so many people will likely be affected, and some practical near- and
long-term solutions.
PANEL
Toward a Common Framework for Role-Based Access Control (868)*
This panel will discuss the issues related to the development of a common
reference model for Role-Based Access Control.
PANEL
Workshop Report on the Role of Optical Systems and Devices for Security (879)
This panel will address security and vulnerabilities in all-optical networks, discuss
the use of optics for information encoding, and introduce some applications that
might take advantage of optical technology.
The Common Criteria has been developed as the next generation of IT Security
Criteria replacing the TCSEC, ITSEC, and CTCPEC. This session will provide a
working knowledge of the concepts and contents of the Common Criteria.
PANEL
OVERVIEW
Track D--Internet--Ballroom 1
PANEL
The speakers will show how to treat the vulnerabilities uncovered in the first
session in and of themselves, and as a part of both Internet security programs
and total security programs.
(OPEN)
PANEL
Security Siblings
Chairman: C. Pfleeger, Trusted Information Systems, Inc.
This panel will discuss other venues of assurance developed in the reliability,
safety-critical, and fault-tolerant communities as well as the security community. By working
together, we can reduce the expense of repeating each other's errors and share
our successes.
Management Model for the Federal Public Key Infrastructure (438): N. Nazario,
NIST
Security Policies for the Federal Public Key Infrastructure (445): N. Nazario,
NIST
PANEL
The panel will discuss the National Research Council (N.R.C.) report on
Cryptography and its role.
PANEL
The speakers will discuss their goals for secure networking and assurance
technologies in the following areas: Intrusion Detection, Secure Mobile
Computing, and new inroads to Internet Security.
Track C--In Depth--Room 349-350
PANEL
PANEL
The panelists will provide a background of the methodology and tools used by
reviewers of information assets in the corporate environment.
Security for Mobile Agents: Issues and Requirements (591), V. Swarup, The
MITRE Corporation
IGOR: The Intelligence Guard for ONI Replication (607), R. Shore, The ISX
Corporation
Friday, October 25th, 10:20 A.M. - 12:30 P.M.
The need for seamless, value-added, yet end-to-end secure and cost-effective
information systems and networks in a rapidly evolving technological world that is
globally competitive has created extraordinary demands and challenges for the
public, academic, and private sectors. Each is asking itself how to meet the
future with a stalwart information infrastructure, and wondering what the roles and
contributions of the other two sectors will or should be.
* What challenges do you perceive for your own business or end-user community
with respect to information system security?
* As you move into new technology, how do you see the challenges changing,
evolving, or growing more serious?
* How do you think these challenges can best be dealt with -- from a
management view; from a public policy view; from a technical view; from a
business view?
* What do you see as the respective roles for government, industry, and
academia as the country and the world move into an ever more
information-intensive future?
* What do you see that industry, government, and academia should be doing in
computer security? What is each doing well or not so well now?
Demonstrations and Activities
The Workshop follows from the two Thursday sessions on Data Warehousing. The output
of the workshop should be research directions for future Data Warehousing security
solutions. The workshop is co-sponsored by the IEEE Mass Storage Committee and will
become a component of the next IEEE Mass Storage Symposium.
General Information
Meeting Site: The conference will be held at the Baltimore Convention Center, 1 West
Pratt Street, Baltimore, Maryland, close to the Baltimore Inner Harbor area. The Opening
Plenary Session will be held in Ballroom I, on the Ballroom Level (enter the Pratt Street
lobby). Registration and information services, and all technical sessions, will be held on
the third floor Meeting Room Level and the fourth floor Ballroom Level. The Convention
Center is conveniently located close to hotels, major highways, and numerous restaurants,
shops, and sightseeing attractions.
Transportation: For those attendees not staying in Baltimore, daily bus service will be
provided from the parking lot across from the National Computer Security Center
(NCSC) Fanx III, 840 Elkridge Landing Road, Linthicum, MD. The buses will run in a
round-robin fashion from the NCSC from 7:00 a.m. to 8:30 a.m. Buses will return to the
NCSC at the end of the sessions each day, following the banquet, and periodically
throughout the awards reception.
Communications: Messages will be taken for conference attendees between the hours of
8 a.m. and 5 p.m. Tuesday through Thursday, and between the hours of 8 a.m. and 12
noon on Friday. Messages will be posted on a message board adjacent to the
Registration/Information Area. Attendees will not be called out of a meeting except for
emergencies. The phone numbers for leaving messages will be posted on the message
board.
Evaluation Forms: Evaluation forms are provided in your conference folder for your
comments. Please leave the completed forms in the boxes provided at the registration
area. We thank you in advance for your comments since your comments help the
committee to develop and improve the conference program each year.
Volunteers: If you would like to serve as a referee for the 20th National Information
Systems Security Conference being planned for October 1997, please e-mail
NISSConference@dockmaster.ncsc.mil or call (410) 850-0272.
Special Interest Rooms: There will be a limited number of rooms available for special
interest discussions ("Birds of a Feather," etc.). These rooms may be reserved in one-hour
increments and must not be used for commercial purposes. To reserve a room, please stop
at the registration area.
Breaks and Lunches
Coffee service: Provided to all the attendees during registration each morning and at
mid-morning and mid-afternoon breaks. Attendees will be free at lunch time to explore the
convenient restaurants or other sites near the Convention Center.
On Wednesday, box lunches will be provided to the first 1,500 attendees on a first-come,
first-served basis at the AFCEA exhibit in Hall G.
Banquet: The conference banquet will be held on Wednesday, October 23, beginning with
a cash bar reception at 6 p.m. and followed by dinner at 7 p.m. The dinner speaker is
Kenneth Chenault, Vice Chairman, American Express Co., Inc. A coupon for this event,
which may be exchanged for a dinner ticket on a first-come, first-served basis, will be
included in each attendee's registration kit.
Awards Ceremony and Reception: On Thursday, October 24, at 2:00 pm in rooms 337-
338, awards will be presented to vendors that have successfully developed security
product lines that have been approved by the NIST Validation Program or the NCSC
Trusted Computer System Evaluation Program. Following the award presentation,
conference participants will have an opportunity to learn more about these products as
each vendor hosts a display. Awards also will be presented to companies that have
participated in Systems Security Engineering Capability Maturity Model (SSE-CMM)
pilot appraisals. You are invited to visit the SSE-CMM project display for more
information regarding this community-supported initiative. An awards reception will
begin at 6 p.m. in the lower lobby. A ticket for the reception will be included in the
registration kit of each registered attendee.