Training and Continuing Education at ACSAC

ACSAC offers several opportunities to help you maintain your professional certification: Technology courses, the ACSAC technical program, and our FISMA training track. For all of these, ACSAC provides sufficient evidence to support Continuing Professional Education (CPE) credit claims:

  • For formal ACSAC courses and training with pre-registration, ACSAC will provide printed certificates of completion indicating the number of hours of training.
  • For the ACSAC technical program, a copy of the final program, the attendance roster, and the registration receipt are your evidence.*

Notes will be printed for people that have registered a week or more before the conference. PDF file(s) of notes will be mailed (on request) to people who did not register a week or more before the conference.

ACSAC technology courses and the ACSAC technical program (including the ACSAC FISMA training track) are a great way to meet CPE requirements!


FISMA Training Track

The Joint Task Force Transformation Initiative Working Group, with representatives from the Civil, Defense, and Intelligence Communities, is an ongoing effort to produce a unified information security framework for the U.S. Federal government, including a consistent process for selecting and specifying safeguards and countermeasures (i.e., security controls) for federal information systems. The initiative has addressed the transition from periodic Certification & Accreditation to continuous monitoring and Integrated Enterprise-Wide Risk Management. ACSAC is very pleased to host training by the authors of several related foundational NIST guidance publications.

ID   Title                                                        Instructor                             Scheduled
TR1  Security Controls: NIST SP 800-53, Revision 4                Kelley Dempsey                         Wed, 10:30-12:00
TR2  New Appendix in NIST SP 800-53 Revision 4: Privacy Controls  Julie McEwen                           Wed, 13:30-15:00
TR3  Conducting Risk Assessments: NIST SP 800-30, Revision 1      Kelley Dempsey                         Wed, 15:30-17:00 & Thu, 10:30-12:00
TR4  Risk Management Framework: NIST SP 800-37                    Marshall Abrams and/or Kelley Dempsey  Thu, 13:30-15:00 & 15:30-17:00
TR5  Managing Information Security: NIST SP 800-39                Marshall Abrams                        Fri, 8:30-10:00 & 10:30-12:00

In addition to the Training Track that is scheduled as part of ACSAC, the Technology Courses are offered on Monday and Tuesday before ACSAC.


Training TR1 – Security Controls: NIST SP 800-53 Revision 4

Kelley Dempsey, National Institute of Standards and Technology

Wednesday, 10:30-12:00

The National Institute of Standards and Technology (NIST), in collaboration with the Office of the Director of National Intelligence, the Department of Defense, and the Committee on National Security Systems (CNSS), is currently updating Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations. Revision 3, published in August 2009, contains the first unified set of security controls for both non-national security and national security systems. Revision 4, scheduled for publication in December 2011, will provide significant updates for controls in many new areas, including insider threats, supply chain, application security, industrial control systems, and privacy.

Prerequisites

None

About the Instructor

Kelley Dempsey began her career in IT in 1986 as an electronics technician repairing PCs and printers before moving on to system administration and network management in the early 90s. While with the Department of the Navy in 1999, she began focusing on information system security by training for and then conducting a large scale DITSCAP certification and accreditation from start to finish. In 2001, Kelley joined the NIST operational Information Security team, managing the NIST information system certification and accreditation program through September 2008. Kelley joined the NIST Computer Security Division FISMA team in October 2008 and has co-authored NIST SP 800-128 (Security-Focused Configuration Management) and NIST SP 800-137 (Information Security Continuous Monitoring) and was also a major contributor to NIST SPs 800-53 Rev 3, 800-37 Rev 1, 800-53A Rev 1, and 800-39. Kelley completed a B.S. degree in Management of Technical Operations from Embry-Riddle Aeronautical University, graduating cum laude in December 2003 and earned a CISSP certification in June 2004.


Training TR2 – New Appendix in NIST SP 800-53 Revision 4: Privacy Controls

Julie McEwen, MITRE Corporation

Wednesday, 13:30-15:00

Special Publication 800-53, Appendix J, Privacy Control Catalog, addresses privacy with respect to personally identifiable information and specifies privacy and security controls for information systems that process, store, and transmit personally identifiable information. The Privacy Control Catalog is a new addition to SP 800-53, Revision 4, projected for release in December 2011. The objectives of the Privacy Appendix are:

  • Provide a structured set of privacy controls;
  • Establish a linkage and relationship between privacy and security controls;
  • Demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment, and monitoring of privacy controls; and
  • Promote closer cooperation between privacy and security officials.

Prerequisites

None

About the Instructor

Julie S. McEwen, CIPP/G, CIPP, CISSP, is a Principal Information Privacy and Cybersecurity Engineer and leads the privacy capability at the Cybersecurity and Privacy Technical Center at The MITRE Corporation. Prior to joining MITRE, Ms. McEwen managed privacy and cybersecurity programs and advised organizations on privacy and cybersecurity policy and technology issues while at the U.S. Department of Defense, Deloitte, IIT Research Institute, the Logistics Management Institute, and T. Rowe Price. With over 25 years of experience in privacy and cybersecurity, the U.S. federal agencies and departments she has supported include the Departments of Defense, Justice, Treasury, Homeland Security, and Health and Human Services, as well as the Census Bureau and the U.S. House of Representatives. Ms. McEwen is co-editor of U.S. Government Privacy: Essential Policies and Practices for Privacy Professionals [International Association of Privacy Professionals (IAPP), 2009]. She has served as one of the lead faculty for the IAPP's U.S. Government Privacy Training Program since 2006, and is a member of the IAPP CIPP/G Certification Advisory Board.


Training TR3 – Conducting Risk Assessments: NIST SP 800-30, Revision 1

Kelley Dempsey, National Institute of Standards and Technology

Wednesday, 15:30-17:00 & Thursday, 10:30-12:00

NIST Special Publication 800-30 is undergoing a transition from a risk management document to a risk assessment guideline. While the traditional factors considered in performing an assessment will not change, application of the resulting determinations will now inform, and apply across, all three tiers of the new 3-tier risk model introduced in Special Publication 800-39. This session will cover the assessment itself, additional considerations relevant to performing assessments, and the importance of keeping assessment results current in support of continuous monitoring.

Prerequisites

None

About the Instructor

Kelley Dempsey began her career in IT in 1986 as an electronics technician repairing PCs and printers before moving on to system administration and network management in the early 90s. While with the Department of the Navy in 1999, she began focusing on information system security by training for and then conducting a large scale DITSCAP certification and accreditation from start to finish. In 2001, Kelley joined the NIST operational Information Security team, managing the NIST information system certification and accreditation program through September 2008. Kelley joined the NIST Computer Security Division FISMA team in October 2008 and has co-authored NIST SP 800-128 (Security-Focused Configuration Management) and NIST SP 800-137 (Information Security Continuous Monitoring) and was also a major contributor to NIST SPs 800-53 Rev 3, 800-37 Rev 1, 800-53A Rev 1, and 800-39. Kelley completed a B.S. degree in Management of Technical Operations from Embry-Riddle Aeronautical University, graduating cum laude in December 2003 and earned a CISSP certification in June 2004.


Training TR4 – Risk Management Framework: NIST SP 800-37

Marshall Abrams, The MITRE Corporation
Kelley Dempsey, National Institute of Standards and Technology

Wednesday, 15:30-17:00 & Thursday, 10:30-12:00

The National Institute of Standards and Technology (NIST), in collaboration with the Office of the Director of National Intelligence, the Department of Defense, and the Committee on National Security Systems (CNSS), published Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems (formerly the security certification and accreditation guideline), in February 2010. The revised publication transforms the traditional static, stovepiped certification and accreditation process into a process that supports near real-time risk management. This session describes how the process of certification and accreditation is integrated into the Risk Management Framework, and focuses on the continuous monitoring of security controls to determine the security state of organizational information systems and environments of operation.

Prerequisites

None

About the Instructors

Dr. Marshall D. Abrams is a Principal Scientist at the MITRE Corporation in McLean, Virginia. He holds two patents and has taught cyber security courses on six continents. He received the BSEE from Carnegie Institute of Technology and the MSEE and Ph.D. from the University of Pittsburgh. While at the National Bureau of Standards he received the Department of Commerce Silver Medal Award. He received two awards from the Federal Aviation Administration for contributions to the Information Systems Security Program. He is a Senior Life Member of the IEEE and has been honored with the IEEE Computer Society Golden Core award. He is also a Senior Fellow of the Applied Computer Security Associates. Marshall has been involved with the NIST FISMA Implementation Project since its inception.

Kelley Dempsey began her career in IT in 1986 as an electronics technician repairing PCs and printers before moving on to system administration and network management in the early 90s. While with the Department of the Navy in 1999, she began focusing on information system security by training for and then conducting a large scale DITSCAP certification and accreditation from start to finish. In 2001, Kelley joined the NIST operational Information Security team, managing the NIST information system certification and accreditation program through September 2008. Kelley joined the NIST Computer Security Division FISMA team in October 2008 and has co-authored NIST SP 800-128 (Security-Focused Configuration Management) and NIST SP 800-137 (Information Security Continuous Monitoring) and was also a major contributor to NIST SPs 800-53 Rev 3, 800-37 Rev 1, 800-53A Rev 1, and 800-39. Kelley completed a B.S. degree in Management of Technical Operations from Embry-Riddle Aeronautical University, graduating cum laude in December 2003 and earned a CISSP certification in June 2004.


Training TR5 – Managing Information Security Risk: Organization, Mission, and Information System View: NIST SP 800-39

Marshall Abrams, The MITRE Corporation

Friday, 8:30-10:00 & 10:30-12:00

Information technology is widely recognized as the engine that drives the U.S. economy, giving industry a competitive advantage in global markets, enabling the federal government to provide better services to its citizens, and facilitating greater productivity as a nation. Risk related to the operation and use of information systems is one of many components of organizational risk that senior leaders address as a routine part of their ongoing risk management responsibilities. Effective risk management requires that organizations operate in a highly complex and interconnected world using state-of-the-art and legacy information systems, systems that organizations depend upon to accomplish critical missions and to conduct important business-related functions. Special Publication 800-39, published in March 2011, is the flagship document in the series of FISMA publications and provides a structured, yet flexible, approach for managing that portion of risk resulting from the operation and use of information systems to support the missions and mission/business processes of organizations. This session will examine the Special Publication 800-39 guidelines for an integrated, enterprise-wide approach to managing risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems.

Prerequisites

None

About the Instructor

Dr. Marshall D. Abrams is a Principal Scientist at the MITRE Corporation in McLean, Virginia. He holds two patents and has taught cyber security courses on six continents. He received the BSEE from Carnegie Institute of Technology and the MSEE and Ph.D. from the University of Pittsburgh. While at the National Bureau of Standards he received the Department of Commerce Silver Medal Award. He received two awards from the Federal Aviation Administration for contributions to the Information Systems Security Program. He is a Senior Life Member of the IEEE and has been honored with the IEEE Computer Society Golden Core award. He is also a Senior Fellow of the Applied Computer Security Associates. Marshall has been involved with the NIST FISMA Implementation Project since its inception.