Business Intelligence

BUSINESS INTELLIGENCE
N.S.A. & BUSINESS NETWORKING

ECHELONS
[ Click Image (above) To Learn More About EPM ]
National Information Systems Security

U.S.A., Washington, D. C. - November 1, 2001: The National
Information Systems Security Conference (aka) NISSC holds special
annual conferences where handpicked representatives of top corporate
America and top intelligence agencies get together on a variety of
subjects which relates to industrial modeling information systems and
security management. Such a curious intertwining of business leaders
channeling and brainstorming directly with intelligence hierarchy
officials is absolutely amazing, as shown in detail here.
This think tank of sorts, conducts its business intelligence

brainstorming in any one of a variety of pre-scheduled meeting
places around the World. As an example, one year it met be held at
what once was (until 2001) one of the many U.S. National Security
Agency (aka) N.S.A. listening post for the global ECHELON
telecommunication satellite surveillance intelligence station at Bad
Aibling Station (aka) BAS, located inside the little village of
Mietraching, Germany while the following year, it could meet at the
Hyatt Regency Hotel & Convention Center in Orlando, Florida.
The National Security Agency (aka) N.S.A., is NISSC's "host" and

working participant along with a few "handpicked" American and
foreign firms, i.e. I.B.M., FUJITSU, BOEING, SIEMENS, LOCKHEED-
GRUMAN, SAAB, ARINC, BAES SYSTEMS, PTC, AIRBUS, ROCKWELL-
COLLINS, MICROSOFT, MITRE, and even ESTEE LAUDER (a cosmetics
firm), to name just a few.
The collective, goes over "in detail", what they submitted in their
lengthy papers sent ahead of time to, the N.S.A. for its review. The
N.S.A. with a few sponsored firms then select their specific personnel
to study the reports these handpicked firms address. Some topics may
have an N.S.A. mission need and/pr, impact so in most all instances of
these meetings, NSA staff are present. Security is tremendous, to say
the least.
The focus on "information system security" a subject matter the N.S.A.

no doubt has already written the book on - provides this co-joint think
tank workshop exercises the time to study how a new information
security management system will best serve their future needs.
The prime subject matter's intelligence, deals with encryption codes,

dictionary standards and, methods for using and/or modifying a new
form of high-technology information management transference which,
is already designed to provide heightened security when handshaking
of data occurs over the internet and other means via satellite system
links for all these firm's current and future information requirements.
EPM - The Software Mastermind Firm
The purpose of EPM TECHNOLOGY, a JOTNE firm, based out of Oslo, Norway,
is distributing - with the blessing of the N.S.A. - its form of modularly innovative
high-tech data management technology throughout global organizations in a
variety of industries.
Specifically, the focus is on EPM Technology's, EXPRESS Data Manager (aka)

EDM based tools, designed for the many uses for its global multi-user customer's
Management Information Systems (aka) M.I.S..
These organizations are now gradually moving away from managing information
"on paper" and toward, being able to exchange and share huge amounts of data
electronically via extremely fast digital formats using computers which, the N.S.A.
has an interest in.
EPM's technology creation management system tools enable product data to be

effectively managed, exchanged and shared across radically different systems,
independent of location, type or network design. It allows access to this data
throughout the life cycle of the product and ensures that the information is in a
form that can be accessed and interpreted for decades to come.
It is already quick, easy and inexpensive to transfer or access basic, everyday

information via Databases, E-Mail, Internet Websites and, Intranet.
It is nearly impossible, however, to accurately and reliably exchange, share and

manipulate complex, technical data about a product - its design, properties and
structures, its development and history, its costs and maintenance, etc..
Problems arise because:
1. Different systems are used to design, analyze, manufacture and document a

product.;
2. Each system has its own way of representing data.;
3. Each group or organization tends to choose its own systems.;
4. Systems in use change over time, making some data inaccessible.; and,
5. Different hardware and software environments are a fact of computer life.
The ability to efficiently transfer and translate sophisticated product data,

independent of hardware and software environments, is now recognized
worldwide as the next, natural and vital step in the evolution of product data
technology and product information management. This ability is considered
essential for effective communication and cooperation, not only within work
groups and among colleagues but with customers, suppliers, users and business
partners. It is considered absolutely critical if an organization wants to archive
and maintain a competitive advantage well into the 21st century.
EPM sees the 21st century as significant for the deployment of its EDM set of
tools for Electronic Commerce and Product Data Technology standards - in
particular ISO 10303 - the international standard for the representation and
exchange of product model data, also known as STEP and EXPRESS-compliant
products EXPRESS, is a product suite that contains the tools needed to begin
implementing the product data technology standards for the 21st century by,
creating and managing EXPRESS schemata, customizing data models, and
establishing product-data databases and archives. EXPRESS products from
EPM Technology are available today to meet crucial needs for future success.
EDM is modular by design, enabling a firm to mix and match the products and
options they want, and to easily expand or update the system as their needs
change and as the standard continues to evolve. EDM products are available for
UNIX or Microsoft Windows platforms.
EDM is designed to make all product details, not just visual details, available to a
variety of users during all phases of engineering, development, production,
operation and maintenance. Ultimately, the EXPRESS Data Manager helps
transform many business theories into realistic business goals; goals which will
ensure a strategic, competitive edge for projects and companies, large or small:
1. Minimize product life-cycle costs.;
2. Provide continuous acquisition and life-cycle support (CALS).;
3. Ensure data integrity.;
4. Collaborate in virtual or extended enterprises;
5. Shorten product development cycles.;
6. Support concurrent product and process development.; and,
7. Respond with agility to changing customer needs.
The information handled by the EXPRESS Data Manager is contained in data

models rather than in paper-based blueprints or application-specific programs,
databases or texts. These models are created and defined in EXPRESS, the
information modeling language specified in STEP (ISO 10303-11).
Like other computer languages, EXPRESS has a well-defined syntax, structure

and set of language rules. In sharp contrast to other languages, however, in an
EXPRESS-based approach to product data the models are totally independent of
any underlying implementation tools.
As the foundation for EPM Technology's EDM, EXPRESS makes it possible to
link pieces of information that were once isolated from one another by
incompatible formats. Together, EXPRESS and the EXPRESS Data Manager
make it possible to overcome one of the main obstacles in true business and
process integration for the future.
NSA-EDM Cast Of Business Character Interests
To demonstrate a few examples of which EDM character firms might be

represented and how they might interact with the N.S.A. in being
casted for tutorials in an N.S.A. workshop workgroup and, in what the subject
areas of information management security focus might specifically be, is
ascertained by reviewing the minutes of previous meetings, studying a 1997
NISSC pre-scheduled meeting’s itineraries, topics and subject matter along with
their chairman's and panelists, as follows:
The Secret and Below Interoperability (aka) SABI Process
Continuing the Discovery of Community Risk

Monday, 1:30 Rooms: ____ - ____
Chairman: Mark Loepker, National Security Agency
Panelists: Curtis Dukes, National Security Agency; Charles Schreiner, National

Security Agency; Willard Unkenholz, National Security Agency; Corky Parks,
National Security Agency; Dallas Pearson, National Security Agency; Warner
Brake, Defense Information Systems Agency.
Topic Chairman and Panelist's Biographies
Mark Loepker: The Chief, Information Assurance Process Special Project Office,
Information Assurance Solutions, National Security Agency. He is responsible for
all matters impacting the development, refinement, and implementation of the
information assurance solution process. In this capacity, Mr. Loepker leads the
Secret and Below Interoperability (SABI) project. He last served with the
Command, Control, Communications, and Computer Systems Directorate, U.S.
European Command, as Chief, Information Systems Security Division,
responsible for all European theater policy and policy enforcement concerning
information warfare and communications and computer security. During this tour,
he led INFOSEC actions in support of Operation Provide Comfort, Joint
Endeavor, and Combined Endeavor (Partnership for Peace).;
Curtis Dukes: is the Deputy Chief, Architectures and Applications Division of the
Systems and Network Attack Center, National Security Agency. He is responsible
for the technical direction of the Intrusion Detection and Enterprise Management
System's vulnerability research within the Center. In this capacity, he leads the
Joint Vulnerability Assessment Process of the Secret and Below Interoperability
(SABI) Initiative. He previously served in an Intelligence Community assignment
in the Directorate of Operations, Central Intelligence Agency.;
Chuck Schreiner: the Chief of the Solution Security Analysis Division, National
Security Agency, which provides customers with vulnerability analysis and test
services to support their local risk decisions. He has held previous positions as
NSA Representative to the Pentagon, Technical Director for Fielded Systems,
and Deputy Chief of the RF Communications Division. ;
Willard Unkenholz: a Technical Director for the System Security Guidance and
Evaluation Division, National Security Agency. His current duties involve
developing and leading the DoD risk analysis capabilities applied to the Secret
and Below Interoperability Initiative.;
Corky Parks: a risk analyst in the System Security Guidance and Evaluation
Division, National Security Agency. His areas of interest include the theory and
practice of information risk management, and decision theory.;
Dallas Pearson: the Technical Director for Security and Evaluations in National
Security Agency’s Office of Information Assurance Solutions Deployment and
Maintenance. All of Dallas’ 29 years at NSA have been in technical roles in
COMSEC and INFOSEC. He received a Bachelor of Science in Physics from the
University of Southern Mississippi in 1970 and a Master of Science in Systems
Engineering from Johns Hopkins University in 1995. He is a co-author of NSA’s
Information Systems Security Engineering (ISSE) Handbook and teaches an in-
house introduction to ISSE course.;
Warner Brake: the Deputy Chief, Information Assurance Implementation Branch

of the Information Assurance Program Management Office, Defense Information
Systems Agency. He is the senior certification test director and advisor for
certification team members, who perform in-depth technical certification testing
and compliance validation of DISA pillar, Joint, and NATO programs. He is also
responsible for the periodic review and update of DOD Instruction 5200.40, DOD
Information Technology Security Connection Approval Process (DITSCAP), and
the operation of the Information Assurance Support Environment information
desk and website.
Secret and Below Interoperability (aka) SABI, is an Information Assurance

initiative mandated by the Assistant Secretary of Defense for Command, Control,
Communications, and Intelligence (ASD/C3I) and sponsored by the Joint Chiefs
of Staff, Command, Control, Communications, and Computer Systems (JS/J6).
SABI improves the security posture of all secret and below DoD systems by
using a community-based risk acceptance approach. SABI utilizes proven
system security engineering to address the risks to the community, and employs
mission-oriented risk management in making sound community decisions.
The goal of SABI is to ensure secure secret and below interoperability solutions
for the Warfighter within community-acceptable risks. It is a network-centric
process with procedures to review interconnections and leverage proven solution
reuse. It is founded on information system security engineering (ISSE) principles
whereby information systems security (INFOSEC) is integrated as a part of
systems engineering and systems acquisition processes, strong customer
participation in support of mission needs, and the optimal use of INFOSEC
disciplines to provide security solutions. Documentation implements the DoD
Instruction 5200.40, Defense Information Technology Security Certification and
Accreditation Process (DITSCAP).
The SABI process teams the local site customer with appropriate engineering,
risk, vulnerability, training and programmatic community risk-focused support
necessary to develop the right solution for the customer's SABI requirement.
SABI maintains this community team throughout the system security engineering
process. This strengthens the community risk acceptability of a specific site
solution through continued dialog and participation of all relevant stakeholders.
During the discussion about the current status of the SABI program, the panel
will focus on the progress and impact of the National Information Assurance
Certification and Accreditation Process (NIACAP), NSTISSI 1000.
Topic Workgroup Meeting Examples
Depicted below, are just some examples only, of how an NISSC topic workgroup
itinerary meeting outline might appear which, could also begin with a background
of information, as follows:
National Computer Security Center (aka) NCSC
In 1978, the Assistant Secretary of Defense for Command, Control,

Communications, and Intelligence (aka) C3I, established the Department of
Defense, Computer Security Initiative (aka) CSI, to ensure the widespread
availability of trusted Automatic Data Processing (aka) ADP systems for use
within the DoD.
In January 1981, the National Computer Security Center (aka) NCSC, was
established and assumed responsibility for the activities of the Initiative. The
NCSC encourages the development of trusted computing system products,
develops computer security standards and guidelines for interested users, and
sponsors basic research in this robust field.
In order to encourage the widespread availability of trusted systems, the NCSC

has developed an industry-government relationship, called the Trusted Product
Evaluation Program (aka) TPEP. This effort focuses on the technical protection
capabilities of commercially produced and supported systems, based on the
Department of Defense, Trusted Computer Security Evaluation Criteria (aka)
TCSEC.
Three (3) important interpretations are used to assist in this program:
1. Trusted Network Interpretation (aka) TNI;
2. Computer Security Subsystem Interpretation (aka) CSSI; and,

3. Trusted Database Interpretation (aka) TDI.
The NCSC also promotes information security education and cooperates with the
National Institute of Standards and Technology (aka) NIST, to provide computer
security assistance to other government departments and agencies.
In support of the above, the NCSC operates a B2 Level Of Trust computer

system, i.e. DOCKMASTER, which provides on-line service to the information
security [intelligence] community.
NIST built a new Information Technology Laboratory (aka) ITL, in response to the
growing need for measurement and testing technology to support the
development of computing and communications systems that are usable,
scalable, interoperable, and secure. This need has come into sharper focus in
recent years with the national effort to develop an information infrastructure and
to support U. S. Industry in a global information marketplace.
The lTL seeks to enable the usability, scalability, interoperability, and security of
information technology through a focus on three (3) areas:
1. Development of tests for human-machine interfaces, software diagnostics and

performance, mathematical software, security, and conformance to standards.;
2. Collaborating, consulting and operational services for other NIST laboratories

in computational sciences and information services; and,
3. Federal government activities, especially security.
Since 1972, NIST has played a vital role in protecting the security and integrity of
information in computer systems in the public and private sectors. The Computer
Security Act of 1987 reaffirmed NIST's leadership role in the federal government
for the protection of unclassified information. NIST assists industry and
government by promoting and supporting better security planning, technology,
awareness, and training. In addition, NIST fosters the development of national
and international standards for security technology and commercial off-the-shelf
(aka) COTS security products.
Finally, NIST has an active, laboratory-based research program in computer and

network security with special technical emphasis in cryptography, authentication,
public-key infrastructure, internetworking, and security criteria and assurance.
NIST also has a special program in support of government key escrow activities.
On October 24, 2001 a conference was held at the Hyatt Regency and the
itinerary was scheduled as follows:
Track A Criteria & Assurance Ballroom 2
PANEL: Trust Technology Assessment Program (aka) TTAP (643)
Chairman: T. Anderson, National Security Agency
Panelists: P. Toth, N.I.S.T. (644); TTAP Working Group Members
This panel will focus on the progress of the TTAP initiative including the lessons
learned from the prototype effort to validate the process, procedures, and
documentation to support the program in a commercial environment.
Track B Electronic Commerce Ballroom 3
PANEL: Using Security to Meet Business Needs - An Integrated View From the
United Kingdom (677)
Chairman: A. McIntosh, PC Security, Ltd.
Panelists: D. Brewer, Gamma Secure Systems, Ltd. (679); N. Hickson,

Department of Trade & Industry (682); D. Anderton, Barclays Bank PLC (684); J.
Hodsdon, CESG (685); M. Stubbings, Government Communications
Headquarters (aka) G.C.H.Q. [ British agency equivalent to the U.S. National
Security Agency (NSA) ], UK (686)
This panel discusses the use of risk management techniques in the identification,
accreditation, and maintenance of appropriate security profiles for single
organization systems dispersed across a wide range of sites.
Track C In Depth Room: ___ - ___
Best of the New Security Paradigms Workshop
Chairman: T. Haigh, Secure Computing Corporation (693)
Panelists: R. Blakely, International Business Machines (694); S. Greenwald,

Naval Research Laboratory (698); S. Janson, Swedish Institute of Computer
Science, Sweden (701); W. Wulf, University of Virginia (704)
This year's workshop focuses on the need to identify new approaches for proving
security in very heterogenous, highly internetworked environments.
Track D--Internet--Ballroom 1
OVERVIEW
Chair: C. Bythewood, NCSC
Introduction to Infowarfare Terminology (718): F. Bondoc, Klein & Stump
This overview is aimed at the newcomer to Information Warfare (IW), and

introduces the terminology, threats and countermeasures of Information Warfare
(aka) IW.
Track E Legal Perspectives Ballroom 4
Legal Issues for the User
Chairman: Special Agent John Lewis, United States Secret Service
Intellectual Property Rights and Computer Software (296): D. Bowman,

University of Maryland
Case Study of Industrial Espionage Through Social Engineering (306): I. Winkler,

National Computer Security Association
Legal Aspects of Ice-Pick Testing (313): B. Gabrielson, Department of the Navy
Track F Management & Administration Room: ___ - ___
PANEL: Ethical and Responsible Behavior for Children to Senior Citizens in the
Information Age - Community Responsibilities
Chairman: J. Lisi, National Security Agency
Panelists: R. Koenig, ISC2; G. Warshawsky, International Community

Interconnected Computing eXchange
Track G Research & Development Room: ___ - ___
PANEL: Database Systems Today - Safe Information at My Fingertips? (842)
Chairman: J. Campbell, National Security Agency
Panelists: T. Ehrsam, Oracle; R. O'Brien, SCC; T. Parenty, Sybase; J.

Worthington, Informix Software Company; Lt. Colonel Pointdexter, D.I.S.A.; S.
Sahni, 3S Group Incorporated
This panel will address distributed and web database system security issues and
solutions.
Track H--Solutions Room--343-344
Future Activities
Chairman: J. Tippett, National Security Agency
Computer Virus Response Using Autonomous Agent Technology (471): C.

Trently, MITRETEK Systems
Security Across the Curriculum - Using Computer Security to Teach Computer

Science Principles (483): Major General White, USAF Academy
U.S. Government Wide Incident Response Capability (489): M. Swanson, NIST
Track I--Tutorials Room--327-328
Introduction to Information System Security: L. Smith and D. Strickland, National

Cryptologic School
This tutorial will use an interactive computer-based training course to present the
basics of information system security (INFOSEC). The course is composed of
five instructional units: information systems overview, threats, INFOSEC
solutions, INFOSEC techniques, and risks management.
A CD-ROM with this and other courses will be provided to attendees.
Tuesday, October 22nd------------4:00 P.M. -- 6:00 P.M.

Track A--Criteria & Assurance--Ballroom 2
Gaining Assurance though Evaluations
Chairman: H. Holm, National Security Agency
E4 ITSEC Evaluation of PR/SM on ES/9000 Processors (1): R. Nasser,

International Business Machines
A High-Performance Hardware-Based High Assurance Trusted Windowing

System (12): J. Epstein, Cordant, Inc.
WWW Technology in the Formal Evaluation of Trusted Systems (22): E.

McCauley, Silicon Graphics, Inc.
Track B--Electronic Commerce--Ballroom 3
Electronic Commerce: International Security
Chairman: V. Gibson, Computer Science Corporation
EDI Moves from the VAN to the Internet (98): B. Bradford, University of Maryland
An International Standard for the Labeling of Digital Products (109): V. Hampel,

Hampel Consulting
The Business-LED Accreditor - OR...How to Take Risks and Survive (123): M.

Stubbings, Government Communications Headquarters (aka) G.C.H.Q., UK
Integration of Digital Signatures into the European Business Register (131): H.

Kurth, Industricanlagen Betriebsghesellschaft mbH (IABG), Germany
Track C--In Depth Room--349-350
PANEL
Best of the New Security Paradigms Workshop (continued from 2:00) (693)
Chairman: T. Haigh, Secure Computing Corporation
Panelists: R. Blakely, International Business Machines (694); S. Greenwald,

Naval Research Laboratory (698); S. Janson, Swedish Institute of Computer
Science, Sweden (701); W. Wulf, University of Virginia (704)
This year's workshop focuses on the need to identify new approaches for proving
security in very heterogenous, highly internetworked environments.
Track D--Internet-- Ballroom 1
PANEL
Information Warfare: Real Threats, Definition Changes, and Science Fiction

(725)*
Chairman: W. Madsen, Computer Sciences Corporation
Panelists: M. Hill, Office of the Assistant Secretary of Defense C3/Information

Warfare; F. Tompkins, Science Applications International Corporation; S. Shane,
The Baltimore Sun; J. Stanton, Journal of Technology Transfer
This panel will discuss the Information Warfare scenario, which has received a
great deal of attention from national security planners, legislators, the military,
intelligence agencies, the media, and industry.
Track E--Legal Perspectives--Ballroom 4
PANEL: Electronic Data: Privacy, Security, Confidentiality Issues
Chairman: K. Blair, Esq., Duvall, Harrington, Hale and Hassan (740)
Panelists: The Honorable L. Alden, Judge, Fairfax County Circuit Court (741); S.
Mandell, Esq., The Mandell Law Firm (749); R. Palenski, Esq., Gordon and
Glickson, P.C. (749); S. Ray, Esq., Kruchko & Fries (800)
This panel will discuss how the legal system is dealing with crimes involving the
use of computers. Because computers are relatively new in the world of
established criminal law, many of the illegal events associated with the use of
computers did not come with definitions established by legislation or case law.
Track F--Management & Administration--Room 341-342
New Workplace Paradigms for Security
Chairman: C. Hash, National Security Agency
Security Through Process Management (323): J. Bayuk, Price Waterhouse
Malicious Data and System Security (334): O. Sibert, Oxford Systems, Inc.
Security Issues for Telecommuting (342): L. Carnahan, NIST
Track G--Research & Development Room--345-346
PANEL
Webware: Nightmare or Dream Come True? (844)
Chairman: P. Neumann, SRI International
Panelists: S. Bellovin, AT&T Laboratories (845); E. Felten, Princeton University

(846); P. Karger, International Business Machines (847); J. Roskind, Netscape
(849)
This panel will discuss the risks involved in the open-ended security problem
introduced by world-wide web browsers and programming languages sauch as
Java and JavaScript, as well as other languages with similar problems - such as
ActiveX, Microsoft WORD macros, and PostScript. Specific attention will be
spent on how to intelligently succeed.
Track H Solutions Room: ___ - ___
PANEL: Information Systems Security Research Joint Technology Office
Chairman: R. Schaeffer, National Security Agency
Panelists: T. Lunt and H. Frank, Defense Advanced Research Projects Agency

(aka) DARPA; R. Meushaw, National Security Agency
This panel will discuss its successes since the first (1st) year of this joint
partnership to develop and integrate security technology. The partnership will
maximize security solutions for building the DII & NII.
Track I Tutorials Room: 327-328
Trusted Systems Concepts: C. Abzug, Institute for Computer and Information

Sciences
This tutorial focuses on the fundamental concepts and terminology of trust
technology. It includes descriptions of the Trusted Computer System Evaluation
Criteria (TCSEC) classes, how the classes differ, and how to determine the
appropriate class for your operation environment.
Wednesday, October -----------23rd 8:30 A.M. -- 10:00 A.M.
PANEL: Alternative Assurance: There's Gotta Be a Better Way! (644)*
Chairman: D. Landoll, ARCA Systems, Inc.
Panelists: J. Adams, NSA; Speaker TBD, WITAT System Analysis & Operational
Assurance Subgroup Chair; M. Abrams, The MITRE Organization, WITAT Impact
Mitigation Subgroup Chair; Speaker TBD, WITAT Determining Assurance Mix
Subgroup Chair
A Workshop report about the evolving development of practical solutions for

business and industry in need of confidence in their information systems.
PANEL
Information Security - Transforming the Global Marketplace: D. Gary, Booz-Allen

& Hamilton
Panelists: J. M. Anderson, Morgan Stanley; K. Panker, American Bankers

Association; P. Freund, CertCo
Technology resources are means to achieve organizational goals --- not solutions
in their own right. New dimensions will be discussed of commercial interchange
in a highly networked marketplace.
Track C--In Depth Room--349-350
PANEL
Public Key Infrastructure: From Theory to Implementation
Public Key Infrastructure Technology (707)
Chairman: D. Dodson, NIST
Panelists: R. Housley, Spyrus; C. Martin, Government Accounting Office; W.

Polk, NIST; S. Chokani, Cygnacom Solutions, Inc.; V. Hampel, Hampel
Consulting; W. Ford, Independent Consultant
This panel will familiarize the audience with PKI standards, interoperability
solutions, and implementation issues. This session will concentrate on technical
specifications and standards; the session that follows will review lessons learned
during implementation of existing PKIs.
PANEL
Security in World Wide Web Browsers - More than Visa cards? (737)
Chairman: R. Dobry, N.S.A.

Panelists: C. Kolcun, Microsoft; B. Atkins, NSA; K. Rowe, NCSA; Speaker TBD,
Netscape
This panel will discuss the security problems and solutions required to handle
electronic commerce via the Internet.
PANEL
Computer Crime on the Internet - Sources and Methods (817)
Chairman: C. Axsmith, The Orkand Corporation
Panelists: Special Agent M. Pollitt, Federal Bureau of Investigation (F.B.I.); P.

Reitinger, Esq., Department of Justice; B. Fraser, CERT, Carnegie Mellon
University
This panel will discuss some case studies of system break-ins, what information
system administrators should focus on saving for the evidentiary trail, and some
resources available to the system administrator should a break-in be attempted.
Track F--Management & Administration Room--341-342
PANEL
Current Challenges in Computer Security Program Management (828)
Chairman: M. Wilson, NIST

Panelists: L. McNulty, McNulty and Associates; P. Connelly, White House
Communications Agency; A. Miller, Fleet and Industrial Supply Center; B.
Gutmann, NIST
This panel will discuss managing a computer security program in light of budget
constraints, reorganizing and downsizing, and the continuous decentralization of
ever increasing complex computing and communications environments.
Track G--Research & Development--Room 345-346
PANEL
Availability Policies: The Forgotten INFOSEC Pillar
Chairman: V. Gligor, University of Maryland
Panelists: H. Hosmer, Data Security, Inc.; J. Millen, The MITRE Corporation; R.

Nelson, Information System Security; M. Reiter, AT&T
This panel will discuss various kinds of availability policies, highlighting impact
assumptions and potential conflicts with other kinds of security policies.
Track H--Solutions--Room343-344
PANEL
Security Management Infrastructure Deployment and Operations (871)
Chairman: A. Arsenault, N.S.A.
Panelists: D. Heckman, NSA; S. Capps, NSA; S. Hunt, NSA

This panel will focus on lessons learned from the deployment of MISSI security
management infrastructure at NSA and GSA.
Track I--Tutorials--Room 327-328
OS Security: M. Weidner, ARCA Systems
This tutorial focuses on security issues for commercial operating systems. Topics
include common vulnerabilities, security services, and potential safeguards.
Specific capabilities of several commercially available operating systems will be
discussed.
Wednesday, October 23rd------------10:30 A.M.-- 12:00 Noon
Track A---Criteria & Assurance--Ballroom 2
PANEL
Current Perspective on Strategies for the (646) Certification & Accreditation

Processes
Chairman: B. Stauffer, CORBETT Technologies, Inc. (653)
Panelists: P. Wisniewski, NSA (647); C. Stark, Computer Science Corporation

(648); R. Snouffer. NIST (652); J. Eller, DISA, CISS (ISBEC) (646)
Paper
The Certification of the Interim Key Escrow System (26): R. Snouffer, NIST

PANEL
Security APIs: CAPIs and Beyond (687)
Chairman: A. Reiss, N.S.A.
Panelists: J. Centafont, NSA; Speaker TBD, Microsoft; L. Dobranski,

Communications Security Establishment (aka) C.S.E., Canada; D. Balenson,
Trusted Information Systems, Inc.
The panelists will discuss Cryptographic Application Program Interfaces,

FORTEZZA, Public Key Infrastructures, the International Cryptography
Experiment, and the Microsoft Internet Security Framework.
Paper
NIST Proposal for a Generic Authentication Module Interface: J. Dray, NIST
Track C-In Depth--Room 349-350
PANEL
Public Key Infrastructure: From Theory to Implementation (continued from 8:30)

(707)
Public Key Infrastructure Implementations
Chairman: W. Polk, NIST
Panelists: P. Edfors, Government Information Technology Services (GITS) Board;

D. Heckman, NSA; D. Dodson, NIST; J. Galvin, CommerceNet; W. Redden,
Communications Security Establishment (aka) C.S.E.; R. Kemp, General
Services Administration SI-PMO
OVERVIEW
Chairman: M. Schaffer, ARCA Systems
Secure Business on the Internet: Looking Ahead with Electronic Data

Interchange: D. Federman, Premenos
The speaker will discuss the history of Electronic Data Interchange and how
today's marketplace on the Internet needs cost effective and secure business
solutions to function over the World Wide Web.
PANEL
Legal Liability for Information System Security Compliance Failures - New

Recipes for Electronic Sachertorte Algorithms (818)
Chairman: F. Smith, Esq., Private Practice, Santa Fe, New Mexico
Panelists: J. Montjoy, BBN Corporation; E. Tenner, Princeton University; D.

Loundy, Esq., Private Practice, Highland Park, Illinois
This panel will discuss the liabilities associated with the increased expansion of
increasingly complex computer networks and associated services.
PANEL
Achieving Vulnerability Data Sharing (830)*
Chairman: L. Carnahan, NIST
Panelists: M. Bishop, University of California, Davis, CA.; J. Ellis, CERT,

Carnegie Mellon University; I. Krsul, COAST Laboratory, Purdue University
This panel will discuss security issues to be addressed when building a data
repository that will be shared by different communities of interest.
PANEL
Secure Systems and Access Control (851)
Chairman: T. Lunt, Defense Advanced Research Projects Agency (DARPA)
Panelists: D. Sterne, Trusted Information Systems, Inc. (852); R. Thomas, ORA

(854); M. Zurko, OSF (855); J. Lepreau, University of Utah (857); J. Rushby, SRI
International
The panelists will discuss their respective security programs.
Track H--Solutions--Room 343-344

Future of Trust in Commercial Operating Systems (872)
Chairman: T. Inskeep, NSA
Panelists: K. Moss, Microsoft; J. Alexander, Sun Microsystems; J. Spencer, Data

General; M. Branstad, Trusted Information Systems, Inc.; G. Liddle, Hewlett
Packard
This panel will discuss where assurance and functionality in commercial systems
are going.
Network Security: J. Wool, ARCA Systems
This tutorial focuses on basic issues in network security and gives an overview of
the implementing process. Topics include network security concerns and
services, vendor qualification issues, system composition and interconnection,
and cascading.
Wednesday, October 23rd---------12:45 p.m. -- 1:45 p.m.
Midday Seminar--Room 327-328
War Stories
Speaker: James P. Anderson, J. P. Anderson & Co.

Wednesday, October 23rd-----------2:00 P.M. -- 3:30 P.M.

PANEL
Firewall Testing and Rating (655)
Chairman: J. Wack, NIST
Panelists: I. Winkler, National Computer Security Association; K. Dolan, NSA; J.

McGowen, National Computer Security Association; C. Costack, Computer
Science Corporation
This panel will discuss whether firewalls can be effectively rated, what the rating
criteria is, characteristics of firewalls that don't lend themselves to rating, and
how well rating and testing actually work.
PANEL
Are Cryptosystems Really Unbreakable? (691)
Chairman: D. Denning, Georgetown University
Panelists: S. Bellovin, AT&T Research; P. Kocher, Independent Cryptography

Consultant; A. Lenstra, Citibank (692); E. Thompsom, AccessData Corporation
The panelists will explore the strengths of existing cryptosystems in terms of

potential weaknesses in algorithms, protocols, implementation, and application
environments.
Track C--In Depth--Room 349-350

Chairman: T. Zmudzinski, Defense Information Systems Agency
Establishing an Enterprise Virus Response Program (709): C. Trently,

MITRETEK Systems; Laboratory Assistants: E. Hawthorn, MITRETEK Systems;
D. Black, MITRETEK Systems
The speakers will provide practical information that can be used to understand
the virus threat; institute low cost preventative mechanisms; develop and
implement enterprise response mechanisms, including when to contact the
experts; and monitor the effectiveness of the tools and program within the
enterprise. Thirty attendees will be able to get hands-on practice in the lab in
Room 330 during Part 2 of the lecture.
This In-depth tutorial will be repeated at 8:30 a.m. on Thursday.
Security Issues in a Networked Environment
Chairman: D. Branstad, Trusted Information Systems, Inc.
The Advanced Intelligent Network -- A Security Opportunity (221): T. Casey, Jr.,

GTE Laboratories, Inc.
Security Issues in Emerging High Speed Networks (233): V. Varadharajan,

University of Western Sydney, Australia
A Case Study of Evaluating Security in an Open Systems Environment (250): D.

Tobat, TASC

PANEL
The Next Generation of Cyber Criminals
Chairman: M. Gembicki, WARROOM RESEARCH LLC.
Panelists: J. Christie, AFOSI; K. Geide, Federal Bureau of Investigation ( FBI );

D. Waller, Time Magazine
The panelists will address cybercrime issues and how it affects legal competitive
intelligence, the National Information Infrastructure, information warriors, and the
commercial business environment. Examples of traditional organized crime
elements to individual "Cyber-Terrorists" as well as proposed changes in
Government strategies will be presented.
PANEL
Incident Handling Policy, Procedures, and Tools (831)
Chairman: M. Swanson, NIST
Panelists: K. Cooper, BBN Planet; T. Longstaff, Computer Emergency Response

Team; P. Richards, Westinghouse Savannah River Company; K. van Wyk,
Science Applications International Corporation ( SAIC )
This panel will discuss the incident handling policy and procedures that have
been implemented within their organizations. They will also discuss a new
methodology that system administrators can use for characterizing network
security tools.
Network Attacks, Protections, and Vulnerabilities
Chairman: W. Murray, Deloitte & Touche
An Isolated Network for Research (349): M. Bishop, University of California,

Davis, CA.
GrIDS-A Graph-Based Intrusion Detection System for Large Networks (361): S.

Staniford-Chen, University of California, Davis, CA.
Attack Class - Address Spoofing (371): T. Heberlein, University of California,

Davis, CA.
PANEL
Vendors Experience with Security Evaluations (873)
Chairman: J. DeMello, Oracle Corporation
Panelists: J. Caywood, Digital Equipment Corporation (DEC); D. Harris, Oracle

Corporation (874); K. Moss, Microsoft Corporation (876); I. Prickett, Sun
Microsystems (877)
This panel will discuss their experiences in achieving successful evaluations,

identifying what has worked well for them, and not-so-well, in the process.
Database Security: W. Wilson, Arca Systems
This tutorial focuses on database security issues from the standpoint of using
database management systems to meet the organization's security requirements.
Topics include data security requirements, vulnerabilities, database design
considerations, and implementation issues.
Wednesday, October 23rd----------4:00 P.M. -- 6:00 P.M.
Track A Criteria & Assurance--Ballroom 2
PANEL
The Trusted Product Evaluation Program: Direction for the Future (656)
Chairman: J. Pedersen, N.S.A.
Representatives from various initiatives within the Trusted Product Evaluation

Program will discuss the overall strategy for the future of TPEP, including specific
steps for moving the program to a new evaluation criteria, mechanisms for
commercial advice to vendors, and new types of products which will be
evaluated.
Information Security in the Business World
Chairman: N. Pantiuk, IIT Research Institute

Industrial Espionage Today and Information Wars of Tomorrow (139): P. Joyal,
INTEGER Inc.
B is for Business - Mandatory Security Criteria & the OECD Guidelines for
Information Systems Security (152): W. Caelli, Queensland University of
Technology, Australia
Marketing & Implementing Computer Security (163): M. Wilson, NIST
Secure Internet Commerce - Design and Implementation of the Security

Architecture of Security First Network Bank, FSB (173)
N. Hammond, NJH Security Consulting, Inc.
Concerns in the Cryptographic Arenas
Chairman: P. Woodie, NSA
Automatic Formal Analyses of Cryptographic Protocols (181): S. Brackin, ARCA

Systems, Inc.
Surmounting the Effects of Lossy Compression on Steganography (194): C.

Irvine, Naval Postgraduate School
Key Escrowing Systems and Limited One Way Functions (202): W. T. Jennings,
E-Systems
The Keys to a Reliable Escrow Agreement (215): R. Sheffield, Fort Knox Escrow
Services, Inc.
WWW: The Case for Having a Security Policy and Measuring It
Chairman: R. Wood, National Cryptologic School
Internet Firewalls Policy Development and Technology Choices (259): L. D'Alotto,

GTE Laboratories
A Case for Avoiding Security-Enhanced HTTP Tools to Improve Security for Web
Based Applications (267): B. Wood, Sandia National Laboratories
Applying the Eight Stage Risk Assessment Methodology to Firewalls (276): D.

Drake, Science Applications International Corporation
Lessons Learned: An Examination of Cryptographic Security Services in a

Federal Automated Information System (288): J. Foti, NIST
PANEL
Legal Aspects of the Internet - Rights and Obligations of Users and Vendors
Chairman: C. Castagnoli, Esq., Haystack Labs
Panelists: C. Merrill, Esq., Carter & English; M. Lemley, Esq., Professor of Law,
University of Texas; M. Godwin, Esq., Electronic Frontier Foundation
The panelists will discuss digital signatures, on-line contracting and the liability
issues for the operator and the user.
PANEL
Interdisciplinary Perspectives on INFOSEC: Mandatory Reporting (833)
Chairman: M. Kabay, National Computer Security Association
Panelists: B. Butterworth, Federal Aviation Administration; B. Smith Jacobs,

Securities and Exchange Commision (SEC); R. Whitmore, Occupational Health
and Safety Administration (OSHA); S. Wetterhall, Centers for Disease Control
and Prevention
(C.D.C.&P.)
This panel will discuss their experiences from other disciplines with mandatory
reporting of security incidents and accidents, with an eye to avoiding known
pitfalls and benefiting from their years of experience.
PANEL
Facing the Challenge: Secure Network Technology for the 21st Century (867)
Chairman: R. Schaeffer, NSA
Panelists: R. Meushaw, NSA; C. McBride, NSA; D. Muzzy, NSA; B. Burnham,

NSA
This panel discusses current initiatives and collaborations within the research
communities in government, industry, and academia. Additionally, room 347-348
is set up to demonstrate examples of core technologies to include Token
Technology, Voice Verification, Real-time Encrypted Voice, Firewalls, Secure
Wireless Communications, and others.
Security with COTS (Commercial-Off-The-Shelf) Products
Chairman: S. Kougoures, N.S.A.
MLS DBMS Interoperability Study (495): R. Burns, ESC/ENS
MISSI Compliance for Commercial-Off-The-Shelf Firewalls (505): M. Hale, NSA
Designing & Operating a Multilevel Security Network Using Standard Commercial

Products (515): M. McGregor, Air Force C4 Technology Validation Office
Information Systems Security Officer's Challenges: C. Breissinger, Department of

Defense Security Institute
This tutorial focuses on the continued protection and accreditation of operational

information systems. Topics include: virus prevention and eradication; access
control evaluation and configuration; media clearing and purging; intrusion
detection and handling; and dealing with risk.
Thursday, October 24th-----------------8:30 A.M. -- 10:00 A.M.

PANEL
Common Criteria Project Implementation Status (657)
Chairman: L. Ambuel, BDM International
Panelists: M. Donaldson, Communications-Electronics Security Group, UK; R.

Harland, Communications Security Establishment (aka) C.S.E., Canada; K.
Keus, BSI/GISA, Germany; F. Mulder, Netherlands National Communications
Security Agency; J. Smith, Gamma Secure Systems, UK
The panelists will discuss the Common Criteria trial version's structure and
content, the status and results to date of the trial-use and implementation
activities, the planned future of the project, and the expected impact of all this
work on US and international IT security communities.
OVERVIEW
Security Concerns in the Private Sector - Banking: S. Ross, Deloitte & Touche
OVERVIEW
Chairman: S. Lipner, Trusted Information Systems, Inc.
Establishing an Enterprise Virus Response Program (709): C. Trently,

MITRETEK Systems; Laboratory Assistants: E. Hawthorn; MITRETEK Systems;
D. Black, MITRETEK Systems
The speakers will provide practical information that can be used to understand
the virus threat; institute low cost preventative mechanisms; develop and
implement enterprise response mechanisms, including when to contact the
experts; and monitor the effectiveness of the tools and program within the
enterprise. Thirty attendees will be able to get hands-on practice in the lab in
Room 330 during part 2 of the lecture.
This In Depth tutorial is a live encore presentation from Wednesday at 2:00.
PANEL
Secure Use of the World Wide Web: Moving From Sandbox to Infrastructure
Chairman: R. Bagwill, NIST
Panelists: J. Pescatore, IDC Government; S. Smaha
This panel will explore the current state of practice in WWW security practices
and standards, and provide predictions for the evolution of these security
services in the commercial environment.
PANEL
V-Chip: Policies and Technology (822)
Chairman: H. Hosmer, Data Security, Inc.

Panelists: D. Moulton, Esq., Chief of Staff, Office of Congressman Markey, HR;
D. Brody, MD, American Academy of Child and Adolescent Psychiatry; S.
Goering, Esq., American Civil Liberties Union; W. Diffie, Sun Microsystems
This panel will address a variety of legal and technical issues concerning the V-
chip, a hardware device inserted into new televisions which can identify labels
attached to movies, etc.
PANEL
Industrial Espionage Today and Information Wars of Tomorrow
Chairman: P. Joyal, Interger, Inc.
Panelists: Ret. Major General O. Kalugin, Russia; S. Baker, Esq.; M. Lajman,

Author on French Intelligence; E. O'Malley, retired F.B.I..
This panel will discuss the perspectives of Industrial Espionage as the focus of a
multi-national problem which affects everyone.
Implementations of the Security Policy
Chairman: D. Gambel, General Research Corporation
Generic Model Interpretations: POSIX.1 and SQL (378): D. Elliott Bell,

MITRETEK Systems
The Privilege Control Table Toolkit: An Implementation of the System Build
Approach (389): T. Woodall, Hughes Aircraft Company
Use of the Zachman Architecture for Security Engineering (398): R. Henning,

Harris Corporation
New Test Methodologies
Chairman: R. Lau, N.S.A.
Real World Anti-Virus Product Reviews and Evaluation - The Current State of
Affairs (526): S. Gordon, Command Systems, Inc.
Security Proof of Concept Keystone (SPOCK) (539): J. McGehee, COACT, Inc.
Use of a Taxonomy of Security Faults (551): I. Krsul, Coast Laboratory, Purdue

University
Information Systems Security Engineering: P. Boudra, NSA; D. Pearson, NSA
Thursday, October 24th-----------10:30 A.M. -- 12:00 Noon
Views of Assurances
Chairman: D. Kinch, N.S.A.
Configuration Management in Security related Software Engineering Processes

(34): K. Keus, Bundesamt fur Sicherheit in der Informationstechnik, Germany
The Department of Defense Information Technology Security Certification and

Accreditation Process (DITSCAP)(46): B. Stauffer, CORBETT Technologies, Inc.
Trusted Process Classes (54): W. Steffan, Tracor Applied Science, Inc.
OVERVIEW
Security Concerns in the Private Sector: Brokerage: D. Gary, Booz-Allen &

Hamilton
PANEL
Information Security Policy: There has to be a Better Way
Chairman: J. Pescatore, Trusted Information Systems, Inc.
Panelists: K. Kasprzak, Maryland Bancorp; S. Smaha, Haystack Labs; R.

Stratton, Wheelgroup Inc.
The panelists will discuss new ideas for transforming organizational needs into
security controls and policies.
PANEL
Attack/Defense (738)
Chairman: J. David, The Fortress
Panelists: S. Bellovin, AT&T; W. Cheswick, AT&T; P. Peterson, Lockheed-Martin;

M. Ranum, V-One
The panel will discuss how the role of the Internet security practitioner has
changed. Keep-ing the bad guys out is no longer the prime goal of security,
rather the prompt and accurate identification of intrusions (or, preferably, intrusion
attempts) and minimizing the damages. This session examines these "popular"
attacks and presents ways to effectively defend your site against them.
PANEL
Protecting Medical Records and Health Information (824)
Chairman: J. Winston, Trusted Information Systems, Inc.
Panelists: G. Belles, VA Medical Information Security Service; B. Braithwaite, US

Department of Health and Human Services*; P. Bruening, Information Policy
Consultant; P. Taylor, US General Accounting Office
This panel will examine the technical, policy, and legal issues involved in
establishing and implementing appropriate protections for patient medical
records and other types of health information.
Track F --Management & Administration --Room 341-342
PANEL
International Perspectives on Cryptography Policy (835)
Chairman: D. Denning, Georgetown University
Panelists: P. Ford, Attorney General's Office, Australia; D. Herson, Commission

of the European Communities, Belgium; N. Hickson, Department of Trade and
Industry, UK
Panelists from outside the United States will discuss their views on cryptography
policy and national and international proposals and initiatives.
Mechanisms in Understanding Security
Chairman: H. Weiss, SPARTA, Inc.
Developing Secure Objects (410): D. Frincke, University of Idaho
Deriving Security Requirements for Applications on Trusted Systems (420): R.

Spencer, Secure Computing Corporation
Security Implications of the Choice of Distributed Database Management

Systems Model: Relational vs. Object-Oriented: S. Coy, University of Maryland
Defenses in Networks
Chairman: M. Woodcock, National Cryptologic School
Protecting Collaboration (561): G. Wiederhold, Stanford University
Design and Management of A Secure Networked Administration System: A

Practical Solution (570): Prof. V. Varadharajan, University of Western Sydney,
Australia
Information Warfare - INFOSEC and Dynamic Information Defense (581): V.

Winkler, PRC Inc.
Systems Security Engineering Capability Maturity Model: K. Ferraiolo, ARCA

Systems
A capability maturity model (CMM) has been developed to help organizations

improve their security engineering capability. This tutorial will describe the model,
why it was developed, how it is being used, and plans for its use in the future.
Thursday, October 24th----------12:45 P.M. -- 1:45 P.M.
Midday Seminar--Room 343-344
PANEL
Security Protocols/Protocol Security

Chairman: D. Maughan, N.S.A.
Panelists: TBD
This panel will discuss why standards and protocols are needed for the increased
use of the Internet by personal as well as business ventures.
Thursday, October 24th --------------2:00 P.M. -- 3:30 P.M.
Evolution of Criteria Requirements and User Needs
Chairman: J. Arnold, Science Applications International Corporation
Design Analysis in Evaluations Against the TCSEC C2 Criteria (67): D. Bodeau,

The MITRE Corporation
System Security Engineering Capability Maturity Model and Evaluations -

Partners within the Assurance Framework(76): C. Menk III, NSA
Applying the TCSEC Guidelines in a Real-Time Embedded System Environment

(89): D. Frincke, University of Idaho
OVERVIEW
Security Concerns in the Private Sector - Communications: J. Klein, Wizards

Keys

OVERVIEW & PANEL
Data Warehousing I: An Introduction to Data Warehousing, Data Mining and

Security (711)
Chairman: J. Campbell, N.S.A.
Panelists: B. Thuraisingham, The MITRE Corporation; J. Worthington, Informix

Software, Inc.; P. Lambert, Oracle Corporation
These sessions will investigate Data Warehousing from what it is to what are the
security issues associated with it. These sessions will provide a basis for a Friday
afternoon workshop co-sponsored by the IEEE Mass Storage Committee. The
goal of the workshop is to provide direction in future R&D efforts ensuring optimal
security for Data Warehousing and Data Mining environments.
PANEL
The Web - What is it? Why/How is it Vulnerable? (739)*
Panelist: J. Freivald, Charter Systems, Inc.; P. Peterson, Lockheed-Martin; D.

Dean, Department of Computer Science, Princeton University
The speakers will formally describe what the web is/does, indicate how it differs
from "normal" Internet use, show it is used in typical/popular operational modes,
and point out the nature and magnitude of primary vulnerabilities.
PANEL
Crimes in Cyberspace: Case Studies (827)
Chairman: W. Galkin, Esq., Law Office of William S. Galkin
Panelists: A. Weiner, Esq., Weiner, Astrachan, Gunst, Hillman & Allen; K. Bass,
III, Venable, Baetjer, Howard & Civeletti
The panel will present, discuss, and analyze the legal issues involving several
actual criminal incidents that have occurred in Cyberspace.
PANEL
Surviving the Year 2000 Time Bomb (839): G. Hammonds, AGCS, Inc.
Panelists: J. White, OAO Corporation; A. Hodyke, ESC/AXS/USAF
This panel will identify the complexity and magnitude of the Year 2000 Problem,
why so many people will likely be affected, and some practical near and long-
term solutions.
PANEL
Toward a Common Framework for Role-Based Access Control (868)*
Chairman: D. Ferraiolo, NIST
Panelists: R. Sandhu, George Mason University; V. Gligor, University of

Maryland; R. Kuhn, NIST
This panel will discuss the issues related to the development of a common
reference model for Role-Based Access Control.
PANEL
Workshop Report on the Role of Optical Systems and Devices for Security (879)
Chairman: T. Mayfield, Institute for Defense Analyses
Panelists: M. Medard, MIT Lincoln Laboratory; J. Ingles, NSA; M. Krawczewicz,

NSA; B. Javidi, University of Connecticut
This panel will address security and vulnerabilities in all-optical networks, discuss
the use of optics for information encoding, and introduce some applications that
might take advantage of optical technology.
Common Criteria: K. Britton, NSA; L. Ambuel, BDM International
The Common Criteria has been developed as the next generation of IT Security
Criteria replacing the TCSEC, ITSEC, and CTCPEC. This session will provide a
working knowledge of the concepts and contents of the Common Criteria.
Thursday, October 24th------------4:00 P.M. -- 6:00 P.M.
Track A-- Criteria & Assurance--Ballroom 2
PANEL
Assurance Measures in Evaluation Assurance Level 3 of the Common Criteria

(660)*
Chairman: M. Schanken, N.S.A.
Panelists: S. Katzke, NIST; K. Keus, GISA; Y. Klein, France
The Common Criteria Sponsoring Organizations are investigating alternative

approaches for gaining assurance that products and systems meet their security
requirements. The initial phase of the activity maps several alternative assurance
approaches to Evaluation Assurance Level 3 (EAL 3) of the Common Criteria.
OVERVIEW
Security Concerns in the Private Sector - Manufacturing: S. Meglathery, Estee

Lauder (Cosmetics)
OVERVIEW & PANEL

Data Warehousing II: The Security Issues
Chairman: D. Kinch, N.S.A.
This session continues discussing current data warehousing security issues.
PANEL
Securing the Web (739)
Panelist: J. Freivald, Charter Systems, Inc.; P. Peterson, Lockheed-Martin; D.

Dean, Department of Computer Science, Princeton University
The speakers will show how to treat the vulnerabilities uncovered in the first
session in and of themselves, and as a part of both Internet security programs
and total security programs.
(OPEN)
Track F--Management & Administration --Room 341-342
PANEL
Security Siblings
Chairman: C. Pfleeger, Trusted Information Systems, Inc.
Panelist: W. Agresti, MITRETEK Systems
This panel will discuss other venues of assurance developed in the reliability,
safety critical, fault-tolerant as well as the security communities. By working
together, we can reduce the expense of repeating each other errors and share
our successes.
Security Policy & PKI Certification
Chairman: H. Highland, FICS
Management Model for the Federal Public Key Infrastructure (438): N. Nazario,
NIST
Security Policies for the Federal Public Key Infrastructure (445): N. Nazario,
NIST
A Proposed Federal PKI using X.509 V3 Certificates (452): W. Burr, NIST
A Security Flaw in the X.509 Standard (463): S. Chokani, Cygnacom Solutions,

Inc.
PANEL
Cryptography's Role in Securing the Information Society

Chairman: H. Lin, National Research Council (N.R.C.)
Panelists: W. Ware, The Rand Corporation, Emeritus; P. Neumann, SRI

International
The panel will discuss the National Research Council (N.R.C.) report on
Cryptography and its role.
Education Technology: R. Quane, National Cryptologic School

Friday, October 25th------------8:30 A.M. -- 10:00 A.M.
PANEL
Secure Networking and Assurance Technologies (661)*
Chairman: T. Lunt, Defense Advanced Research Projects Agency (D.A.R.P.A.)
Panelists: K. Levitt, University of California, Davis, CA; J. McHugh, Portland

State University (663); S. Kent, BBN; J. Voas, Reliable Software Technologies
(669); D. Weber, Key Software (666); L. Badger, Trusted Information Systems,
Inc. (667)
The speakers will discuss their goals for secure networking and assurance
technologies in the following areas: Intrusion Detection, Secure Mobile
Computing, and new inroads to Internet Security.
PANEL
ISSO as a Vendor Partner in a Changing World
Chairman: B. Snow, N.S.A.
Panelists: C. Baggett, NSA, S. Barnett, NCSC, M. Fleming, NSA, R. George,

NSA, R. Marshall, Esq., NSA, H. Novitsky, NSA, R. Schaffer, NSA
This panel of technical leaders from the Information Systems Security

Organization will discuss their organizational plans for vendor interaction and
support, and under what terms, with the stress on how the ISSO is changing to
better accomplish the ISSO mission.
Track F--Management & Administration--Ballroom 4
PANEL
The Assessment Methodology in the Corporate Sector
Chairman: R. Lopez, N.S.A.
Panelists: J. Jackson, N.S.A., V. Moseley, N.S.A.. G. Hale, N.S.A., S.

Dombkowski, NSA
The panelists will provide a background of the methodology and tools used by
reviewers of information assets in the corporate environment.

Execution of Security Policies
Chairman: D. Arnold, N.S.A.
Security for Mobile Agents: Issues and Requirements (591), V. Swarup, The
MITRE Corporation
Extended Capability: A Simple Way to Enforce Complex Security Policies in

Distributed Systems (598), I-Lung Kao, IBM Corporation
IGOR: The Intelligence Guard for ONI Replication (607), R. Shore, The ISX
Corporation
Friday, October 25th-----------------10:20 A.M. -- 12:30 P.M.
Closing Plenary Ballrooms 1 & 3
Information Systems Security - Directions and Challenges
Moderator: Willis H. Ware, Corporate Research Staff, Emeritus -- The Rand

Corporation
Distinguished Panelists: C. Thomas Cook (889)*, Executive Vice President --

Banc One Services Corporation; William P. Crowell, Deputy Director -- National
Security Agency; John Lainhart (890), Inspector General -- U.S. House of
Representatives; J. F. Mergen, Principal Scientist -- BBN; Stephen Smaha, Chief
Executive Officer/President -- Haystack Labs; Charles Stuckey, Chief Executive
Officer -- Security Dynamics
The need for seamless value-added, yet end-to-end secure and cost-effective,
information systems and networks in a rapidly evolving technological world that is
globally competitive, has created extraordinary demands and challenges for the
public, academic, and private sectors. Each is asking itself how to meet the
future with a stalwart information infrastructure, and wondering what roles and
contributions of the other two sectors will or should be.
This distinguished panel is convened to address such over-arching issues and to

engage the audience in a dialogue on such questions as the following:
* What challenges do you perceive for your own business or end-user community
with respect to information system security?
* What are the security-relevant challenges for your organization? What is

security's strategic role in your organization? How are you making the tradeoffs?
* As you move into new technology, how do you see the challenges changing,
evolving, or growing more serious?
* How do you think these challenges can best be dealt with -- from a
management view; from a public policy view; from a technical view; from a
business view?
* What do you see as the respective roles for government, industry, and
academia as the country and the world move into an ever more information-
intensive future?
* What do you see that industry, government, and academia should be doing in
computer security? What is each doing well or not so well now?
Demonstrations and Activities
Wednesday - Thursday ---Information Systems Security Exposition -----Hall G
The Armed Forces Communications and Electronics Association will host, in

parallel with the Conference, an exhibition of security products and services. This
exposition provides a forum for industry to showcase information systems
security technology and hands-on demonstrations of products and services that
are potential solutions to many network and computer security products.
Wednesday - Friday -----Research and Development Demonstrations -----Room

347-348
As a follow-up to the "INFOSEC Research and Technology, Facing the

Challenge: Secure Network Technology for the 21st Century," the National
Security Agency will demonstrate some of the techniques coming down the future
trails. Conference attendees are invited to see the demonstration of future
solutions to the 21st Century challenges.
Tuesday - Friday ------European Community ------Registration Area
The Information Technology Security Evaluation Facilities (ITSEF) in Europe and

the European Certification Bodies invite the attendees to learn about the
European system and security product evaluations and will demonstrate the
product evaluation methodology.
Tuesday - Friday -----NIST Clearinghouse -----Room 347-348
A wide variety of information security information is available to federal agencies

and to the public through the NIST Clearinghouse. Information posted to this
system include an events calendar, computer-based training, software reviews,
publication, bibliographies, lists of organization with points of contact, and other
government bulletin board numbers and WWW pointers.
Tuesday - Friday -----NSA INFOSEC Awareness ------Booth Registration Area
The booth offers a variety of INFOSEC publications most frequently requested by

users, developers, operators, and administrators of products and services.
Publications available include the INFOSEC Products and Services Catalog and
the National Computer Security Center's computer security technical guidelines --
the RAINBOW Series. The National Cryptologic Museum is also represented at
this booth.
Tuesday - Friday------DOCKMASTER I ------Room 347-348
The National Computer Security Center, DOCKMASTER I, is a focal point for

nationwide dissemination and exchange of information security data through
electronic mail and bulletin boards. Over 2,000 users from federal government,
private companies, and academic institutions participate in its electronic forums
and retrieve data on INFOSEC products, conferences, and training.
Tuesday - Friday ------Information Systems Security Association Booth ------

Registration Area
The Information Systems Security Association (ISSA) is an international

association of information security practitioners whose aim is to enhance
professionalism through education, information exchange, and sharing among
those who do INFOSEC day-to-day. The booth contains newsletters, resource
guides, Guidelines for Information Valuation, and the Draft of "Generally
Accepted System Security Principles."
Tuesday - Friday ------NIST Publication --------Booth Registration Area
NIST's Publication Booth will distribute information and publications on a variety

of information systems security issues, including the latest issues of the CSL
Bulletin. Each bulletin discusses a relevant information security topic in depth. A
catalog of our current publications will also be available, as well as instructions
for accessing our Computer Security Resource Clearinghouse electronically.
Tuesday - Thursday -------Book Exhibition --------Registration Area

A book exhibit display representing selections from leading worldwide publishers
dealing specifically with information security is presented by: Association Book
Exhibit, 693 S. Washington Street, Alexandria, VA 22314
Wednesday - Thursday ---Establishing an Enterprise Virus Response Program ----Laboratory

Room 330
MITRETEK Systems is providing a hands on demonstration of tools discussed in the

overview session for "Establishing an Enterprise Virus Response Program." The
Enterprise Virus Response is designed to help the organization develop a proactive
program for the prevention, detection, containment, management, and recovery of
computer virus incidents. The workshop will demonstrate the processes needed to prepare
for an incident or infection, to detect and contain a virus exposure or infection, to recover
from an infection, and to manage the response program.
Friday -----IEEE Data Warehouse Security Workshop -----Room 349-350
The Workshop follows from the two Thursday sessions on Data Warehousing. The output
of the workshop should be research directions for future Data Warehousing security
solutions. The workshop is co-sponsored by the IEEE Mass Storage Committee and will
become a component of the next IEEE Mass Storage Symposium.
General Information
Meeting Site: The conference will be held at the Baltimore Convention Center, 1 West
Pratt Street. Baltimore, Maryland, close to Baltimore Inner Harbor area. The Opening
Plenary Session will be held in Ballroom I, on the Ballroom Level (enter the Pratt Street
lobby). Registration and information services, and all technical sessions, will be held on
the third floor Meeting Room Level and the fourth floor Ballroom Level. The Convention
Center is conveniently located close to hotels, major highways, and numerous restaurants,
shops, and sightseeing attractions.
Transportation: For those attendees not staying in Baltimore, daily bus service will be
provided from the parking lot across from the National Computer Security Center
(NCSC) Fanx III, 840 Elkridge Landing Road, Linthicum, MD. The buses will run in a
round-robin fashion from the NCSC from 7:00 a.m. to 8:30 a.m. Buses will return to the
NCSC at the end of the sessions each day, following the banquet, and periodically
throughout the awards reception.
Communications: Messages will be taken for conference attendees between the hours of
8 a.m. and 5 p.m. Tuesday through Thursday, and between the hours of 8 a.m. and 12
noon on Friday. Messages will be posted on a message board adjacent to the
Registration/Information Area. Attendees will not be called out of a meeting except for
emergencies. The phone numbers for leaving messages will be posted on the message
board.
Evaluation Forms: Evaluation forms are provided in your conference folder for your
comments. Please leave the completed forms in the boxes provided at the registration
area. We thank you in advance for your comments since your comments help the
committee to develop and improve the conference program each year.
Volunteers: If you would like to serve as a referee for the 20th National Information
Systems Security Conference being planned for October 1997 please E-MAIL:
NISSConference@dockmaster.ncsc.mil or call (410) 850-0272.
Special Interest Rooms: There will be a limited number of rooms available for special
interest discussions ("Birds of a Feather," etc.). These rooms may be reserved in one-hour
increments and must not be used for commercial purposes. To reserve a room, please stop
at the registration area. Breaks and Lunches
Coffee service: Provided to all the attendees during registration each morning and at mid-
morning and mid-afternoon breaks. Attendees will be free at lunch time to explore the
convenient restaurants or other sites near the Convention Center.
On Wednesday, box lunches will be provided to the first 1,500 attendees on a first-come,
first-served basis at the AFCEA exhibit in Hall G.
Banquet: The conference banquet will be held on Wednesday, October 23, beginning with
a cash bar reception at 6 p.m. and followed by dinner at 7 p.m. The dinner speaker is
Kenneth Chenault, Vice Chairman, American Express Co., Inc. A coupon for this event,
which may be exchanged for a dinner ticket on a first-come first-served basis, will be
included in each attendee's registration kit.
Awards Ceremony and Reception: On Thursday, October 24, at 2:00 pm in rooms 337-
338, awards will be presented to vendors that have successfully developed security
product lines that have been approved by the NIST Validation Program or the NCSC
Trusted Computer System Evaluation Program. Following the award presentation,
conference participants will have an opportunity to learn more about these products as
each vendor hosts a display. Awards also will be presented to companies that have
participated in Systems Security Engineering Capability Maturity Model (SSE-CMM)
pilot appraisals. You are invited to visit the SSE-CMM project display for more
information regarding this community-supported initiative. An awards reception will
begin at 6 p.m. in the lower lobby. A ticket for the reception will be included in the
registration kit of each registered attendee.
Housing: See map of the conference hotels in the area
20th National Information Systems Security Conference ( October 6 - 9, 1997 in

Baltimore, MD )

Business Intelligence

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Business Intelligence

Uploaded by

Copyright:

Available Formats

BUSINESS INTELLIGENCE

N.S.A. & BUSINESS NETWORKING

[ Click Image (above) To Learn More About EPM ]

National Information Systems Security

This think tank of sorts, conducts its business intelligence

The National Security Agency (aka) N.S.A., is NISSC's "host" and

The focus on "information system security" a subject matter the N.S.A.

The prime subject matter's intelligence, deals with encryption codes,

Specifically, the focus is on EPM Technology's, EXPRESS Data Manager (aka)

EPM's technology creation management system tools enable product data to be

It is already quick, easy and inexpensive to transfer or access basic, everyday

It is nearly impossible, however, to accurately and reliably exchange, share and

1. Different systems are used to design, analyze, manufacture and document a

2. Each system has its own way of representing data.;

3. Each group or organization tends to choose its own systems.;

5. Different hardware and software environments are a fact of computer life.

The ability to efficiently transfer and translate sophisticated product data,

1. Minimize product life-cycle costs.;

2. Provide continuous acquisition and life-cycle support (CALS).;

3. Ensure data integrity.;

4. Collaborate in virtual or extended enterprises;

5. Shorten product development cycles.;

6. Support concurrent product and process development.; and,

7. Respond with agility to changing customer needs.

The information handled by the EXPRESS Data Manager is contained in data

Like other computer languages, EXPRESS has a well-defined syntax, structure

NSA-EDM Cast Of Business Character Interests

To demonstrate a few examples of which EDM character firms might be

The Secret and Below Interoperability (aka) SABI Process

Continuing the Discovery of Community Risk

Chairman: Mark Loepker, National Security Agency

Panelists: Curtis Dukes, National Security Agency; Charles Schreiner, National

Topic Chairman and Panelist's Biographies

Warner Brake: the Deputy Chief, Information Assurance Implementation Branch

Secret and Below Interoperability (aka) SABI, is an Information Assurance

National Computer Security Center (aka) NCSC

In 1978, the Assistant Secretary of Defense for Command, Control,

In order to encourage the widespread availability of trusted systems, the NCSC

Three (3) important interpretations are used to assist in this program:

1. Trusted Network Interpretation (aka) TNI;

2. Computer Security Subsystem Interpretation (aka) CSSI; and,

In support of the above, the NCSC operates a B2 Level Of Trust computer

1. Development of tests for human-machine interfaces, software diagnostics and

2. Collaborating, consulting and operational services for other NIST laboratories

3. Federal government activities, especially security.

Finally, NIST has an active, laboratory-based research program in computer and

Track A Criteria & Assurance Ballroom 2

PANEL: Trust Technology Assessment Program (aka) TTAP (643)

Chairman: T. Anderson, National Security Agency

Panelists: P. Toth, N.I.S.T. (644); TTAP Working Group Members

Track B Electronic Commerce Ballroom 3

Chairman: A. McIntosh, PC Security, Ltd.

Panelists: D. Brewer, Gamma Secure Systems, Ltd. (679); N. Hickson,

Track C In Depth Room: ___ - ___

Best of the New Security Paradigms Workshop

Chairman: T. Haigh, Secure Computing Corporation (693)

Panelists: R. Blakely, International Business Machines (694); S. Greenwald,

Chair: C. Bythewood, NCSC

Introduction to Infowarfare Terminology (718): F. Bondoc, Klein & Stump

This overview is aimed at the newcomer to Information Warfare (IW), and

Legal Issues for the User

Chairman: Special Agent John Lewis, United States Secret Service

Intellectual Property Rights and Computer Software (296): D. Bowman,

Track C In Depth Room: _ - _

Track F Management & Administration Room: _ - _

Track G Research & Development Room: _ - _

Track H Solutions Room: _ - _