
National Information Systems Security

U.S.A., Washington, D. C. - November 1, 2001: The National Information Systems Security Conference (aka) NISSC holds special annual conferences where handpicked representatives of top corporate America and top intelligence agencies get together on a variety of subjects relating to industrial modeling information systems and security management. Such a curious intertwining of business leaders channeling and brainstorming directly with intelligence hierarchy officials is absolutely amazing, as shown in detail here.

This think tank of sorts conducts its business intelligence brainstorming in any one of a variety of pre-scheduled meeting places around the World. As an example, one year it may be held at what once was (until 2001) one of the many U.S. National Security Agency (aka) N.S.A. listening posts for the global ECHELON telecommunication satellite surveillance intelligence station at Bad Aibling Station (aka) BAS, located inside the little village of Mietraching, Germany, while the following year it could meet at the Hyatt Regency Hotel & Convention Center in Orlando, Florida.

The National Security Agency (aka) N.S.A., is NISSC's "host" and working participant along with a few "handpicked" American and foreign firms, i.e. I.B.M., FUJITSU, BOEING, SIEMENS, LOCKHEED- firm), to name just a few.

The collective goes over "in detail" what they submitted in their lengthy papers sent ahead of time to the N.S.A. for its review. The N.S.A., with a few sponsored firms, then selects its specific personnel to study the reports these handpicked firms address. Some topics may have an N.S.A. mission need and/or impact, so in almost all instances of these meetings, NSA staff are present. Security is tremendous, to say the least.

The focus on "information system security" - a subject matter the N.S.A. no doubt has already written the book on - gives this co-joint think tank's workshop exercises the time to study how a new information security management system will best serve their future needs.

The prime subject matter's intelligence deals with encryption codes, dictionary standards and methods for using and/or modifying a new form of high-technology information management transference, which is already designed to provide heightened security when handshaking of data occurs over the internet and other means, via satellite system links, for all these firms' current and future information requirements.

EPM - The Software Mastermind Firm

The purpose of EPM TECHNOLOGY, a JOTNE firm based out of Oslo, Norway, is to distribute - with the blessing of the N.S.A. - its form of modularly innovative high-tech data management technology throughout global organizations in a variety of industries.

Specifically, the focus is on EPM Technology's EXPRESS Data Manager (aka) EDM based tools, designed for the many uses of its global multi-user customers' Management Information Systems (aka) M.I.S.

These organizations are now gradually moving away from managing information "on paper" and toward being able to exchange and share huge amounts of data electronically via extremely fast digital formats using computers, which the N.S.A. has an interest in.

EPM's technology creation management system tools enable product data to be effectively managed, exchanged and shared across radically different systems, independent of location, type or network design. It allows access to this data throughout the life cycle of the product and ensures that the information is in a form that can be accessed and interpreted for decades to come.

It is already quick, easy and inexpensive to transfer or access basic, everyday information via Databases, E-Mail, Internet Websites and Intranet.

It is nearly impossible, however, to accurately and reliably exchange, share and manipulate complex, technical data about a product - its design, properties and structures, its development and history, its costs and maintenance, etc. Problems arise because:

1. Different systems are used to design, analyze, manufacture and document a

2. Each system has its own way of representing data;

3. Each group or organization tends to choose its own systems;

4. Systems in use change over time, making some data inaccessible; and,

5. Different hardware and software environments are a fact of computer life.

The ability to efficiently transfer and translate sophisticated product data, independent of hardware and software environments, is now recognized worldwide as the next, natural and vital step in the evolution of product data technology and product information management. This ability is considered essential for effective communication and cooperation, not only within work groups and among colleagues but with customers, suppliers, users and business partners. It is considered absolutely critical if an organization wants to achieve and maintain a competitive advantage well into the 21st century.

EPM sees the 21st century as significant for the deployment of its EDM set of tools for Electronic Commerce and Product Data Technology standards - in particular ISO 10303, the international standard for the representation and exchange of product model data, also known as STEP - and for EXPRESS-compliant products. EXPRESS is a product suite that contains the tools needed to begin implementing the product data technology standards for the 21st century by creating and managing EXPRESS schemata, customizing data models, and establishing product-data databases and archives. EXPRESS products from EPM Technology are available today to meet crucial needs for future success. EDM is modular by design, enabling a firm to mix and match the products and options they want, and to easily expand or update the system as their needs change and as the standard continues to evolve. EDM products are available for UNIX or Microsoft Windows platforms.

EDM is designed to make all product details, not just visual details, available to a
variety of users during all phases of engineering, development, production,
operation and maintenance. Ultimately, the EXPRESS Data Manager helps
transform many business theories into realistic business goals; goals which will
ensure a strategic, competitive edge for projects and companies, large or small:

1. Minimize product life-cycle costs;

2. Provide continuous acquisition and life-cycle support (CALS);

3. Ensure data integrity;

4. Collaborate in virtual or extended enterprises;

5. Shorten product development cycles;

6. Support concurrent product and process development; and,

7. Respond with agility to changing customer needs.

The information handled by the EXPRESS Data Manager is contained in data models rather than in paper-based blueprints or application-specific programs, databases or texts. These models are created and defined in EXPRESS, the information modeling language specified in STEP (ISO 10303-11).

Like other computer languages, EXPRESS has a well-defined syntax, structure and set of language rules. In sharp contrast to other languages, however, in an EXPRESS-based approach to product data the models are totally independent of any underlying implementation tools.

As the foundation for EPM Technology's EDM, EXPRESS makes it possible to link pieces of information that were once isolated from one another by incompatible formats. Together, EXPRESS and the EXPRESS Data Manager make it possible to overcome one of the main obstacles in true business and process integration for the future.

NSA-EDM Cast Of Business Character Interests

A few examples of which EDM character firms might be represented, how they might interact with the N.S.A. when cast for tutorials in an N.S.A. workshop workgroup, and what the specific subject areas of information management security focus might be, can be ascertained by reviewing the minutes of previous meetings and by studying a 1997 NISSC pre-scheduled meeting's itineraries, topics and subject matter along with their chairmen and panelists, as follows:

The Secret and Below Interoperability (aka) SABI Process

Continuing the Discovery of Community Risk

Monday, 1:30 Rooms: ____ - ____

Chairman: Mark Loepker, National Security Agency

Panelists: Curtis Dukes, National Security Agency; Charles Schreiner, National Security Agency; Willard Unkenholz, National Security Agency; Corky Parks, National Security Agency; Dallas Pearson, National Security Agency; Warner Brake, Defense Information Systems Agency.

Topic Chairman and Panelist's Biographies

Mark Loepker: is the Chief, Information Assurance Process Special Project Office, Information Assurance Solutions, National Security Agency. He is responsible for all matters impacting the development, refinement, and implementation of the information assurance solution process. In this capacity, Mr. Loepker leads the Secret and Below Interoperability (SABI) project. He last served with the Command, Control, Communications, and Computer Systems Directorate, U.S. European Command, as Chief, Information Systems Security Division, responsible for all European theater policy and policy enforcement concerning information warfare and communications and computer security. During this tour, he led INFOSEC actions in support of Operation Provide Comfort, Joint Endeavor, and Combined Endeavor (Partnership for Peace).

Curtis Dukes: is the Deputy Chief, Architectures and Applications Division of the Systems and Network Attack Center, National Security Agency. He is responsible for the technical direction of the Intrusion Detection and Enterprise Management System's vulnerability research within the Center. In this capacity, he leads the Joint Vulnerability Assessment Process of the Secret and Below Interoperability (SABI) Initiative. He previously served in an Intelligence Community assignment in the Directorate of Operations, Central Intelligence Agency.

Chuck Schreiner: is the Chief of the Solution Security Analysis Division, National Security Agency, which provides customers with vulnerability analysis and test services to support their local risk decisions. He has held previous positions as NSA Representative to the Pentagon, Technical Director for Fielded Systems, and Deputy Chief of the RF Communications Division.

Willard Unkenholz: is a Technical Director for the System Security Guidance and Evaluation Division, National Security Agency. His current duties involve developing and leading the DoD risk analysis capabilities applied to the Secret and Below Interoperability Initiative.

Corky Parks: is a risk analyst in the System Security Guidance and Evaluation Division, National Security Agency. His areas of interest include the theory and practice of information risk management, and decision theory.

Dallas Pearson: is the Technical Director for Security and Evaluations in National Security Agency's Office of Information Assurance Solutions Deployment and Maintenance. All of Dallas' 29 years at NSA have been in technical roles in COMSEC and INFOSEC. He received a Bachelor of Science in Physics from the University of Southern Mississippi in 1970 and a Master of Science in Systems Engineering from Johns Hopkins University in 1995. He is a co-author of NSA's Information Systems Security Engineering (ISSE) Handbook and teaches an in-house introduction to ISSE course.

Warner Brake: is the Deputy Chief, Information Assurance Implementation Branch of the Information Assurance Program Management Office, Defense Information Systems Agency. He is the senior certification test director and advisor for certification team members, who perform in-depth technical certification testing and compliance validation of DISA pillar, Joint, and NATO programs. He is also responsible for the periodic review and update of DOD Instruction 5200.40, DOD Information Technology Security Connection Approval Process (DITSCAP), and the operation of the Information Assurance Support Environment information desk and website.

Secret and Below Interoperability (aka) SABI, is an Information Assurance initiative mandated by the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD/C3I) and sponsored by the Joint Chiefs of Staff, Command, Control, Communications, and Computer Systems (JS/J6). SABI improves the security posture of all secret and below DoD systems by using a community-based risk acceptance approach. SABI utilizes proven system security engineering to address the risks to the community, and employs mission-oriented risk management in making sound community decisions.

The goal of SABI is to ensure secure secret and below interoperability solutions
for the Warfighter within community-acceptable risks. It is a network-centric
process with procedures to review interconnections and leverage proven solution
reuse. It is founded on information system security engineering (ISSE) principles
whereby information systems security (INFOSEC) is integrated as a part of
systems engineering and systems acquisition processes, strong customer
participation in support of mission needs, and the optimal use of INFOSEC
disciplines to provide security solutions. Documentation implements the DoD
Instruction 5200.40, Defense Information Technology Security Certification and
Accreditation Process (DITSCAP).

The SABI process teams the local site customer with appropriate engineering,
risk, vulnerability, training and programmatic community risk-focused support
necessary to develop the right solution for the customer's SABI requirement.
SABI maintains this community team throughout the system security engineering
process. This strengthens the community risk acceptability of a specific site
solution through continued dialog and participation of all relevant stakeholders.

During the discussion about the current status of the SABI program, the panel will focus on the progress and impact of the National Information Assurance Certification and Accreditation Process (NIACAP), NSTISSI 1000.

Topic Workgroup Meeting Examples

Depicted below are just some examples of how an NISSC topic workgroup itinerary meeting outline might appear, which could also begin with background information, as follows:

National Computer Security Center (aka) NCSC

In 1978, the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (aka) C3I, established the Department of Defense, Computer Security Initiative (aka) CSI, to ensure the widespread availability of trusted Automatic Data Processing (aka) ADP systems for use within the DoD.

In January 1981, the National Computer Security Center (aka) NCSC, was
established and assumed responsibility for the activities of the Initiative. The
NCSC encourages the development of trusted computing system products,
develops computer security standards and guidelines for interested users, and
sponsors basic research in this robust field.

In order to encourage the widespread availability of trusted systems, the NCSC has developed an industry-government relationship, called the Trusted Product Evaluation Program (aka) TPEP. This effort focuses on the technical protection capabilities of commercially produced and supported systems, based on the Department of Defense, Trusted Computer System Evaluation Criteria (aka) TCSEC.

Three (3) important interpretations are used to assist in this program:

1. Trusted Network Interpretation (aka) TNI;

2. Computer Security Subsystem Interpretation (aka) CSSI; and,

3. Trusted Database Interpretation (aka) TDI.

The NCSC also promotes information security education and cooperates with the
National Institute of Standards and Technology (aka) NIST, to provide computer
security assistance to other government departments and agencies.

In support of the above, the NCSC operates a B2 Level Of Trust computer system, i.e. DOCKMASTER, which provides on-line service to the information security [intelligence] community.

NIST built a new Information Technology Laboratory (aka) ITL, in response to the
growing need for measurement and testing technology to support the
development of computing and communications systems that are usable,
scalable, interoperable, and secure. This need has come into sharper focus in
recent years with the national effort to develop an information infrastructure and
to support U. S. Industry in a global information marketplace.

The ITL seeks to enable the usability, scalability, interoperability, and security of information technology through a focus on three (3) areas:

1. Development of tests for human-machine interfaces, software diagnostics and performance, mathematical software, security, and conformance to standards;

2. Collaboration, consulting and operational services for other NIST laboratories in computational sciences and information services; and,

3. Federal government activities, especially security.

Since 1972, NIST has played a vital role in protecting the security and integrity of
information in computer systems in the public and private sectors. The Computer
Security Act of 1987 reaffirmed NIST's leadership role in the federal government
for the protection of unclassified information. NIST assists industry and
government by promoting and supporting better security planning, technology,
awareness, and training. In addition, NIST fosters the development of national
and international standards for security technology and commercial off-the-shelf
(aka) COTS security products.

Finally, NIST has an active, laboratory-based research program in computer and network security with special technical emphasis in cryptography, authentication, public-key infrastructure, internetworking, and security criteria and assurance. NIST also has a special program in support of government key escrow activities.

On October 24, 2001 a conference was held at the Hyatt Regency and the
itinerary was scheduled as follows:

Track A--Criteria & Assurance--Ballroom 2

PANEL: Trust Technology Assessment Program (aka) TTAP (643)

Chairman: T. Anderson, National Security Agency

Panelists: P. Toth, N.I.S.T. (644); TTAP Working Group Members

This panel will focus on the progress of the TTAP initiative including the lessons
learned from the prototype effort to validate the process, procedures, and
documentation to support the program in a commercial environment.

Track B--Electronic Commerce--Ballroom 3

PANEL: Using Security to Meet Business Needs - An Integrated View From the
United Kingdom (677)

Chairman: A. McIntosh, PC Security, Ltd.

Panelists: D. Brewer, Gamma Secure Systems, Ltd. (679); N. Hickson, Department of Trade & Industry (682); D. Anderton, Barclays Bank PLC (684); J. Hodsdon, CESG (685); M. Stubbings, Government Communications Headquarters (aka) G.C.H.Q. [ British agency equivalent to the U.S. National Security Agency (NSA) ], UK (686)

This panel discusses the use of risk management techniques in the identification,
accreditation, and maintenance of appropriate security profiles for single
organization systems dispersed across a wide range of sites.

Track C--In Depth--Room: ___ - ___

Best of the New Security Paradigms Workshop

Chairman: T. Haigh, Secure Computing Corporation (693)

Panelists: R. Blakely, International Business Machines (694); S. Greenwald, Naval Research Laboratory (698); S. Janson, Swedish Institute of Computer Science, Sweden (701); W. Wulf, University of Virginia (704)

This year's workshop focuses on the need to identify new approaches for proving
security in very heterogenous, highly internetworked environments.

Track D--Internet--Ballroom 1

Chair: C. Bythewood, NCSC

Introduction to Infowarfare Terminology (718): F. Bondoc, Klein & Stump

This overview is aimed at the newcomer to Information Warfare (aka) IW, and introduces the terminology, threats and countermeasures of IW.

Track E--Legal Perspectives--Ballroom 4

Legal Issues for the User

Chairman: Special Agent John Lewis, United States Secret Service

Intellectual Property Rights and Computer Software (296): D. Bowman, University of Maryland

Case Study of Industrial Espionage Through Social Engineering (306): I. Winkler, National Computer Security Association

Legal Aspects of Ice-Pick Testing (313): B. Gabrielson, Department of the Navy

Track F--Management & Administration--Room: ___ - ___

PANEL: Ethical and Responsible Behavior for Children to Senior Citizens in the
Information Age - Community Responsibilities

Chairman: J. Lisi, National Security Agency

Panelists: R. Koenig, ISC2; G. Warshawsky, International Community Interconnected Computing eXchange

Track G--Research & Development--Room: ___ - ___

PANEL: Database Systems Today - Safe Information at My Fingertips? (842)

Chairman: J. Campbell, National Security Agency

Panelists: T. Ehrsam, Oracle; R. O'Brien, SCC; T. Parenty, Sybase; J. Worthington, Informix Software Company; Lt. Colonel Pointdexter, D.I.S.A.; S. Sahni, 3S Group Incorporated

This panel will address distributed and web database system security issues and

Track H--Solutions--Room 343-344

Future Activities

Chairman: J. Tippett, National Security Agency

Computer Virus Response Using Autonomous Agent Technology (471): C. Trently, MITRETEK Systems

Security Across the Curriculum - Using Computer Security to Teach Computer Science Principles (483): Major General White, USAF Academy

U.S. Government Wide Incident Response Capability (489): M. Swanson, NIST

Track I--Tutorials--Room 327-328

Introduction to Information System Security: L. Smith and D. Strickland, National Cryptologic School

This tutorial will use an interactive computer-based training course to present the
basics of information system security (INFOSEC). The course is composed of
five instructional units: information systems overview, threats, INFOSEC
solutions, INFOSEC techniques, and risks management.

A CD-ROM with this and other courses will be provided to attendees.

Tuesday, October 22nd -- 4:00 P.M. - 6:00 P.M.

Track A--Criteria & Assurance--Ballroom 2

Gaining Assurance though Evaluations

Chairman: H. Holm, National Security Agency

E4 ITSEC Evaluation of PR/SM on ES/9000 Processors (1): R. Nasser, International Business Machines

A High-Performance Hardware-Based High Assurance Trusted Windowing System (12): J. Epstein, Cordant, Inc.

WWW Technology in the Formal Evaluation of Trusted Systems (22): E. McCauley, Silicon Graphics, Inc.

Track B--Electronic Commerce--Ballroom 3

Electronic Commerce: International Security

Chairman: V. Gibson, Computer Science Corporation

EDI Moves from the VAN to the Internet (98): B. Bradford, University of Maryland

An International Standard for the Labeling of Digital Products (109): V. Hampel, Hampel Consulting

The Business-LED Accreditor - OR...How to Take Risks and Survive (123): M. Stubbings, Government Communications Headquarters (aka) G.C.H.Q., UK

Integration of Digital Signatures into the European Business Register (131): H. Kurth, Industrieanlagen-Betriebsgesellschaft mbH (IABG), Germany

Track C--In Depth--Room 349-350

Best of the New Security Paradigms Workshop (continued from 2:00) (693)

Chairman: T. Haigh, Secure Computing Corporation

Panelists: R. Blakely, International Business Machines (694); S. Greenwald, Naval Research Laboratory (698); S. Janson, Swedish Institute of Computer Science, Sweden (701); W. Wulf, University of Virginia (704)

This year's workshop focuses on the need to identify new approaches for proving
security in very heterogenous, highly internetworked environments.

Track D--Internet--Ballroom 1

Information Warfare: Real Threats, Definition Changes, and Science Fiction

Chairman: W. Madsen, Computer Sciences Corporation

Panelists: M. Hill, Office of the Assistant Secretary of Defense C3/Information Warfare; F. Tompkins, Science Applications International Corporation; S. Shane, The Baltimore Sun; J. Stanton, Journal of Technology Transfer

This panel will discuss the Information Warfare scenario, which has received a great deal of attention from national security planners, legislators, the military, intelligence agencies, the media, and industry.

Track E--Legal Perspectives--Ballroom 4

PANEL: Electronic Data: Privacy, Security, Confidentiality Issues

Chairman: K. Blair, Esq., Duvall, Harrington, Hale and Hassan (740)

Panelists: The Honorable L. Alden, Judge, Fairfax County Circuit Court (741); S.
Mandell, Esq., The Mandell Law Firm (749); R. Palenski, Esq., Gordon and
Glickson, P.C. (749); S. Ray, Esq., Kruchko & Fries (800)

This panel will discuss how the legal system is dealing with crimes involving the
use of computers. Because computers are relatively new in the world of
established criminal law, many of the illegal events associated with the use of
computers did not come with definitions established by legislation or case law.

Track F--Management & Administration--Room 341-342

New Workplace Paradigms for Security

Chairman: C. Hash, National Security Agency

Security Through Process Management (323): J. Bayuk, Price Waterhouse

Malicious Data and System Security (334): O. Sibert, Oxford Systems, Inc.

Security Issues for Telecommuting (342): L. Carnahan, NIST

Track G--Research & Development--Room 345-346

Webware: Nightmare or Dream Come True? (844)

Chairman: P. Neumann, SRI International

Panelists: S. Bellovin, AT&T Laboratories (845); E. Felten, Princeton University (846); P. Karger, International Business Machines (847); J. Roskind, Netscape

This panel will discuss the risks involved in the open-ended security problem introduced by world-wide web browsers and programming languages such as Java and JavaScript, as well as other languages with similar problems - such as ActiveX, Microsoft WORD macros, and PostScript. Specific attention will be spent on how to intelligently succeed.

Track H--Solutions--Room: ___ - ___

PANEL: Information Systems Security Research Joint Technology Office

Chairman: R. Schaeffer, National Security Agency

Panelists: T. Lunt and H. Frank, Defense Advanced Research Projects Agency (aka) DARPA; R. Meushaw, National Security Agency

This panel will discuss its successes since the first (1st) year of this joint
partnership to develop and integrate security technology. The partnership will
maximize security solutions for building the DII & NII.

Track I--Tutorials--Room 327-328

Trusted Systems Concepts: C. Abzug, Institute for Computer and Information

This tutorial focuses on the fundamental concepts and terminology of trust
technology. It includes descriptions of the Trusted Computer System Evaluation
Criteria (TCSEC) classes, how the classes differ, and how to determine the
appropriate class for your operation environment.

Wednesday, October 23rd -- 8:30 A.M. - 10:00 A.M.

Track A--Criteria & Assurance--Ballroom 2

PANEL: Alternative Assurance: There's Gotta Be a Better Way! (644)*

Chairman: D. Landoll, ARCA Systems, Inc.

Panelists: J. Adams, NSA; Speaker TBD, WITAT System Analysis & Operational
Assurance Subgroup Chair; M. Abrams, The MITRE Organization, WITAT Impact
Mitigation Subgroup Chair; Speaker TBD, WITAT Determining Assurance Mix
Subgroup Chair

A Workshop report about the evolving development of practical solutions for business and industry in need of confidence in their information systems.

Track B--Electronic Commerce--Ballroom 3

Information Security - Transforming the Global Marketplace: D. Gary, Booz-Allen & Hamilton

Panelists: J. M. Anderson, Morgan Stanley; K. Panker, American Bankers Association; P. Freund, CertCo

Technology resources are means to achieve organizational goals --- not solutions in their own right. New dimensions of commercial interchange in a highly networked marketplace will be discussed.

Track C--In Depth--Room 349-350

Public Key Infrastructure: From Theory to Implementation

Public Key Infrastructure Technology (707)

Chairman: D. Dodson, NIST

Panelists: R. Housley, Spyrus; C. Martin, Government Accounting Office; W. Polk, NIST; S. Chokani, Cygnacom Solutions, Inc.; V. Hampel, Hampel Consulting; W. Ford, Independent Consultant

This panel will familiarize the audience with PKI standards, interoperability
solutions, and implementation issues. This session will concentrate on technical
specifications and standards; the session that follows will review lessons learned
during implementation of existing PKIs.

Track D--Internet--Ballroom 1

Security in World Wide Web Browsers - More than Visa cards? (737)

Chairman: R. Dobry, N.S.A.

Panelists: C. Kolcun, Microsoft; B. Atkins, NSA; K. Rowe, NCSA; Speaker TBD,

This panel will discuss the security problems and solutions required to handle
electronic commerce via the Internet.

Track E--Legal Perspectives--Ballroom 4

Computer Crime on the Internet - Sources and Methods (817)

Chairman: C. Axsmith, The Orkand Corporation

Panelists: Special Agent M. Pollitt, Federal Bureau of Investigation (F.B.I.); P. Reitinger, Esq., Department of Justice; B. Fraser, CERT, Carnegie Mellon

This panel will discuss some case studies of system break-ins, what information
system administrators should focus on saving for the evidentiary trail, and some
resources available to the system administrator should a break-in be attempted.

Track F--Management & Administration--Room 341-342

Current Challenges in Computer Security Program Management (828)

Chairman: M. Wilson, NIST

Panelists: L. McNulty, McNulty and Associates; P. Connelly, White House
Communications Agency; A. Miller, Fleet and Industrial Supply Center; B.
Gutmann, NIST

This panel will discuss managing a computer security program in light of budget
constraints, reorganizing and downsizing, and the continuous decentralization of
ever increasing complex computing and communications environments.

Track G--Research & Development--Room 345-346

Availability Policies: The Forgotten INFOSEC Pillar

Chairman: V. Gligor, University of Maryland

Panelists: H. Hosmer, Data Security, Inc.; J. Millen, The MITRE Corporation; R. Nelson, Information System Security; M. Reiter, AT&T

This panel will discuss various kinds of availability policies, highlighting impact
assumptions and potential conflicts with other kinds of security policies.

Track H--Solutions--Room 343-344

Security Management Infrastructure Deployment and Operations (871)

Chairman: A. Arsenault, N.S.A.

Panelists: D. Heckman, NSA; S. Capps, NSA; S. Hunt, NSA

This panel will focus on lessons learned from the deployment of MISSI security
management infrastructure at NSA and GSA.

Track I--Tutorials--Room 327-328

OS Security: M. Weidner, ARCA Systems

This tutorial focuses on security issues for commercial operating systems. Topics include common vulnerabilities, security services, and potential safeguards. Specific capabilities of several commercially available operating systems will be

Wednesday, October 23rd -- 10:30 A.M. - 12:00 Noon

Track A--Criteria & Assurance--Ballroom 2

Current Perspective on Strategies for the (646) Certification & Accreditation

Chairman: B. Stauffer, CORBETT Technologies, Inc. (653)

Panelists: P. Wisniewski, NSA (647); C. Stark, Computer Science Corporation (648); R. Snouffer, NIST (652); J. Eller, DISA, CISS (ISBEC) (646)

The Certification of the Interim Key Escrow System (26): R. Snouffer, NIST

Track B--Electronic Commerce--Ballroom 3

Security APIs: CAPIs and Beyond (687)

Chairman: A. Reiss, N.S.A.

Panelists: J. Centafont, NSA; Speaker TBD, Microsoft; L. Dobranski, Communications Security Establishment (aka) C.S.E., Canada; D. Balenson, Trusted Information Systems, Inc.

The panelists will discuss Cryptographic Application Program Interfaces, FORTEZZA, Public Key Infrastructures, the International Cryptography Experiment, and the Microsoft Internet Security Framework.

NIST Proposal for a Generic Authentication Module Interface: J. Dray, NIST

Track C-In Depth--Room 349-350


Public Key Infrastructure: From Theory to Implementation (continued from 8:30)


Public Key Infrastructure Implementations

Chairman: W. Polk, NIST

Panelists: P. Edfors, Government Information Technology Services (GITS) Board; D. Heckman, NSA; D. Dodson, NIST; J. Galvin, CommerceNet; W. Redden, Communications Security Establishment (aka) C.S.E.; R. Kemp, General Services Administration SI-PMO

Track D--Internet--Ballroom 1


Chairman: M. Schaffer, ARCA Systems

Secure Business on the Internet: Looking Ahead with Electronic Data Interchange: D. Federman, Premenos

The speaker will discuss the history of Electronic Data Interchange and how
today's marketplace on the Internet needs cost effective and secure business
solutions to function over the World Wide Web.

Track E--Legal Perspectives--Ballroom 4


Legal Liability for Information System Security Compliance Failures - New Recipes for Electronic Sachertorte Algorithms (818)

Chairman: F. Smith, Esq., Private Practice, Santa Fe, New Mexico

Panelists: J. Montjoy, BBN Corporation; E. Tenner, Princeton University; D. Loundy, Esq., Private Practice, Highland Park, Illinois

This panel will discuss the liabilities associated with the increased expansion of
increasingly complex computer networks and associated services.

Track F--Management & Administration--Room 341-342


Achieving Vulnerability Data Sharing (830)*

Chairman: L. Carnahan, NIST

Panelists: M. Bishop, University of California, Davis, CA.; J. Ellis, CERT, Carnegie Mellon University; I. Krsul, COAST Laboratory, Purdue University

This panel will discuss security issues to be addressed when building a data
repository that will be shared by different communities of interest.

Track G--Research & Development--Room 345-346


Secure Systems and Access Control (851)

Chairman: T. Lunt, Defense Advanced Research Projects Agency (DARPA)

Panelists: D. Sterne, Trusted Information Systems, Inc. (852); R. Thomas, ORA (854); M. Zurko, OSF (855); J. Lepreau, University of Utah (857); J. Rushby, SRI

The panelists will discuss their respective security programs.

Track H--Solutions--Room 343-344

Future of Trust in Commercial Operating Systems (872)

Chairman: T. Inskeep, NSA

Panelists: K. Moss, Microsoft; J. Alexander, Sun Microsystems; J. Spencer, Data General; M. Branstad, Trusted Information Systems, Inc.; G. Liddle, Hewlett

This panel will discuss where assurance and functionality in commercial systems
are going.

Track I--Tutorials--Room 327-328

Network Security: J. Wool, ARCA Systems

This tutorial focuses on basic issues in network security and gives an overview of
the implementing process. Topics include network security concerns and
services, vendor qualification issues, system composition and interconnection,
and cascading.

Wednesday, October 23rd---------12:45 p.m. -- 1:45 p.m.

Midday Seminar--Room 327-328

War Stories

Speaker: James P. Anderson, J. P. Anderson & Co.

Wednesday, October 23rd-----------2:00 P.M. -- 3:30 P.M.

Track A--Criteria & Assurance--Ballroom 2


Firewall Testing and Rating (655)

Chairman: J. Wack, NIST

Panelists: I. Winkler, National Computer Security Association; K. Dolan, NSA; J. McGowen, National Computer Security Association; C. Costack, Computer Science Corporation

This panel will discuss whether firewalls can be effectively rated, what the rating
criteria are, which characteristics of firewalls don't lend themselves to rating, and
how well rating and testing actually work.

Track B--Electronic Commerce--Ballroom 3


Are Cryptosystems Really Unbreakable? (691)

Chairman: D. Denning, Georgetown University

Panelists: S. Bellovin, AT&T Research; P. Kocher, Independent Cryptography Consultant; A. Lenstra, Citibank (692); E. Thompson, AccessData Corporation

The panelists will explore the strengths of existing cryptosystems in terms of potential weaknesses in algorithms, protocols, implementation, and application

Track C--In Depth--Room 349-350

Chairman: T. Zmudzinski, Defense Information Systems Agency

Establishing an Enterprise Virus Response Program (709): C. Trently, MITRETEK Systems; Laboratory Assistants: E. Hawthorn, MITRETEK Systems; D. Black, MITRETEK Systems

The speakers will provide practical information that can be used to understand
the virus threat; institute low cost preventative mechanisms; develop and
implement enterprise response mechanisms, including when to contact the
experts; and monitor the effectiveness of the tools and program within the
enterprise. Thirty attendees will be able to get hands-on practice in the lab in
Room 330 during Part 2 of the lecture.

This In-depth tutorial will be repeated at 8:30 a.m. on Thursday.

Track D--Internet--Ballroom 1

Security Issues in a Networked Environment

Chairman: D. Branstad, Trusted Information Systems, Inc.

The Advanced Intelligent Network -- A Security Opportunity (221): T. Casey, Jr., GTE Laboratories, Inc.

Security Issues in Emerging High Speed Networks (233): V. Varadharajan, University of Western Sydney, Australia

A Case Study of Evaluating Security in an Open Systems Environment (250): D. Tobat, TASC

Track E--Legal Perspectives--Ballroom 4


The Next Generation of Cyber Criminals

Chairman: M. Gembicki, WARROOM RESEARCH LLC.

Panelists: J. Christie, AFOSI; K. Geide, Federal Bureau of Investigation (FBI); D. Waller, Time Magazine

The panelists will address cybercrime issues and how they affect legal competitive
intelligence, the National Information Infrastructure, information warriors, and the
commercial business environment. Examples ranging from traditional organized crime
elements to individual "Cyber-Terrorists", as well as proposed changes in
Government strategies, will be presented.

Track F--Management & Administration--Room 341-342


Incident Handling Policy, Procedures, and Tools (831)

Chairman: M. Swanson, NIST

Panelists: K. Cooper, BBN Planet; T. Longstaff, Computer Emergency Response Team; P. Richards, Westinghouse Savannah River Company; K. van Wyk, Science Applications International Corporation (SAIC)

The panelists will discuss the incident handling policies and procedures that have
been implemented within their own organizations. They will also discuss a new
methodology that system administrators can use for characterizing network
security tools.

Track G--Research & Development--Room 345-346

Network Attacks, Protections, and Vulnerabilities

Chairman: W. Murray, Deloitte & Touche

An Isolated Network for Research (349): M. Bishop, University of California, Davis, CA.

GrIDS-A Graph-Based Intrusion Detection System for Large Networks (361): S. Staniford-Chen, University of California, Davis, CA.

Attack Class - Address Spoofing (371): T. Heberlein, University of California, Davis, CA.

Track H--Solutions--Room 343-344


Vendors Experience with Security Evaluations (873)

Chairman: J. DeMello, Oracle Corporation

Panelists: J. Caywood, Digital Equipment Corporation (DEC); D. Harris, Oracle Corporation (874); K. Moss, Microsoft Corporation (876); I. Prickett, Sun Microsystems (877)

This panel will discuss their experiences in achieving successful evaluations, identifying what has worked well for them, and not-so-well, in the process.

Track I--Tutorials--Room 327-328

Database Security: W. Wilson, Arca Systems

This tutorial focuses on database security issues from the standpoint of using
database management systems to meet the organization's security requirements.
Topics include data security requirements, vulnerabilities, database design
considerations, and implementation issues.

Wednesday, October 23rd----------4:00 P.M. -- 6:00 P.M.

Track A--Criteria & Assurance--Ballroom 2


The Trusted Product Evaluation Program: Direction for the Future (656)

Chairman: J. Pedersen, N.S.A.

Representatives from various initiatives within the Trusted Product Evaluation Program will discuss the overall strategy for the future of TPEP, including specific steps for moving the program to a new evaluation criteria, mechanisms for commercial advice to vendors, and new types of products which will be

Track B--Electronic Commerce--Ballroom 3

Information Security in the Business World

Chairman: N. Pantiuk, IIT Research Institute

Industrial Espionage Today and Information Wars of Tomorrow (139): P. Joyal,

B is for Business - Mandatory Security Criteria & the OECD Guidelines for
Information Systems Security (152): W. Caelli, Queensland University of
Technology, Australia

Marketing & Implementing Computer Security (163): M. Wilson, NIST

Secure Internet Commerce - Design and Implementation of the Security Architecture of Security First Network Bank, FSB (173): N. Hammond, NJH Security Consulting, Inc.

Track C--In Depth--Room 349-350

Concerns in the Cryptographic Arenas

Chairman: P. Woodie, NSA

Automatic Formal Analyses of Cryptographic Protocols (181): S. Brackin, ARCA Systems, Inc.

Surmounting the Effects of Lossy Compression on Steganography (194): C. Irvine, Naval Postgraduate School

Key Escrowing Systems and Limited One Way Functions (202): W. T. Jennings,

The Keys to a Reliable Escrow Agreement (215): R. Sheffield, Fort Knox Escrow Services, Inc.

Track D--Internet--Ballroom 1

WWW: The Case for Having a Security Policy and Measuring It

Chairman: R. Wood, National Cryptologic School

Internet Firewalls Policy Development and Technology Choices (259): L. D'Alotto, GTE Laboratories

A Case for Avoiding Security-Enhanced HTTP Tools to Improve Security for Web
Based Applications (267): B. Wood, Sandia National Laboratories

Applying the Eight Stage Risk Assessment Methodology to Firewalls (276): D. Drake, Science Applications International Corporation

Lessons Learned: An Examination of Cryptographic Security Services in a Federal Automated Information System (288): J. Foti, NIST

Track E--Legal Perspectives--Ballroom 4


Legal Aspects of the Internet - Rights and Obligations of Users and Vendors

Chairman: C. Castagnoli, Esq., Haystack Labs

Panelists: C. Merrill, Esq., Carter & English; M. Lemley, Esq., Professor of Law,
University of Texas; M. Godwin, Esq., Electronic Frontier Foundation

The panelists will discuss digital signatures, on-line contracting and the liability
issues for the operator and the user.

Track F--Management & Administration--Room 341-342


Interdisciplinary Perspectives on INFOSEC: Mandatory Reporting (833)

Chairman: M. Kabay, National Computer Security Association

Panelists: B. Butterworth, Federal Aviation Administration; B. Smith Jacobs, Securities and Exchange Commission (SEC); R. Whitmore, Occupational Health and Safety Administration (OSHA); S. Wetterhall, Centers for Disease Control and Prevention

This panel will discuss their experiences from other disciplines with mandatory
reporting of security incidents and accidents, with an eye to avoiding known
pitfalls and benefiting from their years of experience.

Track G--Research & Development--Room 345-346


Facing the Challenge: Secure Network Technology for the 21st Century (867)

Chairman: R. Schaeffer, NSA

Panelists: R. Meushaw, NSA; C. McBride, NSA; D. Muzzy, NSA; B. Burnham,


This panel discusses current initiatives and collaborations within the research
communities in government, industry, and academia. Additionally, room 347-348
is set up to demonstrate examples of core technologies to include Token
Technology, Voice Verification, Real-time Encrypted Voice, Firewalls, Secure
Wireless Communications, and others.

Track H--Solutions--Room 343-344

Security with COTS (Commercial-Off-The-Shelf) Products

Chairman: S. Kougoures, N.S.A.

MLS DBMS Interoperability Study (495): R. Burns, ESC/ENS

MISSI Compliance for Commercial-Off-The-Shelf Firewalls (505): M. Hale, NSA

Designing & Operating a Multilevel Security Network Using Standard Commercial Products (515): M. McGregor, Air Force C4 Technology Validation Office

Track I--Tutorials--Room 327-328

Information Systems Security Officer's Challenges: C. Breissinger, Department of Defense Security Institute

This tutorial focuses on the continued protection and accreditation of operational information systems. Topics include: virus prevention and eradication; access control evaluation and configuration; media clearing and purging; intrusion detection and handling; and dealing with risk.

Thursday, October 24th-----------------8:30 A.M. -- 10:00 A.M.

Track A--Criteria & Assurance--Ballroom 2


Common Criteria Project Implementation Status (657)

Chairman: L. Ambuel, BDM International

Panelists: M. Donaldson, Communications-Electronics Security Group, UK; R. Harland, Communications Security Establishment (aka) C.S.E., Canada; K. Keus, BSI/GISA, Germany; F. Mulder, Netherlands National Communications Security Agency; J. Smith, Gamma Secure Systems, UK

The panelists will discuss the Common Criteria trial version's structure and
content, the status and results to date of the trial-use and implementation
activities, the planned future of the project, and the expected impact of all this
work on US and international IT security communities.

Track B--Electronic Commerce--Ballroom 3


Security Concerns in the Private Sector - Banking: S. Ross, Deloitte & Touche

Track C--In Depth--Room 349-350


Chairman: S. Lipner, Trusted Information Systems, Inc.

Establishing an Enterprise Virus Response Program (709): C. Trently, MITRETEK Systems; Laboratory Assistants: E. Hawthorn, MITRETEK Systems; D. Black, MITRETEK Systems

The speakers will provide practical information that can be used to understand
the virus threat; institute low cost preventative mechanisms; develop and
implement enterprise response mechanisms, including when to contact the
experts; and monitor the effectiveness of the tools and program within the
enterprise. Thirty attendees will be able to get hands-on practice in the lab in
Room 330 during part 2 of the lecture.

This In Depth tutorial is a live encore presentation from Wednesday at 2:00.

Track D--Internet--Ballroom 1


Secure Use of the World Wide Web: Moving From Sandbox to Infrastructure

Chairman: R. Bagwill, NIST

Panelists: J. Pescatore, IDC Government; S. Smaha

This panel will explore the current state of practice in WWW security practices
and standards, and provide predictions for the evolution of these security
services in the commercial environment.

Track E--Legal Perspectives--Ballroom 4


V-Chip: Policies and Technology (822)

Chairman: H. Hosmer, Data Security, Inc.

Panelists: D. Moulton, Esq., Chief of Staff, Office of Congressman Markey, HR;
D. Brody, MD, American Academy of Child and Adolescent Psychiatry; S.
Goering, Esq., American Civil Liberties Union; W. Diffie, Sun Microsystems

This panel will address a variety of legal and technical issues concerning the V-
chip, a hardware device inserted into new televisions which can identify labels
attached to movies, etc.

Track F--Management & Administration--Room 341-342


Industrial Espionage Today and Information Wars of Tomorrow

Chairman: P. Joyal, Interger, Inc.

Panelists: Ret. Major General O. Kalugin, Russia; S. Baker, Esq.; M. Lajman, Author on French Intelligence; E. O'Malley, retired F.B.I.

This panel will discuss the perspectives of Industrial Espionage as the focus of a
multi-national problem which affects everyone.

Track G--Research & Development--Room 345-346

Implementations of the Security Policy

Chairman: D. Gambel, General Research Corporation

Generic Model Interpretations: POSIX.1 and SQL (378): D. Elliott Bell,

The Privilege Control Table Toolkit: An Implementation of the System Build
Approach (389): T. Woodall, Hughes Aircraft Company

Use of the Zachman Architecture for Security Engineering (398): R. Henning, Harris Corporation

Track H--Solutions--Room 343-344

New Test Methodologies

Chairman: R. Lau, N.S.A.

Real World Anti-Virus Product Reviews and Evaluation - The Current State of
Affairs (526): S. Gordon, Command Systems, Inc.

Security Proof of Concept Keystone (SPOCK) (539): J. McGehee, COACT, Inc.

Use of a Taxonomy of Security Faults (551): I. Krsul, Coast Laboratory, Purdue


Track I--Tutorials--Room 327-328

Information Systems Security Engineering: P. Boudra, NSA; D. Pearson, NSA

Thursday, October 24th-----------10:30 A.M. -- 12:00 Noon

Track A--Criteria & Assurance--Ballroom 2

Views of Assurances

Chairman: D. Kinch, N.S.A.

Configuration Management in Security related Software Engineering Processes (34): K. Keus, Bundesamt für Sicherheit in der Informationstechnik, Germany

The Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) (46): B. Stauffer, CORBETT Technologies, Inc.

Trusted Process Classes (54): W. Steffan, Tracor Applied Science, Inc.

Track B--Electronic Commerce--Ballroom 3


Security Concerns in the Private Sector: Brokerage: D. Gary, Booz-Allen &


Track C--In Depth--Room 349-350


Information Security Policy: There has to be a Better Way

Chairman: J. Pescatore, Trusted Information Systems, Inc.

Panelists: K. Kasprzak, Maryland Bancorp; S. Smaha, Haystack Labs; R. Stratton, Wheelgroup Inc.

The panelists will discuss new ideas for transforming organizational needs into
security controls and policies.

Track D--Internet--Ballroom 1


Attack/Defense (738)

Chairman: J. David, The Fortress

Panelists: S. Bellovin, AT&T; W. Cheswick, AT&T; P. Peterson, Lockheed-Martin; M. Ranum, V-One

The panel will discuss how the role of the Internet security practitioner has
changed. Keeping the bad guys out is no longer the prime goal of security;
rather, it is the prompt and accurate identification of intrusions (or, preferably, intrusion
attempts) and minimizing the damage. This session examines these "popular"
attacks and presents ways to effectively defend your site against them.

Track E--Legal Perspectives--Ballroom 4


Protecting Medical Records and Health Information (824)

Chairman: J. Winston, Trusted Information Systems, Inc.

Panelists: G. Belles, VA Medical Information Security Service; B. Braithwaite, US Department of Health and Human Services*; P. Bruening, Information Policy Consultant; P. Taylor, US General Accounting Office

This panel will examine the technical, policy, and legal issues involved in
establishing and implementing appropriate protections for patient medical
records and other types of health information.

Track F--Management & Administration--Room 341-342


International Perspectives on Cryptography Policy (835)

Chairman: D. Denning, Georgetown University

Panelists: P. Ford, Attorney General's Office, Australia; D. Herson, Commission of the European Communities, Belgium; N. Hickson, Department of Trade and Industry, UK

Panelists from outside the United States will discuss their views on cryptography
policy and national and international proposals and initiatives.

Track G--Research & Development--Room 345-346

Mechanisms in Understanding Security

Chairman: H. Weiss, SPARTA, Inc.

Developing Secure Objects (410): D. Frincke, University of Idaho

Deriving Security Requirements for Applications on Trusted Systems (420): R. Spencer, Secure Computing Corporation

Security Implications of the Choice of Distributed Database Management Systems Model: Relational vs. Object-Oriented: S. Coy, University of Maryland

Track H--Solutions--Room 343-344

Defenses in Networks

Chairman: M. Woodcock, National Cryptologic School

Protecting Collaboration (561): G. Wiederhold, Stanford University

Design and Management of A Secure Networked Administration System: A Practical Solution (570): Prof. V. Varadharajan, University of Western Sydney,

Information Warfare - INFOSEC and Dynamic Information Defense (581): V. Winkler, PRC Inc.

Track I--Tutorials--Room 327-328

Systems Security Engineering Capability Maturity Model: K. Ferraiolo, ARCA


A capability maturity model (CMM) has been developed to help organizations improve their security engineering capability. This tutorial will describe the model, why it was developed, how it is being used, and plans for its use in the future.

Thursday, October 24th----------12:45 P.M. -- 1:45 P.M.

Midday Seminar--Room 343-344


Security Protocols/Protocol Security

Chairman: D. Maughan, N.S.A.

Panelists: TBD

This panel will discuss why standards and protocols are needed for the increased
use of the Internet by personal as well as business ventures.

Thursday, October 24th --------------2:00 P.M. -- 3:30 P.M.

Track A--Criteria & Assurance--Ballroom 2

Evolution of Criteria Requirements and User Needs

Chairman: J. Arnold, Science Applications International Corporation

Design Analysis in Evaluations Against the TCSEC C2 Criteria (67): D. Bodeau, The MITRE Corporation

System Security Engineering Capability Maturity Model and Evaluations - Partners within the Assurance Framework (76): C. Menk III, NSA

Applying the TCSEC Guidelines in a Real-Time Embedded System Environment (89): D. Frincke, University of Idaho

Track B--Electronic Commerce--Ballroom 3


Security Concerns in the Private Sector - Communications: J. Klein, Wizards


Track C--In Depth--Room 349-350


Data Warehousing I: An Introduction to Data Warehousing, Data Mining and Security (711)

Chairman: J. Campbell, N.S.A.

Panelists: B. Thuraisingham, The MITRE Corporation; J. Worthington, Informix Software, Inc.; P. Lambert, Oracle Corporation

These sessions will investigate Data Warehousing from what it is to what are the
security issues associated with it. These sessions will provide a basis for a Friday
afternoon workshop co-sponsored by the IEEE Mass Storage Committee. The
goal of the workshop is to provide direction in future R&D efforts ensuring optimal
security for Data Warehousing and Data Mining environments.

Track D--Internet--Ballroom 1


The Web - What is it? Why/How is it Vulnerable? (739)*

Chairman: J. David, The Fortress

Panelists: J. Freivald, Charter Systems, Inc.; P. Peterson, Lockheed-Martin; D. Dean, Department of Computer Science, Princeton University

The speakers will formally describe what the web is and does, indicate how it differs
from "normal" Internet use, show how it is used in typical/popular operational modes,
and point out the nature and magnitude of its primary vulnerabilities.

Track E--Legal Perspectives--Ballroom 4


Crimes in Cyberspace: Case Studies (827)

Chairman: W. Galkin, Esq., Law Office of William S. Galkin

Panelists: A. Weiner, Esq., Weiner, Astrachan, Gunst, Hillman & Allen; K. Bass,
III, Venable, Baetjer, Howard & Civeletti

The panel will present, discuss, and analyze the legal issues involving several
actual criminal incidents that have occurred in Cyberspace.

Track F--Management & Administration--Room 341-342


Surviving the Year 2000 Time Bomb (839): G. Hammonds, AGCS, Inc.

Panelists: J. White, OAO Corporation; A. Hodyke, ESC/AXS/USAF

This panel will identify the complexity and magnitude of the Year 2000 Problem,
why so many people will likely be affected, and some practical near and long-
term solutions.

Track G--Research & Development--Room 345-346

Toward a Common Framework for Role-Based Access Control (868)*

Chairman: D. Ferraiolo, NIST

Panelists: R. Sandhu, George Mason University; V. Gligor, University of Maryland; R. Kuhn, NIST

This panel will discuss the issues related to the development of a common
reference model for Role-Based Access Control.

Track H--Solutions--Room 343-344


Workshop Report on the Role of Optical Systems and Devices for Security (879)

Chairman: T. Mayfield, Institute for Defense Analyses

Panelists: M. Medard, MIT Lincoln Laboratory; J. Ingles, NSA; M. Krawczewicz, NSA; B. Javidi, University of Connecticut

This panel will address security and vulnerabilities in all-optical networks, discuss
the use of optics for information encoding, and introduce some applications that
might take advantage of optical technology.

Track I--Tutorials--Room 327-328

Common Criteria: K. Britton, NSA; L. Ambuel, BDM International

The Common Criteria has been developed as the next generation of IT Security
Criteria replacing the TCSEC, ITSEC, and CTCPEC. This session will provide a
working knowledge of the concepts and contents of the Common Criteria.

Thursday, October 24th------------4:00 P.M. -- 6:00 P.M.

Track A--Criteria & Assurance--Ballroom 2


Assurance Measures in Evaluation Assurance Level 3 of the Common Criteria


Chairman: M. Schanken, N.S.A.

Panelists: S. Katzke, NIST; K. Keus, GISA; Y. Klein, France

The Common Criteria Sponsoring Organizations are investigating alternative approaches for gaining assurance that products and systems meet their security requirements. The initial phase of the activity maps several alternative assurance approaches to Evaluation Assurance Level 3 (EAL 3) of the Common Criteria.

Track B--Electronic Commerce--Ballroom 3


Security Concerns in the Private Sector - Manufacturing: S. Meglathery, Estee Lauder (Cosmetics)

Track C--In Depth--Room 349-350


Data Warehousing II: The Security Issues

Chairman: D. Kinch, N.S.A.

This session continues discussing current data warehousing security issues.

Track D--Internet--Ballroom 1


Securing the Web (739)

Chairman: J. David, The Fortress

Panelists: J. Freivald, Charter Systems, Inc.; P. Peterson, Lockheed-Martin; D. Dean, Department of Computer Science, Princeton University

The speakers will show how to treat the vulnerabilities uncovered in the first
session in and of themselves, and as a part of both Internet security programs
and total security programs.

Track E--Legal Perspectives--Ballroom 4


Track F--Management & Administration --Room 341-342


Security Siblings

Chairman: C. Pfleeger, Trusted Information Systems, Inc.

Panelist: W. Agresti, MITRETEK Systems

This panel will discuss other avenues of assurance developed in the reliability,
safety-critical, and fault-tolerant communities as well as the security community. By working
together, we can reduce the expense of repeating each other's errors and share
our successes.

Track G--Research & Development--Room 345-346

Security Policy & PKI Certification

Chairman: H. Highland, FICS

Management Model for the Federal Public Key Infrastructure (438): N. Nazario,

Security Policies for the Federal Public Key Infrastructure (445): N. Nazario,

A Proposed Federal PKI using X.509 V3 Certificates (452): W. Burr, NIST

A Security Flaw in the X.509 Standard (463): S. Chokani, Cygnacom Solutions,


Track H--Solutions--Room 343-344


Cryptography's Role in Securing the Information Society

Chairman: H. Lin, National Research Council (N.R.C.)

Panelists: W. Ware, The Rand Corporation, Emeritus; P. Neumann, SRI


The panel will discuss the National Research Council (N.R.C.) report on
Cryptography and its role.

Track I--Tutorials--Room 327-328

Education Technology: R. Quane, National Cryptologic School

Friday, October 25th------------8:30 A.M. -- 10:00 A.M.

Track A--Criteria & Assurance--Ballroom 2


Secure Networking and Assurance Technologies (661)*

Chairman: T. Lunt, Defense Advanced Research Projects Agency (D.A.R.P.A.)

Panelists: K. Levitt, University of California, Davis, CA; J. McHugh, Portland State University (663); S. Kent, BBN; J. Voas, Reliable Software Technologies (669); D. Weber, Key Software (666); L. Badger, Trusted Information Systems, Inc. (667)

The speakers will discuss their goals for secure networking and assurance
technologies in the following areas: Intrusion Detection, Secure Mobile
Computing, and new inroads to Internet Security.

Track C--In Depth--Room 349-350


ISSO as a Vendor Partner in a Changing World

Chairman: B. Snow, N.S.A.

Panelists: C. Baggett, NSA; S. Barnett, NCSC; M. Fleming, NSA; R. George, NSA; R. Marshall, Esq., NSA; H. Novitsky, NSA; R. Schaffer, NSA

This panel of technical leaders from the Information Systems Security Organization will discuss their organizational plans for vendor interaction and support, and under what terms, with the stress on how the ISSO is changing to better accomplish the ISSO mission.

Track F--Management & Administration--Ballroom 4


The Assessment Methodology in the Corporate Sector

Chairman: R. Lopez, N.S.A.

Panelists: J. Jackson, N.S.A.; V. Moseley, N.S.A.; G. Hale, N.S.A.; S. Dombkowski, NSA

The panelists will provide a background of the methodology and tools used by
reviewers of information assets in the corporate environment.

Track H--Solutions--Room 343-344

Execution of Security Policies

Chairman: D. Arnold, N.S.A.

Security for Mobile Agents: Issues and Requirements (591), V. Swarup, The
MITRE Corporation

Extended Capability: A Simple Way to Enforce Complex Security Policies in Distributed Systems (598), I-Lung Kao, IBM Corporation

IGOR: The Intelligence Guard for ONI Replication (607), R. Shore, The ISX

Friday, October 25th-----------------10:20 A.M. -- 12:30 P.M.

Closing Plenary Ballrooms 1 & 3

Information Systems Security - Directions and Challenges

Moderator: Willis H. Ware, Corporate Research Staff, Emeritus -- The Rand


Distinguished Panelists: C. Thomas Cook (889)*, Executive Vice President -- Banc One Services Corporation; William P. Crowell, Deputy Director -- National Security Agency; John Lainhart (890), Inspector General -- U.S. House of Representatives; J. F. Mergen, Principal Scientist -- BBN; Stephen Smaha, Chief Executive Officer/President -- Haystack Labs; Charles Stuckey, Chief Executive Officer -- Security Dynamics

The need for seamless, value-added, yet end-to-end secure and cost-effective
information systems and networks in a rapidly evolving technological world that is
globally competitive has created extraordinary demands and challenges for the
public, academic, and private sectors. Each is asking itself how to meet the
future with a stalwart information infrastructure, and wondering what the roles and
contributions of the other two sectors will or should be.

This distinguished panel is convened to address such over-arching issues and to engage the audience in a dialogue on such questions as the following:

* What challenges do you perceive for your own business or end-user community
with respect to information system security?

* What are the security-relevant challenges for your organization? What is security's strategic role in your organization? How are you making the tradeoffs?

* As you move into new technology, how do you see the challenges changing,
evolving, or growing more serious?

* How do you think these challenges can best be dealt with -- from a
management view; from a public policy view; from a technical view; from a
business view?

* What do you see as the respective roles for government, industry, and
academia as the country and the world move into an ever more information-
intensive future?

* What do you see that industry, government, and academia should be doing in
computer security? What is each doing well or not so well now?

Demonstrations and Activities

Wednesday - Thursday ---Information Systems Security Exposition -----Hall G

The Armed Forces Communications and Electronics Association will host, in parallel with the Conference, an exhibition of security products and services. This exposition provides a forum for industry to showcase information systems security technology and hands-on demonstrations of products and services that are potential solutions to many network and computer security problems.

Wednesday - Friday -----Research and Development Demonstrations -----Room


As a follow-up to the "INFOSEC Research and Technology, Facing the Challenge: Secure Network Technology for the 21st Century," the National Security Agency will demonstrate some of the techniques coming down the future trails. Conference attendees are invited to see the demonstration of future solutions to the 21st Century challenges.

Tuesday - Friday ------European Community ------Registration Area

The Information Technology Security Evaluation Facilities (ITSEF) in Europe and the European Certification Bodies invite the attendees to learn about the European system and security product evaluations and will demonstrate the product evaluation methodology.

Tuesday - Friday -----NIST Clearinghouse -----Room 347-348

A wide variety of information security information is available to federal agencies
and to the public through the NIST Clearinghouse. Information posted to this
system includes an events calendar, computer-based training, software reviews,
publications, bibliographies, lists of organizations with points of contact, and other
government bulletin board numbers and WWW pointers.

Tuesday - Friday -----NSA INFOSEC Awareness ------Booth Registration Area

The booth offers a variety of INFOSEC publications most frequently requested by
users, developers, operators, and administrators of products and services.
Publications available include the INFOSEC Products and Services Catalog and
the National Computer Security Center's computer security technical guidelines --
the RAINBOW Series. The National Cryptologic Museum is also represented at
this booth.

Tuesday - Friday------DOCKMASTER I ------Room 347-348

The National Computer Security Center, DOCKMASTER I, is a focal point for
nationwide dissemination and exchange of information security data through
electronic mail and bulletin boards. Over 2,000 users from federal government,
private companies, and academic institutions participate in its electronic forums
and retrieve data on INFOSEC products, conferences, and training.

Tuesday - Friday ------Information Systems Security Association Booth ------Registration Area

The Information Systems Security Association (ISSA) is an international
association of information security practitioners whose aim is to enhance
professionalism through education, information exchange, and sharing among
those who do INFOSEC day-to-day. The booth contains newsletters, resource
guides, Guidelines for Information Valuation, and the Draft of "Generally
Accepted System Security Principles."

Tuesday - Friday ------NIST Publication --------Booth Registration Area

NIST's Publication Booth will distribute information and publications on a variety
of information systems security issues, including the latest issues of the CSL
Bulletin. Each bulletin discusses a relevant information security topic in depth. A
catalog of our current publications will also be available, as well as instructions
for accessing our Computer Security Resource Clearinghouse electronically.

Tuesday - Thursday -------Book Exhibition --------Registration Area

A book exhibit display representing selections from leading worldwide publishers
dealing specifically with information security is presented by: Association Book
Exhibit, 693 S. Washington Street, Alexandria, VA 22314

Wednesday - Thursday ---Establishing an Enterprise Virus Response Program ----Laboratory Room 330

MITRETEK Systems is providing a hands-on demonstration of tools discussed in the
overview session for "Establishing an Enterprise Virus Response Program." The
Enterprise Virus Response is designed to help the organization develop a proactive
program for the prevention, detection, containment, management, and recovery of
computer virus incidents. The workshop will demonstrate the processes needed to prepare
for an incident or infection, to detect and contain a virus exposure or infection, to recover
from an infection, and to manage the response program.

Friday -----IEEE Data Warehouse Security Workshop -----Room 349-350

The Workshop follows from the two Thursday sessions on Data Warehousing. The output
of the workshop should be research directions for future Data Warehousing security
solutions. The workshop is co-sponsored by the IEEE Mass Storage Committee and will
become a component of the next IEEE Mass Storage Symposium.

General Information

Meeting Site: The conference will be held at the Baltimore Convention Center, 1 West
Pratt Street, Baltimore, Maryland, close to the Baltimore Inner Harbor area. The Opening
Plenary Session will be held in Ballroom I, on the Ballroom Level (enter the Pratt Street
lobby). Registration and information services, and all technical sessions, will be held on
the third floor Meeting Room Level and the fourth floor Ballroom Level. The Convention
Center is conveniently located close to hotels, major highways, and numerous restaurants,
shops, and sightseeing attractions.

Transportation: For those attendees not staying in Baltimore, daily bus service will be
provided from the parking lot across from the National Computer Security Center
(NCSC) Fanx III, 840 Elkridge Landing Road, Linthicum, MD. The buses will run in a
round-robin fashion from the NCSC from 7:00 a.m. to 8:30 a.m. Buses will return to the
NCSC at the end of the sessions each day, following the banquet, and periodically
throughout the awards reception.

Communications: Messages will be taken for conference attendees between the hours of
8 a.m. and 5 p.m. Tuesday through Thursday, and between the hours of 8 a.m. and 12
noon on Friday. Messages will be posted on a message board adjacent to the
Registration/Information Area. Attendees will not be called out of a meeting except for
emergencies. The phone numbers for leaving messages will be posted on the message

Evaluation Forms: Evaluation forms are provided in your conference folder for your
comments. Please leave the completed forms in the boxes provided at the registration
area. We thank you in advance for your comments since your comments help the
committee to develop and improve the conference program each year.

Volunteers: If you would like to serve as a referee for the 20th National Information
Systems Security Conference being planned for October 1997 please E-MAIL:
NISSConference@dockmaster.ncsc.mil or call (410) 850-0272.

Special Interest Rooms: There will be a limited number of rooms available for special
interest discussions ("Birds of a Feather," etc.). These rooms may be reserved in one-hour
increments and must not be used for commercial purposes. To reserve a room, please stop
at the registration area.

Breaks and Lunches

Coffee service: Provided to all the attendees during registration each morning and at mid-
morning and mid-afternoon breaks. Attendees will be free at lunch time to explore the
convenient restaurants or other sites near the Convention Center.

On Wednesday, box lunches will be provided to the first 1,500 attendees on a first-come,
first-served basis at the AFCEA exhibit in Hall G.

Banquet: The conference banquet will be held on Wednesday, October 23, beginning with
a cash bar reception at 6 p.m. and followed by dinner at 7 p.m. The dinner speaker is
Kenneth Chenault, Vice Chairman, American Express Co., Inc. A coupon for this event,
which may be exchanged for a dinner ticket on a first-come first-served basis, will be
included in each attendee's registration kit.

Awards Ceremony and Reception: On Thursday, October 24, at 2:00 pm in rooms 337-
338, awards will be presented to vendors that have successfully developed security
product lines that have been approved by the NIST Validation Program or the NCSC
Trusted Computer System Evaluation Program. Following the award presentation,
conference participants will have an opportunity to learn more about these products as
each vendor hosts a display. Awards also will be presented to companies that have
participated in Systems Security Engineering Capability Maturity Model (SSE-CMM)
pilot appraisals. You are invited to visit the SSE-CMM project display for more
information regarding this community-supported initiative. An awards reception will
begin at 6 p.m. in the lower lobby. A ticket for the reception will be included in the
registration kit of each registered attendee.

Housing: See map of the conference hotels in the area

20th National Information Systems Security Conference (October 6 - 9, 1997 in
Baltimore, MD)