Page 1: Business Intelligence

BUSINESS INTELLIGENCE
N.S.A. & BUSINESS NETWORKING ECHELONS


National Information Systems Security

U.S.A., Washington, D.C. - November 1, 2001: The National Information Systems Security Conference (aka) NISSC holds an annual conference at which handpicked representatives of top corporate America and top intelligence agencies get together on a variety of subjects relating to industrial modeling, information systems and security management. Such a curious intertwining of business leaders channeling and brainstorming directly with intelligence hierarchy officials is absolutely amazing, as shown in detail here.

This think tank of sorts conducts its business intelligence brainstorming in any one of a variety of pre-scheduled meeting places around the world. As an example, one year it might be held at what once was (until 2001) one of the many U.S. National Security Agency (aka) N.S.A. listening posts for the global ECHELON telecommunication satellite surveillance intelligence network, Bad Aibling Station (aka) BAS, located inside the little village of Mietraching, Germany, while the following year it could meet at the Hyatt Regency Hotel & Convention Center in Orlando, Florida.

 

The National Security Agency (aka) N.S.A. is NISSC's "host" and a working participant, along with a few "handpicked" American and foreign firms, i.e. I.B.M., FUJITSU, BOEING, SIEMENS, LOCKHEED-GRUMMAN, SAAB, ARINC, BAE SYSTEMS, PTC, AIRBUS, ROCKWELL-COLLINS, MICROSOFT, MITRE, and even ESTEE LAUDER (a cosmetics firm), to name just a few.

The collective goes over "in detail" what they submitted in the lengthy papers sent ahead of time to the N.S.A. for its review. The N.S.A., with a few sponsored firms, then selects its specific personnel to study the reports these handpicked firms address. Some topics may have an N.S.A. mission need and/or impact, so in almost all of these meetings NSA staff are present. Security is tremendous, to say the least.

The focus on "information system security" - a subject matter the N.S.A. no doubt has already written the book on - gives this joint think-tank workshop the time to study how a new information security management system will best serve their future needs.

The prime subject matter of interest deals with encryption codes, dictionary standards and methods for using and/or modifying a new form of high-technology information management transfer which is already designed to provide heightened security when data handshakes occur over the internet and other means, via satellite system links, for all these firms' current and future information requirements.

 

EPM - The Software Mastermind Firm

The purpose of EPM TECHNOLOGY, a JOTNE firm based in Oslo, Norway, is distributing - with the blessing of the N.S.A. - its modular, innovative high-tech data management technology to global organizations in a variety of industries.

Specifically, the focus is on EPM Technology's EXPRESS Data Manager (aka) EDM based tools, designed for the many uses of its global multi-user customers' Management Information Systems (aka) M.I.S.

These organizations are now gradually moving away from managing information "on paper" and toward being able to exchange and share huge amounts of data electronically, via extremely fast digital formats, using computers - which the N.S.A. has an interest in.

EPM's technology creation management system tools enable product data to be effectively managed, exchanged and shared across radically different systems, independent of location, type or network design. They allow access to this data throughout the life cycle of the product and ensure that the information is in a form that can be accessed and interpreted for decades to come.

It is already quick, easy and inexpensive to transfer or access basic, everyday information via databases, e-mail, Internet websites and intranets.

It is nearly impossible, however, to accurately and reliably exchange, share and manipulate complex, technical data about a product - its design, properties and structures, its development and history, its costs and maintenance, etc.

Problems arise because:

1. Different systems are used to design, analyze, manufacture and document a product;
2. Each system has its own way of representing data;
3. Each group or organization tends to choose its own systems;
4. Systems in use change over time, making some data inaccessible; and,
5. Different hardware and software environments are a fact of computer life.

The ability to efficiently transfer and translate sophisticated product data, independent of hardware and software environments, is now recognized worldwide as the next, natural and vital step in the evolution of product data technology and product information management. This ability is considered essential for effective communication and cooperation, not only within work groups and among colleagues but with customers, suppliers, users and business partners. It is considered absolutely critical if an organization wants to achieve and maintain a competitive advantage well into the 21st century.

EPM sees the 21st century as significant for the deployment of its EDM set of tools for Electronic Commerce and Product Data Technology standards - in particular ISO 10303, the international standard for the representation and exchange of product model data, also known as STEP - and EXPRESS-compliant products. EXPRESS is a product suite that contains the tools needed to begin implementing the product data technology standards for the 21st century by creating and managing EXPRESS schemata, customizing data models, and establishing product-data databases and archives. EXPRESS products from EPM Technology are available today to meet crucial needs for future success.

EDM is modular by design, enabling a firm to mix and match the products and options they want, and to easily expand or update the system as their needs change and as the standard continues to evolve. EDM products are available for UNIX or Microsoft Windows platforms.

EDM is designed to make all product details, not just visual details, available to a variety of users during all phases of engineering, development, production, operation and maintenance. Ultimately, the EXPRESS Data Manager helps transform many business theories into realistic business goals; goals which will ensure a strategic, competitive edge for projects and companies, large or small:

1. Minimize product life-cycle costs;
2. Provide continuous acquisition and life-cycle support (CALS);
3. Ensure data integrity;
4. Collaborate in virtual or extended enterprises;
5. Shorten product development cycles;
6. Support concurrent product and process development; and,
7. Respond with agility to changing customer needs.

The information handled by the EXPRESS Data Manager is contained in data models rather than in paper-based blueprints or application-specific programs, databases or texts. These models are created and defined in EXPRESS, the information modeling language specified in STEP (ISO 10303-11).

Like other computer languages, EXPRESS has a well-defined syntax, structure and set of language rules. In sharp contrast to other languages, however, in an EXPRESS-based approach to product data the models are totally independent of any underlying implementation tools.

As the foundation for EPM Technology's EDM, EXPRESS makes it possible to link pieces of information that were once isolated from one another by incompatible formats. Together, EXPRESS and the EXPRESS Data Manager make it possible to overcome one of the main obstacles to true business and process integration for the future.
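The following is an added example written for this page; it is not EPM Technology's EDM code nor any ISO 10303 reference implementation. It shows in concrete form what the passages above describe: a small product-data model written in EXPRESS (ISO 10303-11) syntax, a matching instance file in the STEP physical file format (ISO 10303-21, the form in which such data is exchanged between organizations), and a checker that treats the incoming file as untrusted input and refuses it unless every instance conforms to the schema (known entity, right attribute count and types, every #n reference resolving to an instance of the declared entity). The schema, the file, and the entity and attribute names are constructed for the example, and the EXPRESS and Part 21 subsets handled are deliberately narrow, as the comments state.

```python
"""Added example for this page, not EPM Technology's EDM nor an ISO 10303 implementation."""
import re
from collections import namedtuple

# Constructed sample schema in EXPRESS (ISO 10303-11).  Subset handled: simple attributes of type STRING, INTEGER, REAL or another entity; no SUBTYPE/SUPERTYPE, DERIVE or WHERE.
EXPRESS_SCHEMA = """
SCHEMA example_product_schema;
ENTITY person;
  name        : STRING;
  employee_no : INTEGER;
END_ENTITY;
ENTITY product;
  part_number : STRING;
  mass_kg     : REAL;
  owner       : person;
END_ENTITY;
END_SCHEMA;
"""
# Constructed sample exchange file in the STEP physical file format (ISO 10303-21).
STEP_FILE = """ISO-10303-21;
HEADER;
FILE_DESCRIPTION(('constructed sample'),'2;1');
FILE_NAME('example.stp','2001-11-01T00:00:00',(''),(''),'','','');
FILE_SCHEMA(('EXAMPLE_PRODUCT_SCHEMA'));
ENDSEC;
DATA;
#1=PERSON('O''Brien, Alice',1042);
#2=PRODUCT('WIDGET-7',1.25,#1);
ENDSEC;
END-ISO-10303-21;
"""
Ref = namedtuple("Ref", "n")                     # an instance reference, #n in Part 21
SIMPLE = {"STRING": str, "INTEGER": int, "REAL": float}

def parse_express(text):                         # -> {ENTITY: [(attr, TYPE), ...]}
    return {m.group(1).upper(): [(a, t.upper()) for a, t in
                                 re.findall(r"(\w+)\s*:\s*(\w+)\s*;", m.group(2))]
            for m in re.finditer(r"ENTITY\s+(\w+)\s*;(.*?)END_ENTITY\s*;", text, re.S)}

def _value(s, i):
    """Parse one Part 21 parameter at s[i]; return (Python value, index after it)."""
    c = s[i]
    if c == "'":                                 # string; a doubled '' is an escaped quote
        out, j = [], i + 1
        while not (s[j] == "'" and s[j + 1:j + 2] != "'"):
            out.append(s[j]); j += 2 if s[j] == "'" else 1
        return "".join(out), j + 1
    if c == "(":                                 # aggregate
        items, j = [], i + 1
        while s[j] != ")":
            v, j = _value(s, j); items.append(v)
            if s[j] == ",": j += 1
        return items, j + 1
    if c == "#":                                 # reference to another instance
        m = re.match(r"#(\d+)", s[i:]); return Ref(int(m.group(1))), i + m.end()
    m = re.match(r"[-+]?\d+(\.\d*)?(E[-+]?\d+)?", s[i:])   # INTEGER or REAL literal
    t = m.group(0); return (float(t) if "." in t or "E" in t else int(t)), i + m.end()

def parse_p21(text):
    """{n: (ENTITY, [params])} from the DATA section; malformed input raises ValueError."""
    sec = re.search(r"^DATA;\s*(.*?)^ENDSEC;", text, re.S | re.M)
    if sec is None: raise ValueError("no DATA section")
    inst = {}
    for line in filter(None, map(str.strip, sec.group(1).splitlines())):
        h = re.match(r"#(\d+)=(\w+)(?=\()", line)
        try:
            params, end = _value(line, h.end())
        except (AttributeError, IndexError):     # bad '#n=NAME(' head, unknown token, or line cut short
            raise ValueError("malformed instance: " + line) from None
        n = int(h.group(1))
        if n in inst or line[end:] != ";":
            raise ValueError("duplicate id or trailing data: " + line)
        inst[n] = (h.group(2).upper(), params)
    return inst

def validate(schema, inst):
    """List of conformance problems; only an empty list means the file may be accepted."""
    bad = []
    for n, (ent, params) in inst.items():
        attrs = schema.get(ent)
        if attrs is None:
            bad.append("#%d: entity %s not in schema" % (n, ent)); continue
        if len(params) != len(attrs):
            bad.append("#%d: %s takes %d attributes, got %d" % (n, ent, len(attrs), len(params))); continue
        for (attr, typ), v in zip(attrs, params):
            at = "#%d.%s" % (n, attr)
            if typ in SIMPLE:
                if not isinstance(v, SIMPLE[typ]):
                    bad.append("%s: expected %s, got %r" % (at, typ, v))
            elif typ not in schema or not isinstance(v, Ref):
                bad.append("%s: expected a reference to %s, got %r" % (at, typ, v))
            elif v.n not in inst:
                bad.append("%s: dangling reference #%d" % (at, v.n))
            elif inst[v.n][0] != typ:
                bad.append("%s: #%d is %s, not %s" % (at, v.n, inst[v.n][0], typ))
    return bad

if __name__ == "__main__":
    print(validate(parse_express(EXPRESS_SCHEMA), parse_p21(STEP_FILE)) or "example.stp conforms")
    print(validate(parse_express(EXPRESS_SCHEMA), parse_p21(STEP_FILE.replace("#1)", "#9)"))))
```

Run as a script it prints the empty problem list for the sample file, then a dangling-reference report for a copy whose owner reference was changed to #9. Parsing failures surface as a ValueError rather than a partial load, which is the behaviour wanted when partner-supplied files are loaded into an M.I.S. automatically: the schema is the contract, and a file is either accepted whole or rejected with a reason.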

NSA-EDM Cast Of Business Character Interests

A few examples of which EDM character firms might be represented, how they might interact with the N.S.A. when cast for tutorials in an N.S.A. workshop workgroup, and what the specific subject areas of information management security focus might be, can be ascertained by reviewing the minutes of previous meetings and studying a 1997 NISSC pre-scheduled meeting's itineraries, topics and subject matter along with their chairmen and panelists, as follows:

The Secret and Below Interoperability (aka) SABI Process
Continuing the Discovery of Community Risk

Monday, 1:30                        Rooms: ____ - ____

Chairman: Mark Loepker, National Security Agency
Panelists: Curtis Dukes, National Security Agency; Charles Schreiner, National Security Agency; Willard Unkenholz, National Security Agency; Corky Parks, National Security Agency; Dallas Pearson, National Security Agency; Warner Brake, Defense Information Systems Agency.

Topic Chairman and Panelists' Biographies

Mark Loepker: Chief, Information Assurance Process Special Project Office, Information Assurance Solutions, National Security Agency. He is responsible for all matters impacting the development, refinement, and implementation of the information assurance solution process. In this capacity, Mr. Loepker leads the Secret and Below Interoperability (SABI) project. He last served with the Command, Control, Communications, and Computer Systems Directorate, U.S. European Command, as Chief, Information Systems Security Division, responsible for all European theater policy and policy enforcement concerning information warfare and communications and computer security. During this tour, he led INFOSEC actions in support of Operation Provide Comfort, Joint Endeavor, and Combined Endeavor (Partnership for Peace).

Curtis Dukes: Deputy Chief, Architectures and Applications Division of the Systems and Network Attack Center, National Security Agency. He is responsible for the technical direction of the Intrusion Detection and Enterprise Management System's vulnerability research within the Center. In this capacity, he leads the Joint Vulnerability Assessment Process of the Secret and Below Interoperability (SABI) Initiative. He previously served in an Intelligence Community assignment in the Directorate of Operations, Central Intelligence Agency.

Chuck Schreiner: Chief of the Solution Security Analysis Division, National Security Agency, which provides customers with vulnerability analysis and test services to support their local risk decisions. He has held previous positions as NSA Representative to the Pentagon, Technical Director for Fielded Systems, and Deputy Chief of the RF Communications Division.

Willard Unkenholz: a Technical Director for the System Security Guidance and Evaluation Division, National Security Agency. His current duties involve developing and leading the DoD risk analysis capabilities applied to the Secret and Below Interoperability Initiative.

Corky Parks: a risk analyst in the System Security Guidance and Evaluation Division, National Security Agency. His areas of interest include the theory and practice of information risk management, and decision theory.

Dallas Pearson: Technical Director for Security and Evaluations in the National Security Agency's Office of Information Assurance Solutions Deployment and Maintenance. All of Dallas' 29 years at NSA have been in technical roles in COMSEC and INFOSEC. He received a Bachelor of Science in Physics from the University of Southern Mississippi in 1970 and a Master of Science in Systems Engineering from Johns Hopkins University in 1995. He is a co-author of NSA's Information Systems Security Engineering (ISSE) Handbook and teaches an in-house introduction to ISSE course.

Warner Brake: Deputy Chief, Information Assurance Implementation Branch of the Information Assurance Program Management Office, Defense Information Systems Agency. He is the senior certification test director and advisor for certification team members, who perform in-depth technical certification testing and compliance validation of DISA pillar, Joint, and NATO programs. He is also responsible for the periodic review and update of DoD Instruction 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP), and the operation of the Information Assurance Support Environment information desk and website.

Secret and Below Interoperability (aka) SABI is an Information Assurance initiative mandated by the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD/C3I) and sponsored by the Joint Chiefs of Staff, Command, Control, Communications, and Computer Systems (JS/J6). SABI improves the security posture of all secret and below DoD systems by using a community-based risk acceptance approach. SABI utilizes proven system security engineering to address the risks to the community, and employs mission-oriented risk management in making sound community decisions.

The goal of SABI is to ensure secure secret and below interoperability solutions for the Warfighter within community-acceptable risks. It is a network-centric process with procedures to review interconnections and leverage proven solution reuse. It is founded on information system security engineering (ISSE) principles, whereby information systems security (INFOSEC) is integrated as a part of systems engineering and systems acquisition processes, strong customer participation in support of mission needs, and the optimal use of INFOSEC disciplines to provide security solutions. Documentation implements DoD Instruction 5200.40, Defense Information Technology Security Certification and Accreditation Process (DITSCAP).

The SABI process teams the local site customer with the appropriate engineering, risk, vulnerability, training and programmatic community risk-focused support necessary to develop the right solution for the customer's SABI requirement. SABI maintains this community team throughout the system security engineering process. This strengthens the community risk acceptability of a specific site solution through continued dialog and participation of all relevant stakeholders.

During the discussion about the current status of the SABI program, the panel will focus on the progress and impact of the National Information Assurance Certification and Accreditation Process (NIACAP), NSTISSI 1000.

Topic Workgroup Meeting Examples

Depicted below are just some examples of how an NISSC topic workgroup itinerary meeting outline might appear, which could also begin with background information, as follows:

National Computer Security Center (aka) NCSC

In 1978, the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (aka) C3I established the Department of Defense Computer Security Initiative (aka) CSI, to ensure the widespread availability of trusted Automatic Data Processing (aka) ADP systems for use within the DoD.

In January 1981, the National Computer Security Center (aka) NCSC was established and assumed responsibility for the activities of the Initiative. The NCSC encourages the development of trusted computing system products, develops computer security standards and guidelines for interested users, and sponsors basic research in this robust field.

In order to encourage the widespread availability of trusted systems, the NCSC has developed an industry-government relationship called the Trusted Product Evaluation Program (aka) TPEP. This effort focuses on the technical protection capabilities of commercially produced and supported systems, based on the Department of Defense Trusted Computer System Evaluation Criteria (aka) TCSEC.

Three (3) important interpretations are used to assist in this program:

1. Trusted Network Interpretation (aka) TNI;
2. Computer Security Subsystem Interpretation (aka) CSSI; and,
3. Trusted Database Interpretation (aka) TDI.

The NCSC also promotes information security education and cooperates with the National Institute of Standards and Technology (aka) NIST to provide computer security assistance to other government departments and agencies.

In support of the above, the NCSC operates a B2 level-of-trust computer system, i.e. DOCKMASTER, which provides on-line service to the information security [intelligence] community.

NIST built a new Information Technology Laboratory (aka) ITL in response to the growing need for measurement and testing technology to support the development of computing and communications systems that are usable, scalable, interoperable, and secure. This need has come into sharper focus in recent years with the national effort to develop an information infrastructure and to support U.S. industry in a global information marketplace.

The ITL seeks to enable the usability, scalability, interoperability, and security of information technology through a focus on three (3) areas:

1. Development of tests for human-machine interfaces, software diagnostics and performance, mathematical software, security, and conformance to standards;
2. Collaborating, consulting and operational services for other NIST laboratories in computational sciences and information services; and,
3. Federal government activities, especially security.

Since 1972, NIST has played a vital role in protecting the security and integrity of information in computer systems in the public and private sectors. The Computer Security Act of 1987 reaffirmed NIST's leadership role in the federal government for the protection of unclassified information. NIST assists industry and government by promoting and supporting better security planning, technology, awareness, and training. In addition, NIST fosters the development of national and international standards for security technology and commercial off-the-shelf (aka) COTS security products.

Finally, NIST has an active, laboratory-based research program in computer and network security with special technical emphasis in cryptography, authentication, public-key infrastructure, internetworking, and security criteria and assurance. NIST also has a special program in support of government key escrow activities.

On October 24, 2001 a conference was held at the Hyatt Regency and the itinerary was scheduled as follows:

Track A -- Criteria & Assurance -- Ballroom 2

PANEL: Trust Technology Assessment Program (aka) TTAP (643)
Chairman: T. Anderson, National Security Agency
Panelists: P. Toth, N.I.S.T. (644); TTAP Working Group Members

This panel will focus on the progress of the TTAP initiative including the lessons learned from the prototype effort to validate the process, procedures, and documentation to support the program in a commercial environment.

Track B -- Electronic Commerce -- Ballroom 3

PANEL: Using Security to Meet Business Needs - An Integrated View From the United Kingdom (677)
Chairman: A. McIntosh, PC Security, Ltd.
Panelists: D. Brewer, Gamma Secure Systems, Ltd. (679); N. Hickson, Department of Trade & Industry (682); D. Anderton, Barclays Bank PLC (684); J. Hodsdon, CESG (685); M. Stubbings, Government Communications Headquarters (aka) G.C.H.Q. [ British agency equivalent to the U.S. National Security Agency (NSA) ], UK (686)

This panel discusses the use of risk management techniques in the identification, accreditation, and maintenance of appropriate security profiles for single organization systems dispersed across a wide range of sites.

Track C -- In Depth -- Room: ___ - ___

Best of the New Security Paradigms Workshop
Chairman: T. Haigh, Secure Computing Corporation (693)
Panelists: R. Blakely, International Business Machines (694); S. Greenwald, Naval Research Laboratory (698); S. Janson, Swedish Institute of Computer Science, Sweden (701); W. Wulf, University of Virginia (704)

This year's workshop focuses on the need to identify new approaches for proving security in very heterogeneous, highly internetworked environments.

Track D -- Internet -- Ballroom 1

OVERVIEW
Chair: C. Bythewood, NCSC
Introduction to Infowarfare Terminology (718): F. Bondoc, Klein & Stump

This overview is aimed at the newcomer to Information Warfare (aka) IW, and introduces the terminology, threats and countermeasures of IW.

Track E -- Legal Perspectives -- Ballroom 4

Legal Issues for the User
Chairman: Special Agent John Lewis, United States Secret Service
Intellectual Property Rights and Computer Software (296): D. Bowman, University of Maryland
Case Study of Industrial Espionage Through Social Engineering (306): I. Winkler, National Computer Security Association
Legal Aspects of Ice-Pick Testing (313): B. Gabrielson, Department of the Navy

Track F -- Management & Administration -- Room: ___ - ___

PANEL: Ethical and Responsible Behavior for Children to Senior Citizens in the Information Age - Community Responsibilities
Chairman: J. Lisi, National Security Agency
Panelists: R. Koenig, ISC2; G. Warshawsky, International Community Interconnected Computing eXchange

Track G -- Research & Development -- Room: ___ - ___

PANEL: Database Systems Today - Safe Information at My Fingertips? (842)
Chairman: J. Campbell, National Security Agency
Panelists: T. Ehrsam, Oracle; R. O'Brien, SCC; T. Parenty, Sybase; J. Worthington, Informix Software Company; Lt. Colonel Pointdexter, D.I.S.A.; S. Sahni, 3S Group Incorporated

This panel will address distributed and web database system security issues and solutions.

Track H -- Solutions -- Room 343-344

Future Activities
Chairman: J. Tippett, National Security Agency
Computer Virus Response Using Autonomous Agent Technology (471): C. Trently, MITRETEK Systems
Security Across the Curriculum - Using Computer Security to Teach Computer Science Principles (483): Major General White, USAF Academy
U.S. Government Wide Incident Response Capability (489): M. Swanson, NIST

Track I -- Tutorials -- Room 327-328

Introduction to Information System Security: L. Smith and D. Strickland, National Cryptologic School

This tutorial will use an interactive computer-based training course to present the basics of information system security (INFOSEC). The course is composed of five instructional units: information systems overview, threats, INFOSEC solutions, INFOSEC techniques, and risk management. A CD-ROM with this and other courses will be provided to attendees.

Tuesday, October 22nd -- 4:00 P.M. - 6:00 P.M.

Track A -- Criteria & Assurance -- Ballroom 2

Gaining Assurance through Evaluations
Chairman: H. Holm, National Security Agency
E4 ITSEC Evaluation of PR/SM on ES/9000 Processors (1): R. Nasser, International Business Machines
A High-Performance Hardware-Based High Assurance Trusted Windowing System (12): J. Epstein, Cordant, Inc.
WWW Technology in the Formal Evaluation of Trusted Systems (22): E. McCauley, Silicon Graphics, Inc.

Track B -- Electronic Commerce -- Ballroom 3

Electronic Commerce: International Security
Chairman: V. Gibson, Computer Sciences Corporation
EDI Moves from the VAN to the Internet (98): B. Bradford, University of Maryland
An International Standard for the Labeling of Digital Products (109): V. Hampel, Hampel Consulting
The Business-LED Accreditor - OR...How to Take Risks and Survive (123): M. Stubbings, Government Communications Headquarters (aka) G.C.H.Q., UK
Integration of Digital Signatures into the European Business Register (131): H. Kurth, Industrieanlagen-Betriebsgesellschaft mbH (IABG), Germany

Track C -- In Depth -- Room 349-350

PANEL: Best of the New Security Paradigms Workshop (continued from 2:00) (693)
Chairman: T. Haigh, Secure Computing Corporation
Panelists: R. Blakely, International Business Machines (694); S. Greenwald, Naval Research Laboratory (698); S. Janson, Swedish Institute of Computer Science, Sweden (701); W. Wulf, University of Virginia (704)

This year's workshop focuses on the need to identify new approaches for proving security in very heterogeneous, highly internetworked environments.

Track D -- Internet -- Ballroom 1

PANEL: Information Warfare: Real Threats, Definition Changes, and Science Fiction (725)*
Chairman: W. Madsen, Computer Sciences Corporation
Panelists: M. Hill, Office of the Assistant Secretary of Defense C3/Information Warfare; F. Tompkins, Science Applications International Corporation; S. Shane, The Baltimore Sun; J. Stanton, Journal of Technology Transfer

This panel will discuss the Information Warfare scenario, which has received a great deal of attention from national security planners, legislators, the military, intelligence agencies, the media, and industry.

Track E -- Legal Perspectives -- Ballroom 4

PANEL: Electronic Data: Privacy, Security, Confidentiality Issues
Chairman: K. Blair, Esq., Duvall, Harrington, Hale and Hassan (740)
Panelists: The Honorable L. Alden, Judge, Fairfax County Circuit Court (741); S. Mandell, Esq., The Mandell Law Firm (749); R. Palenski, Esq., Gordon and Glickson, P.C. (749); S. Ray, Esq., Kruchko & Fries (800)

This panel will discuss how the legal system is dealing with crimes involving the use of computers. Because computers are relatively new in the world of established criminal law, many of the illegal events associated with the use of computers did not come with definitions established by legislation or case law.

Track F -- Management & Administration -- Room 341-342

New Workplace Paradigms for Security
Chairman: C. Hash, National Security Agency
Security Through Process Management (323): J. Bayuk, Price Waterhouse
Malicious Data and System Security (334): O. Sibert, Oxford Systems, Inc.
Security Issues for Telecommuting (342): L. Carnahan, NIST

Track G -- Research & Development -- Room 345-346

PANEL: Webware: Nightmare or Dream Come True? (844)
Chairman: P. Neumann, SRI International
Panelists: S. Bellovin, AT&T Laboratories (845); E. Felten, Princeton University (846); P. Karger, International Business Machines (847); J. Roskind, Netscape (849)

This panel will discuss the risks involved in the open-ended security problem introduced by world-wide web browsers and programming languages such as Java and JavaScript, as well as other languages with similar problems - such as ActiveX, Microsoft WORD macros, and PostScript. Specific attention will be spent on how to intelligently succeed.

Track H -- Solutions -- Room: ___ - ___

PANEL: Information Systems Security Research Joint Technology Office
Chairman: R. Schaeffer, National Security Agency
Panelists: T. Lunt and H. Frank, Defense Advanced Research Projects Agency (aka) DARPA; R. Meushaw, National Security Agency

This panel will discuss its successes since the first (1st) year of this joint partnership to develop and integrate security technology. The partnership will maximize security solutions for building the DII & NII.

Track I -- Tutorials -- Room 327-328

Trusted Systems Concepts: C. Abzug, Institute for Computer and Information Sciences

This tutorial focuses on the fundamental concepts and terminology of trust technology. It includes descriptions of the Trusted Computer System Evaluation Criteria (TCSEC) classes, how the classes differ, and how to determine the appropriate class for your operational environment.

Wednesday, October 23rd -- 8:30 A.M. - 10:00 A.M.

Track A -- Criteria & Assurance -- Ballroom 2

PANEL: Alternative Assurance: There's Gotta Be a Better Way! (644)*
Chairman: D. Landoll, ARCA Systems, Inc.
Panelists: J. Adams, NSA; Speaker TBD, WITAT System Analysis & Operational Assurance Subgroup Chair; M. Abrams, The MITRE Corporation, WITAT Impact Mitigation Subgroup Chair; Speaker TBD, WITAT Determining Assurance Mix Subgroup Chair

A workshop report about the evolving development of practical solutions for business and industry in need of confidence in their information systems.

Track B -- Electronic Commerce -- Ballroom 3

PANEL: Information Security - Transforming the Global Marketplace: D. Gary, Booz-Allen & Hamilton
Panelists: J. M. Anderson, Morgan Stanley; K. Panker, American Bankers Association; P. Freund, CertCo

Technology resources are means to achieve organizational goals - not solutions in their own right. New dimensions of commercial interchange in a highly networked marketplace will be discussed.

Track C -- In Depth -- Room 349-350

PANEL: Public Key Infrastructure: From Theory to Implementation
Public Key Infrastructure Technology (707)
Chairman: D. Dodson, NIST
Panelists: R. Housley, Spyrus; C. Martin, General Accounting Office; W. Polk, NIST; S. Chokani, Cygnacom Solutions, Inc.; V. Hampel, Hampel Consulting; W. Ford, Independent Consultant

This panel will familiarize the audience with PKI standards, interoperability solutions, and implementation issues. This session will concentrate on technical specifications and standards; the session that follows will review lessons learned during implementation of existing PKIs.

Track D -- Internet -- Ballroom 1

PANEL: Security in World Wide Web Browsers - More than Visa cards? (737)
Chairman: R. Dobry, N.S.A.
Panelists: C. Kolcun, Microsoft; B. Atkins, NSA; K. Rowe, NCSA; Speaker TBD, Netscape

This panel will discuss the security problems and solutions required to handle electronic commerce via the Internet.

Track E -- Legal Perspectives -- Ballroom 4

PANEL: Computer Crime on the Internet - Sources and Methods (817)
Chairman: C. Axsmith, The Orkand Corporation
Panelists: Special Agent M. Pollitt, Federal Bureau of Investigation (F.B.I.); P. Reitinger, Esq., Department of Justice; B. Fraser, CERT, Carnegie Mellon University

This panel will discuss some case studies of system break-ins, what information system administrators should focus on saving for the evidentiary trail, and some resources available to the system administrator should a break-in be attempted.

Track F -- Management & Administration -- Room 341-342

PANEL: Current Challenges in Computer Security Program Management (828)
Chairman: M. Wilson, NIST
Panelists: L. McNulty, McNulty and Associates; P. Connelly, White House Communications Agency; A. Miller, Fleet and Industrial Supply Center; B. Gutmann, NIST

This panel will discuss managing a computer security program in light of budget constraints, reorganizing and downsizing, and the continuous decentralization of ever more complex computing and communications environments.

Track G--Research & Development--Room 345-346

PANEL

Availability Policies: The Forgotten INFOSEC Pillar

Chairman: V. Gligor, University of Maryland

Panelists: H. Hosmer, Data Security, Inc.; J. Millen, The MITRE Corporation; R. Nelson, Information System Security; M. Reiter, AT&T

This panel will discuss various kinds of availability policies, highlighting impact assumptions and potential conflicts with other kinds of security policies.

Track H--Solutions--Room 343-344

PANEL

Security Management Infrastructure Deployment and Operations (871)

Chairman: A. Arsenault, N.S.A.

Panelists: D. Heckman, NSA; S. Capps, NSA; S. Hunt, NSA

This panel will focus on lessons learned from the deployment of MISSI security management infrastructure at NSA and GSA.

Track I--Tutorials--Room 327-328

OS Security: M. Weidner, ARCA Systems

This tutorial focuses on security issues for commercial operating systems. Topics include common vulnerabilities, security services, and potential safeguards. Specific capabilities of several commercially available operating systems will be discussed.

Wednesday, October 23rd------------10:30 A.M. -- 12:00 Noon

Track A--Criteria & Assurance--Ballroom 2

PANEL

Current Perspective on Strategies for the Certification & Accreditation Processes (646)

Chairman: B. Stauffer, CORBETT Technologies, Inc. (653)

Panelists: P. Wisniewski, NSA (647); C. Stark, Computer Science Corporation (648); R. Snouffer, NIST (652); J. Eller, DISA, CISS (ISBEC) (646)

Paper

The Certification of the Interim Key Escrow System (26): R. Snouffer, NIST

Track B--Electronic Commerce--Ballroom 3

PANEL

Security APIs: CAPIs and Beyond (687)

Chairman: A. Reiss, N.S.A.

Panelists: J. Centafont, NSA; Speaker TBD, Microsoft; L. Dobranski, Communications Security Establishment (aka) C.S.E., Canada; D. Balenson, Trusted Information Systems, Inc.

The panelists will discuss Cryptographic Application Program Interfaces, FORTEZZA, Public Key Infrastructures, the International Cryptography Experiment, and the Microsoft Internet Security Framework.

Paper

NIST Proposal for a Generic Authentication Module Interface: J. Dray, NIST

Track C--In Depth--Room 349-350

PANEL

Public Key Infrastructure: From Theory to Implementation (continued from 8:30) (707)

Public Key Infrastructure Implementations

Chairman: W. Polk, NIST

Panelists: P. Edfors, Government Information Technology Services (GITS) Board; D. Heckman, NSA; D. Dodson, NIST; J. Galvin, CommerceNet; W. Redden, Communications Security Establishment (aka) C.S.E.; R. Kemp, General Services Administration SI-PMO

Track D--Internet--Ballroom 1

OVERVIEW

Chairman: M. Schaffer, ARCA Systems

Secure Business on the Internet: Looking Ahead with Electronic Data Interchange: D. Federman, Premenos

The speaker will discuss the history of Electronic Data Interchange and how today's marketplace on the Internet needs cost effective and secure business solutions to function over the World Wide Web.

Track E--Legal Perspectives--Ballroom 4

PANEL

Legal Liability for Information System Security Compliance Failures - New Recipes for Electronic Sachertorte Algorithms (818)

Chairman: F. Smith, Esq., Private Practice, Santa Fe, New Mexico

Panelists: J. Montjoy, BBN Corporation; E. Tenner, Princeton University; D. Loundy, Esq., Private Practice, Highland Park, Illinois

This panel will discuss the liabilities associated with the increased expansion of increasingly complex computer networks and associated services.

Track F--Management & Administration--Room 341-342

PANEL

Achieving Vulnerability Data Sharing (830)*

Chairman: L. Carnahan, NIST

Panelists: M. Bishop, University of California, Davis, CA.; J. Ellis, CERT, Carnegie Mellon University; I. Krsul, COAST Laboratory, Purdue University

This panel will discuss security issues to be addressed when building a data repository that will be shared by different communities of interest.

Track G--Research & Development--Room 345-346

PANEL

Secure Systems and Access Control (851)

Chairman: T. Lunt, Defense Advanced Research Projects Agency (DARPA)

Panelists: D. Sterne, Trusted Information Systems, Inc. (852); R. Thomas, ORA (854); M. Zurko, OSF (855); J. Lepreau, University of Utah (857); J. Rushby, SRI International

The panelists will discuss their respective security programs.

Track H--Solutions--Room 343-344

Future of Trust in Commercial Operating Systems (872)

Chairman: T. Inskeep, NSA

Panelists: K. Moss, Microsoft; J. Alexander, Sun Microsystems; J. Spencer, Data General; M. Branstad, Trusted Information Systems, Inc.; G. Liddle, Hewlett Packard

This panel will discuss where assurance and functionality in commercial systems are going.

Track I--Tutorials--Room 327-328

Network Security: J. Wool, ARCA Systems

This tutorial focuses on basic issues in network security and gives an overview of the implementing process. Topics include network security concerns and services, vendor qualification issues, system composition and interconnection, and cascading.

Wednesday, October 23rd---------12:45 p.m. -- 1:45 p.m.

Midday Seminar--Room 327-328

War Stories

Speaker: James P. Anderson, J. P. Anderson & Co.

Wednesday, October 23rd-----------2:00 P.M. -- 3:30 P.M.

Track A--Criteria & Assurance--Ballroom 2

PANEL

Firewall Testing and Rating (655)

Chairman: J. Wack, NIST

Panelists: I. Winkler, National Computer Security Association; K. Dolan, NSA; J. McGowen, National Computer Security Association; C. Costack, Computer Science Corporation

This panel will discuss whether firewalls can be effectively rated, what the rating criteria are, characteristics of firewalls that don't lend themselves to rating, and how well rating and testing actually work.

Track B--Electronic Commerce--Ballroom 3

PANEL

Are Cryptosystems Really Unbreakable? (691)

Chairman: D. Denning, Georgetown University

Panelists: S. Bellovin, AT&T Research; P. Kocher, Independent Cryptography Consultant; A. Lenstra, Citibank (692); E. Thompson, AccessData Corporation

The panelists will explore the strengths of existing cryptosystems in terms of potential weaknesses in algorithms, protocols, implementation, and application environments.

Track C--In Depth--Room 349-350

Chairman: T. Zmudzinski, Defense Information Systems Agency

Establishing an Enterprise Virus Response Program (709): C. Trently, MITRETEK Systems; Laboratory Assistants: E. Hawthorn, MITRETEK Systems; D. Black, MITRETEK Systems

The speakers will provide practical information that can be used to understand the virus threat; institute low cost preventative mechanisms; develop and implement enterprise response mechanisms, including when to contact the experts; and monitor the effectiveness of the tools and program within the enterprise. Thirty attendees will be able to get hands-on practice in the lab in Room 330 during Part 2 of the lecture.

This In-depth tutorial will be repeated at 8:30 a.m. on Thursday.

Track D--Internet--Ballroom 1

Security Issues in a Networked Environment

Chairman: D. Branstad, Trusted Information Systems, Inc.

The Advanced Intelligent Network -- A Security Opportunity (221): T. Casey, Jr., GTE Laboratories, Inc.

Security Issues in Emerging High Speed Networks (233): V. Varadharajan, University of Western Sydney, Australia

A Case Study of Evaluating Security in an Open Systems Environment (250): D. Tobat, TASC

Track E--Legal Perspectives--Ballroom 4

PANEL

The Next Generation of Cyber Criminals

Chairman: M. Gembicki, WARROOM RESEARCH LLC.

Panelists: J. Christie, AFOSI; K. Geide, Federal Bureau of Investigation (FBI); D. Waller, Time Magazine

The panelists will address cybercrime issues and how cybercrime affects legal competitive intelligence, the National Information Infrastructure, information warriors, and the commercial business environment. Examples ranging from traditional organized crime elements to individual "Cyber-Terrorists", as well as proposed changes in Government strategies, will be presented.

Track F--Management & Administration--Room 341-342

PANEL

Incident Handling Policy, Procedures, and Tools (831)

Chairman: M. Swanson, NIST

Panelists: K. Cooper, BBN Planet; T. Longstaff, Computer Emergency Response Team; P. Richards, Westinghouse Savannah River Company; K. van Wyk, Science Applications International Corporation (SAIC)

This panel will discuss the incident handling policy and procedures that have been implemented within their organizations. They will also discuss a new methodology that system administrators can use for characterizing network security tools.

Track G--Research & Development--Room 345-346

Network Attacks, Protections, and Vulnerabilities

Chairman: W. Murray, Deloitte & Touche

An Isolated Network for Research (349): M. Bishop, University of California, Davis, CA.

GrIDS - A Graph-Based Intrusion Detection System for Large Networks (361): S. Staniford-Chen, University of California, Davis, CA.

Attack Class - Address Spoofing (371): T. Heberlein, University of California, Davis, CA.

Track H--Solutions--Room 343-344

PANEL

Vendors' Experience with Security Evaluations (873)

Chairman: J. DeMello, Oracle Corporation

Panelists: J. Caywood, Digital Equipment Corporation (DEC); D. Harris, Oracle Corporation (874); K. Moss, Microsoft Corporation (876); I. Prickett, Sun Microsystems (877)

This panel will discuss their experiences in achieving successful evaluations, identifying what has worked well for them, and not-so-well, in the process.

Track I--Tutorials--Room 327-328

Database Security: W. Wilson, Arca Systems

This tutorial focuses on database security issues from the standpoint of using database management systems to meet the organization's security requirements. Topics include data security requirements, vulnerabilities, database design considerations, and implementation issues.

Wednesday, October 23rd----------4:00 P.M. -- 6:00 P.M.

Track A--Criteria & Assurance--Ballroom 2

PANEL

The Trusted Product Evaluation Program: Direction for the Future (656)

Chairman: J. Pedersen, N.S.A.

Representatives from various initiatives within the Trusted Product Evaluation Program will discuss the overall strategy for the future of TPEP, including specific steps for moving the program to new evaluation criteria, mechanisms for commercial advice to vendors, and new types of products which will be evaluated.

Track B--Electronic Commerce--Ballroom 3

Information Security in the Business World

Chairman: N. Pantiuk, IIT Research Institute

Industrial Espionage Today and Information Wars of Tomorrow (139): P. Joyal, INTEGER Inc.

B is for Business - Mandatory Security Criteria & the OECD Guidelines for Information Systems Security (152): W. Caelli, Queensland University of Technology, Australia

Marketing & Implementing Computer Security (163): M. Wilson, NIST

Secure Internet Commerce - Design and Implementation of the Security Architecture of Security First Network Bank, FSB (173): N. Hammond, NJH Security Consulting, Inc.

Track C--In Depth--Room 349-350

Concerns in the Cryptographic Arenas

Chairman: P. Woodie, NSA

Automatic Formal Analyses of Cryptographic Protocols (181): S. Brackin, ARCA Systems, Inc.

Surmounting the Effects of Lossy Compression on Steganography (194): C. Irvine, Naval Postgraduate School

Key Escrowing Systems and Limited One Way Functions (202): W. T. Jennings, E-Systems

The Keys to a Reliable Escrow Agreement (215): R. Sheffield, Fort Knox Escrow Services, Inc.

Track D--Internet--Ballroom 1

WWW: The Case for Having a Security Policy and Measuring It

Chairman: R. Wood, National Cryptologic School

Internet Firewalls Policy Development and Technology Choices (259): L. D'Alotto, GTE Laboratories

A Case for Avoiding Security-Enhanced HTTP Tools to Improve Security for Web Based Applications (267): B. Wood, Sandia National Laboratories

Applying the Eight Stage Risk Assessment Methodology to Firewalls (276): D. Drake, Science Applications International Corporation

Lessons Learned: An Examination of Cryptographic Security Services in a Federal Automated Information System (288): J. Foti, NIST

Track E--Legal Perspectives--Ballroom 4

PANEL

Legal Aspects of the Internet - Rights and Obligations of Users and Vendors

Chairman: C. Castagnoli, Esq., Haystack Labs

Panelists: C. Merrill, Esq., Carter & English; M. Lemley, Esq., Professor of Law, University of Texas; M. Godwin, Esq., Electronic Frontier Foundation

The panelists will discuss digital signatures, on-line contracting and the liability issues for the operator and the user.

Track F--Management & Administration--Room 341-342

PANEL

Interdisciplinary Perspectives on INFOSEC: Mandatory Reporting (833)

Chairman: M. Kabay, National Computer Security Association

Panelists: B. Butterworth, Federal Aviation Administration; B. Smith Jacobs, Securities and Exchange Commission (SEC); R. Whitmore, Occupational Health and Safety Administration (OSHA); S. Wetterhall, Centers for Disease Control and Prevention (C.D.C.&P.)

This panel will discuss their experiences from other disciplines with mandatory reporting of security incidents and accidents, with an eye to avoiding known pitfalls and benefiting from their years of experience.

Track G--Research & Development--Room 345-346

PANEL

Facing the Challenge: Secure Network Technology for the 21st Century (867)

Chairman: R. Schaeffer, NSA

Panelists: R. Meushaw, NSA; C. McBride, NSA; D. Muzzy, NSA; B. Burnham, NSA

This panel discusses current initiatives and collaborations within the research communities in government, industry, and academia. Additionally, room 347-348 is set up to demonstrate examples of core technologies to include Token Technology, Voice Verification, Real-time Encrypted Voice, Firewalls, Secure Wireless Communications, and others.

Track H--Solutions--Room 343-344

Security with COTS (Commercial-Off-The-Shelf) Products

Chairman: S. Kougoures, N.S.A.

MLS DBMS Interoperability Study (495): R. Burns, ESC/ENS

MISSI Compliance for Commercial-Off-The-Shelf Firewalls (505): M. Hale, NSA

Designing & Operating a Multilevel Security Network Using Standard Commercial Products (515): M. McGregor, Air Force C4 Technology Validation Office

Track I--Tutorials--Room 327-328

Information Systems Security Officer's Challenges: C. Breissinger, Department of Defense Security Institute

This tutorial focuses on the continued protection and accreditation of operational information systems. Topics include: virus prevention and eradication; access control evaluation and configuration; media clearing and purging; intrusion detection and handling; and dealing with risk.

Thursday, October 24th-----------------8:30 A.M. -- 10:00 A.M.

Track A--Criteria & Assurance--Ballroom 2

PANEL

Common Criteria Project Implementation Status (657)

Chairman: L. Ambuel, BDM International

Panelists: M. Donaldson, Communications-Electronics Security Group, UK; R. Harland, Communications Security Establishment (aka) C.S.E., Canada; K. Keus, BSI/GISA, Germany; F. Mulder, Netherlands National Communications Security Agency; J. Smith, Gamma Secure Systems, UK

The panelists will discuss the Common Criteria trial version's structure and content, the status and results to date of the trial-use and implementation activities, the planned future of the project, and the expected impact of all this work on US and international IT security communities.

Track B--Electronic Commerce--Ballroom 3

OVERVIEW

Security Concerns in the Private Sector - Banking: S. Ross, Deloitte & Touche

Track C--In Depth--Room 349-350

OVERVIEW

Chairman: S. Lipner, Trusted Information Systems, Inc.

Establishing an Enterprise Virus Response Program (709): C. Trently, MITRETEK Systems; Laboratory Assistants: E. Hawthorn, MITRETEK Systems; D. Black, MITRETEK Systems

The speakers will provide practical information that can be used to understand the virus threat; institute low cost preventative mechanisms; develop and implement enterprise response mechanisms, including when to contact the experts; and monitor the effectiveness of the tools and program within the enterprise. Thirty attendees will be able to get hands-on practice in the lab in Room 330 during part 2 of the lecture.

This In Depth tutorial is a live encore presentation from Wednesday at 2:00.

Track D--Internet--Ballroom 1

PANEL

Secure Use of the World Wide Web: Moving From Sandbox to Infrastructure

Chairman: R. Bagwill, NIST

Panelists: J. Pescatore, IDC Government; S. Smaha

This panel will explore the current state of practice in WWW security practices and standards, and provide predictions for the evolution of these security services in the commercial environment.

Track E--Legal Perspectives--Ballroom 4

PANEL

V-Chip: Policies and Technology (822)

Chairman: H. Hosmer, Data Security, Inc.

Panelists: D. Moulton, Esq., Chief of Staff, Office of Congressman Markey, HR; D. Brody, MD, American Academy of Child and Adolescent Psychiatry; S. Goering, Esq., American Civil Liberties Union; W. Diffie, Sun Microsystems

This panel will address a variety of legal and technical issues concerning the V-chip, a hardware device inserted into new televisions which can identify labels attached to movies, etc.

Track F--Management & Administration--Room 341-342

PANEL

Industrial Espionage Today and Information Wars of Tomorrow

Chairman: P. Joyal, Integer, Inc.

Panelists: Ret. Major General O. Kalugin, Russia; S. Baker, Esq.; M. Lajman, Author on French Intelligence; E. O'Malley, retired F.B.I.

This panel will discuss the perspectives of Industrial Espionage as the focus of a multi-national problem which affects everyone.

Track G--Research & Development--Room 345-346

Implementations of the Security Policy

Chairman: D. Gambel, General Research Corporation

Generic Model Interpretations: POSIX.1 and SQL (378): D. Elliott Bell, MITRETEK Systems

The Privilege Control Table Toolkit: An Implementation of the System Build Approach (389): T. Woodall, Hughes Aircraft Company

Use of the Zachman Architecture for Security Engineering (398): R. Henning, Harris Corporation

Track H--Solutions--Room 343-344

New Test Methodologies

Chairman: R. Lau, N.S.A.

Real World Anti-Virus Product Reviews and Evaluation - The Current State of Affairs (526): S. Gordon, Command Systems, Inc.

Security Proof of Concept Keystone (SPOCK) (539): J. McGehee, COACT, Inc.

Use of a Taxonomy of Security Faults (551): I. Krsul, Coast Laboratory, Purdue University

Track I--Tutorials--Room 327-328

Information Systems Security Engineering: P. Boudra, NSA; D. Pearson, NSA

Thursday, October 24th-----------10:30 A.M. -- 12:00 Noon

Track A--Criteria & Assurance--Ballroom 2

Views of Assurances

Chairman: D. Kinch, N.S.A.

Configuration Management in Security related Software Engineering Processes (34): K. Keus, Bundesamt für Sicherheit in der Informationstechnik, Germany

The Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) (46): B. Stauffer, CORBETT Technologies, Inc.

Trusted Process Classes (54): W. Steffan, Tracor Applied Science, Inc.

Track B--Electronic Commerce--Ballroom 3

OVERVIEW

Security Concerns in the Private Sector: Brokerage: D. Gary, Booz-Allen & Hamilton

Track C--In Depth--Room 349-350

PANEL

Information Security Policy: There has to be a Better Way

Chairman: J. Pescatore, Trusted Information Systems, Inc.

Panelists: K. Kasprzak, Maryland Bancorp; S. Smaha, Haystack Labs; R. Stratton, Wheelgroup Inc.

The panelists will discuss new ideas for transforming organizational needs into security controls and policies.

Track D--Internet--Ballroom 1

PANEL

Attack/Defense (738)

Chairman: J. David, The Fortress

Panelists: S. Bellovin, AT&T; W. Cheswick, AT&T; P. Peterson, Lockheed-Martin; M. Ranum, V-One

The panel will discuss how the role of the Internet security practitioner has changed. Keeping the bad guys out is no longer the prime goal of security; rather, it is the prompt and accurate identification of intrusions (or, preferably, intrusion attempts) and minimizing the damages. This session examines these "popular" attacks and presents ways to effectively defend your site against them.

Track E--Legal Perspectives--Ballroom 4

PANEL

Protecting Medical Records and Health Information (824)

Chairman: J. Winston, Trusted Information Systems, Inc.

Panelists: G. Belles, VA Medical Information Security Service; B. Braithwaite, US Department of Health and Human Services*; P. Bruening, Information Policy Consultant; P. Taylor, US General Accounting Office

This panel will examine the technical, policy, and legal issues involved in establishing and implementing appropriate protections for patient medical records and other types of health information.

Track F--Management & Administration--Room 341-342

PANEL

International Perspectives on Cryptography Policy (835)

Chairman: D. Denning, Georgetown University

Panelists: P. Ford, Attorney General's Office, Australia; D. Herson, Commission of the European Communities, Belgium; N. Hickson, Department of Trade and Industry, UK

Panelists from outside the United States will discuss their views on cryptography policy and national and international proposals and initiatives.

Track G--Research & Development--Room 345-346

Mechanisms in Understanding Security

Chairman: H. Weiss, SPARTA, Inc.

Developing Secure Objects (410): D. Frincke, University of Idaho

Deriving Security Requirements for Applications on Trusted Systems (420): R. Spencer, Secure Computing Corporation

Security Implications of the Choice of Distributed Database Management Systems Model: Relational vs. Object-Oriented: S. Coy, University of Maryland

Track H--Solutions--Room 343-344

Defenses in Networks

Chairman: M. Woodcock, National Cryptologic School

Protecting Collaboration (561): G. Wiederhold, Stanford University

Design and Management of A Secure Networked Administration System: A Practical Solution (570): Prof. V. Varadharajan, University of Western Sydney, Australia

Information Warfare - INFOSEC and Dynamic Information Defense (581): V. Winkler, PRC Inc.

Track I--Tutorials--Room 327-328

Systems Security Engineering Capability Maturity Model: K. Ferraiolo, ARCA Systems

A capability maturity model (CMM) has been developed to help organizations improve their security engineering capability. This tutorial will describe the model, why it was developed, how it is being used, and plans for its use in the future.

Thursday, October 24th----------12:45 P.M. -- 1:45 P.M.

Midday Seminar--Room 343-344

PANEL

Security Protocols/Protocol Security

Chairman: D. Maughan, N.S.A.

Panelists: TBD

This panel will discuss why standards and protocols are needed for the increased use of the Internet by personal as well as business ventures.

Thursday, October 24th --------------2:00 P.M. -- 3:30 P.M.

Track A--Criteria & Assurance--Ballroom 2

Evolution of Criteria Requirements and User Needs

Chairman: J. Arnold, Science Applications International Corporation

Design Analysis in Evaluations Against the TCSEC C2 Criteria (67): D. Bodeau, The MITRE Corporation

System Security Engineering Capability Maturity Model and Evaluations - Partners within the Assurance Framework (76): C. Menk III, NSA

Applying the TCSEC Guidelines in a Real-Time Embedded System Environment (89): D. Frincke, University of Idaho

Track B--Electronic Commerce--Ballroom 3

OVERVIEW

Security Concerns in the Private Sector - Communications: J. Klein, Wizards Keys

Track C--In Depth--Room 349-350

OVERVIEW & PANEL

Data Warehousing I: An Introduction to Data Warehousing, Data Mining and Security (711)

Chairman: J. Campbell, N.S.A.

Panelists: B. Thuraisingham, The MITRE Corporation; J. Worthington, Informix Software, Inc.; P. Lambert, Oracle Corporation

These sessions will investigate Data Warehousing from what it is to what are the security issues associated with it. These sessions will provide a basis for a Friday afternoon workshop co-sponsored by the IEEE Mass Storage Committee. The goal of the workshop is to provide direction in future R&D efforts ensuring optimal security for Data Warehousing and Data Mining environments.

Track D--Internet--Ballroom 1

PANEL

The Web - What is it? Why/How is it Vulnerable? (739)*

Chairman: J. David, The Fortress

Panelists: J. Freivald, Charter Systems, Inc.; P. Peterson, Lockheed-Martin; D. Dean, Department of Computer Science, Princeton University

The speakers will formally describe what the web is/does, indicate how it differs from "normal" Internet use, show how it is used in typical/popular operational modes, and point out the nature and magnitude of primary vulnerabilities.

Track E--Legal Perspectives--Ballroom 4

PANEL

Crimes in Cyberspace: Case Studies (827)

Chairman: W. Galkin, Esq., Law Office of William S. Galkin

Panelists: A. Weiner, Esq., Weiner, Astrachan, Gunst, Hillman & Allen; K. Bass, III, Venable, Baetjer, Howard & Civeletti

The panel will present, discuss, and analyze the legal issues involving several actual criminal incidents that have occurred in Cyberspace.

Track F--Management & Administration--Room 341-342

PANEL

Surviving the Year 2000 Time Bomb (839): G. Hammonds, AGCS, Inc.

Panelists: J. White, OAO Corporation; A. Hodyke, ESC/AXS/USAF

This panel will identify the complexity and magnitude of the Year 2000 Problem, why so many people will likely be affected, and some practical near and long-term solutions.

Track G--Research & Development--Room 345-346

PANEL

Toward a Common Framework for Role-Based Access Control (868)*

Chairman: D. Ferraiolo, NIST

Panelists: R. Sandhu, George Mason University; V. Gligor, University of Maryland; R. Kuhn, NIST

This panel will discuss the issues related to the development of a common reference model for Role-Based Access Control.

Track H--Solutions--Room 343-344

PANEL

Workshop Report on the Role of Optical Systems and Devices for Security (879)

Chairman: T. Mayfield, Institute for Defense Analyses

Panelists: M. Medard, MIT Lincoln Laboratory; J. Ingles, NSA; M. Krawczewicz, NSA; B. Javidi, University of Connecticut

This panel will address security and vulnerabilities in all-optical networks, discuss the use of optics for information encoding, and introduce some applications that might take advantage of optical technology.

Track I--Tutorials--Room 327-328

Common Criteria: K. Britton, NSA; L. Ambuel, BDM International

The Common Criteria has been developed as the next generation of IT Security Criteria replacing the TCSEC, ITSEC, and CTCPEC. This session will provide a working knowledge of the concepts and contents of the Common Criteria.

Thursday, October 24th------------4:00 P.M. -- 6:00 P.M.

Track A--Criteria & Assurance--Ballroom 2

PANEL

Assurance Measures in Evaluation Assurance Level 3 of the Common Criteria (660)*

Chairman: M. Schanken, N.S.A.

Panelists: S. Katzke, NIST; K. Keus, GISA; Y. Klein, France

The Common Criteria Sponsoring Organizations are investigating alternative approaches for gaining assurance that products and systems meet their security requirements. The initial phase of the activity maps several alternative assurance approaches to Evaluation Assurance Level 3 (EAL 3) of the Common Criteria.

Track B--Electronic Commerce--Ballroom 3

OVERVIEW

Security Concerns in the Private Sector - Manufacturing: S. Meglathery, Estee Lauder (Cosmetics)

Track C--In Depth--Room 349-350

OVERVIEW & PANEL

Data Warehousing II: The Security Issues

Chairman: D. Kinch, N.S.A.

This session continues discussing current data warehousing security issues.

Track D--Internet--Ballroom 1

PANEL

Securing the Web (739)

Chairman: J. David, The Fortress

Panelists: J. Freivald, Charter Systems, Inc.; P. Peterson, Lockheed-Martin; D. Dean, Department of Computer Science, Princeton University

The speakers will show how to treat the vulnerabilities uncovered in the first session in and of themselves, and as a part of both Internet security programs and total security programs.

Track E--Legal Perspectives--Ballroom 4

(OPEN)

Track F--Management & Administration--Room 341-342

PANEL

Security Siblings

Chairman: C. Pfleeger, Trusted Information Systems, Inc.

Panelist: W. Agresti, MITRETEK Systems

This panel will discuss other venues of assurance developed in the reliability, safety critical, fault-tolerant as well as the security communities. By working together, we can reduce the expense of repeating each other's errors and share our successes.

Track G--Research & Development--Room 345-346

Security Policy & PKI Certification

Chairman: H. Highland, FICS

Management Model for the Federal Public Key Infrastructure (438): N. Nazario, NIST

Security Policies for the Federal Public Key Infrastructure (445): N. Nazario, NIST

A Proposed Federal PKI using X.509 V3 Certificates (452): W. Burr, NIST

A Security Flaw in the X.509 Standard (463): S. Chokani, Cygnacom Solutions, Inc.

Track H--Solutions--Room 343-344

PANEL

Cryptography's Role in Securing the Information Society

Chairman: H. Lin, National Research Council (N.R.C.)

Panelists: W. Ware, The Rand Corporation, Emeritus; P. Neumann, SRI International

The panel will discuss the National Research Council (N.R.C.) report on Cryptography and its role.

Track I--Tutorials--Room 327-328

Education Technology: R. Quane, National Cryptologic School

Friday, October 25th------------8:30 A.M. -- 10:00 A.M.

Track A--Criteria & Assurance--Ballroom 2

PANEL

Secure Networking and Assurance Technologies (661)*

Chairman: T. Lunt, Defense Advanced Research Projects Agency (D.A.R.P.A.)

Panelists: K. Levitt, University of California, Davis, CA; J. McHugh, Portland State University (663); S. Kent, BBN; J. Voas, Reliable Software Technologies (669); D. Weber, Key Software (666); L. Badger, Trusted Information Systems, Inc. (667)

The speakers will discuss their goals for secure networking and assurance technologies in the following areas: Intrusion Detection, Secure Mobile Computing, and new inroads to Internet Security.

Track C--In Depth--Room 349-350

PANEL

ISSO as a Vendor Partner in a Changing World

Chairman: B. Snow, N.S.A.

Panelists: C. Baggett, NSA; S. Barnett, NCSC; M. Fleming, NSA; R. George, NSA; R. Marshall, Esq., NSA; H. Novitsky, NSA; R. Schaffer, NSA

This panel of technical leaders from the Information Systems Security Organization will discuss their organizational plans for vendor interaction and support, and under what terms, with the stress on how the ISSO is changing to better accomplish the ISSO mission.

Track F--Management & Administration--Ballroom 4

PANEL

The Assessment Methodology in the Corporate Sector

Chairman: R. Lopez, N.S.A.

Panelists: J. Jackson, N.S.A., V. Moseley, N.S.A.. G. Hale, N.S.A., S.

Dombkowski, NSA


The panelists will provide a background of the methodology and tools used by reviewers of information assets in the corporate environment.

Track H--Solutions--Room 343-344

Execution of Security Policies

Chairman: D. Arnold, N.S.A.

Security for Mobile Agents: Issues and Requirements (591), V. Swarup, The MITRE Corporation
Extended Capability: A Simple Way to Enforce Complex Security Policies in Distributed Systems (598), I-Lung Kao, IBM Corporation
IGOR: The Intelligence Guard for ONI Replication (607), R. Shore, The ISX Corporation

Friday, October 25th-----------------10:20 A.M. -- 12:30 P.M.

Closing Plenary Ballrooms 1 & 3

Information Systems Security - Directions and Challenges

Moderator: Willis H. Ware, Corporate Research Staff, Emeritus -- The Rand Corporation

Distinguished Panelists: C. Thomas Cook (889)*, Executive Vice President -- Banc One Services Corporation; William P. Crowell, Deputy Director -- National Security Agency; John Lainhart (890), Inspector General -- U.S. House of Representatives; J. F. Mergen, Principal Scientist -- BBN; Stephen Smaha, Chief Executive Officer/President -- Haystack Labs; Charles Stuckey, Chief Executive Officer -- Security Dynamics

The need for seamless value-added, yet end-to-end secure and cost-effective, information systems and networks in a rapidly evolving technological world that is globally competitive, has created extraordinary demands and challenges for the public, academic, and private sectors. Each is asking itself how to meet the future with a stalwart information infrastructure, and wondering what the roles and contributions of the other two sectors will or should be.

This distinguished panel is convened to address such over-arching issues and to engage the audience in a dialogue on such questions as the following:

* What challenges do you perceive for your own business or end-user community with respect to information system security?
* What are the security-relevant challenges for your organization? What is security's strategic role in your organization? How are you making the tradeoffs?
* As you move into new technology, how do you see the challenges changing, evolving, or growing more serious?
* How do you think these challenges can best be dealt with -- from a management view; from a public policy view; from a technical view; from a business view?
* What do you see as the respective roles for government, industry, and academia as the country and the world move into an ever more information-intensive future?
* What do you see that industry, government, and academia should be doing in computer security? What is each doing well or not so well now?

Demonstrations and Activities


Wednesday - Thursday ---Information Systems Security Exposition -----Hall G

The Armed Forces Communications and Electronics Association will host, in parallel with the Conference, an exhibition of security products and services. This exposition provides a forum for industry to showcase information systems security technology and hands-on demonstrations of products and services that are potential solutions to many network and computer security problems.

Wednesday - Friday -----Research and Development Demonstrations -----Room 347-348

As a follow-up to "INFOSEC Research and Technology, Facing the Challenge: Secure Network Technology for the 21st Century," the National Security Agency will demonstrate some of the techniques coming down the future trails. Conference attendees are invited to see the demonstration of future solutions to the 21st Century challenges.

Tuesday - Friday ------European Community ------Registration Area

The Information Technology Security Evaluation Facilities (ITSEF) in Europe and the European Certification Bodies invite the attendees to learn about the European system of security product evaluations and will demonstrate the product evaluation methodology.

Tuesday - Friday -----NIST Clearinghouse -----Room 347-348

A wide variety of information security material is available to federal agencies and to the public through the NIST Clearinghouse. Information posted to this system includes an events calendar, computer-based training, software reviews, publications, bibliographies, lists of organizations with points of contact, and other government bulletin board numbers and WWW pointers.


Tuesday - Friday -----NSA INFOSEC Awareness Booth ------Registration Area

The booth offers a variety of INFOSEC publications most frequently requested by users, developers, operators, and administrators of products and services. Publications available include the INFOSEC Products and Services Catalog and the National Computer Security Center's computer security technical guidelines -- the RAINBOW Series. The National Cryptologic Museum is also represented at this booth.

Tuesday - Friday ------DOCKMASTER I ------Room 347-348

The National Computer Security Center, DOCKMASTER I, is a focal point for nationwide dissemination and exchange of information security data through electronic mail and bulletin boards. Over 2,000 users from federal government, private companies, and academic institutions participate in its electronic forums and retrieve data on INFOSEC products, conferences, and training.

Tuesday - Friday ------Information Systems Security Association Booth ------Registration Area

The Information Systems Security Association (ISSA) is an international association of information security practitioners whose aim is to enhance professionalism through education, information exchange, and sharing among those who do INFOSEC day-to-day. The booth contains newsletters, resource guides, Guidelines for Information Valuation, and the Draft of "Generally Accepted System Security Principles."

Tuesday - Friday ------NIST Publication Booth --------Registration Area

NIST's Publication Booth will distribute information and publications on a variety of information systems security issues, including the latest issues of the CSL Bulletin. Each bulletin discusses a relevant information security topic in depth. A catalog of our current publications will also be available, as well as instructions for accessing our Computer Security Resource Clearinghouse electronically.

Tuesday - Thursday -------Book Exhibition --------Registration Area

A book exhibit display representing selections from leading worldwide publishers dealing specifically with information security is presented by: Association Book Exhibit, 693 S. Washington Street, Alexandria, VA 22314

Wednesday - Thursday ---Establishing an Enterprise Virus Response Program ----Laboratory Room 330

MITRETEK Systems is providing a hands-on demonstration of tools discussed in the overview session for "Establishing an Enterprise Virus Response Program." The Enterprise Virus Response is designed to help the organization develop a proactive program for the prevention, detection, containment, management, and recovery of computer virus incidents. The workshop will demonstrate the processes needed to prepare for an incident or infection, to detect and contain a virus exposure or infection, to recover from an infection, and to manage the response program.

Friday -----IEEE Data Warehouse Security Workshop -----Room 349-350

The Workshop follows from the two Thursday sessions on Data Warehousing. The output of the workshop should be research directions for future Data Warehousing security solutions. The workshop is co-sponsored by the IEEE Mass Storage Committee and will become a component of the next IEEE Mass Storage Symposium.

General Information

Meeting Site: The conference will be held at the Baltimore Convention Center, 1 West Pratt Street, Baltimore, Maryland, close to the Baltimore Inner Harbor area. The Opening Plenary Session will be held in Ballroom I, on the Ballroom Level (enter the Pratt Street lobby). Registration and information services, and all technical sessions, will be held on the third floor Meeting Room Level and the fourth floor Ballroom Level. The Convention Center is conveniently located close to hotels, major highways, and numerous restaurants, shops, and sightseeing attractions.

Transportation: For those attendees not staying in Baltimore, daily bus service will be provided from the parking lot across from the National Computer Security Center (NCSC) Fanx III, 840 Elkridge Landing Road, Linthicum, MD. The buses will run in a round-robin fashion from the NCSC from 7:00 a.m. to 8:30 a.m. Buses will return to the NCSC at the end of the sessions each day, following the banquet, and periodically throughout the awards reception.

Communications: Messages will be taken for conference attendees between the hours of 8 a.m. and 5 p.m. Tuesday through Thursday, and between the hours of 8 a.m. and 12 noon on Friday. Messages will be posted on a message board adjacent to the Registration/Information Area. Attendees will not be called out of a meeting except for emergencies. The phone numbers for leaving messages will be posted on the message board.

Evaluation Forms: Evaluation forms are provided in your conference folder for your comments. Please leave the completed forms in the boxes provided at the registration area. We thank you in advance for your comments, which help the committee to develop and improve the conference program each year.

Volunteers: If you would like to serve as a referee for the 20th National Information Systems Security Conference being planned for October 1997, please E-MAIL: [email protected] or call (410) 850-0272.

Special Interest Rooms: There will be a limited number of rooms available for special interest discussions ("Birds of a Feather," etc.). These rooms may be reserved in one-hour increments and must not be used for commercial purposes. To reserve a room, please stop at the registration area.

Breaks and Lunches

Coffee service: Provided to all the attendees during registration each morning and at mid-morning and mid-afternoon breaks. Attendees will be free at lunch time to explore the convenient restaurants or other sites near the Convention Center.

On Wednesday, box lunches will be provided to the first 1,500 attendees on a first-come, first-served basis at the AFCEA exhibit in Hall G.

Banquet: The conference banquet will be held on Wednesday, October 23, beginning with a cash bar reception at 6 p.m. and followed by dinner at 7 p.m. The dinner speaker is Kenneth Chenault, Vice Chairman, American Express Co., Inc. A coupon for this event, which may be exchanged for a dinner ticket on a first-come, first-served basis, will be included in each attendee's registration kit.

Awards Ceremony and Reception: On Thursday, October 24, at 2:00 pm in rooms 337-338, awards will be presented to vendors that have successfully developed security product lines that have been approved by the NIST Validation Program or the NCSC Trusted Computer System Evaluation Program. Following the award presentation, conference participants will have an opportunity to learn more about these products as each vendor hosts a display. Awards also will be presented to companies that have participated in Systems Security Engineering Capability Maturity Model (SSE-CMM) pilot appraisals. You are invited to visit the SSE-CMM project display for more information regarding this community-supported initiative. An awards reception will begin at 6 p.m. in the lower lobby. A ticket for the reception will be included in the registration kit of each registered attendee.

Housing: See map of the conference hotels in the area.

20th National Information Systems Security Conference (October 6 - 9, 1997 in Baltimore, MD)
