Past ACSA Projects
SAC Technology Advocacy Committee (SAC-TAC)
The SAC Technology Advocacy Committee is a group whose mission is to advance Strong Access
Control (SAC) technology and increase its awareness in the marketplace. Strong
Access Control refers to mechanisms that provide effective protection and
assured behavior under concerted and sophisticated attack, and includes
mechanisms such as multilevel security. The
SAC-TAC has the following goals:
- To increase market awareness and demand for SAC
technology and products.
- To facilitate interoperability of SAC products.
- To identify commercial and research opportunities for
- To enhance communication within the SAC community.
- To define the appropriate resistance for attack for SAC
Daniel Faigin, The Aerospace
Workshop on the Application of Engineering Principles
to System Security Design (WAEPSSD)
The goal of the Workshop on
the Application of Engineering Principles to System Security Design
(WAEPSSD) was to examine engineering fundamentals, the principles and
practice of designing and building secure systems. The workshop looked at where
we have been in security engineering (formal methods, Orange book, Common
Criteria, penetrate and patch, Certification and Accreditation, Defense in
Depth) and where we should go. The goal of the workshop was to begin a process
of serious thinking about these important issues. The output of the workshop is
a collection of essays and technical papers on the issues discussed in the
workshop. ACSA's intent is that the output of the workshop becomes the kernel
for a growing on-line collection of theory, principles, and practice of
This workshop was held in November 2002 in Boston, MA.
Workshop Chair. Marshall D. Abrams, The MITRE
Workshop on Information-Security-System Rating and Ranking
Security System Rating and Ranking (ISSRR) Workshop was a venue to explore
the meaning and intent of approaches for rating and ranking information
assurance. Specific goals of the workshop included:
- To clarify what researchers and practitioners are talking
about when they refer to IA metrics.
- To debunk the pseudo-science associated with assurance
- To discover some indirect indicators of security.
- To precisely define the research problems in developing
IA metrics methodologies.
- To recap the latest thinking on current IA metrics
- To identify efforts that are successful in some sense, if
they exist, and if none exist, reduce expectations on what might be achieved
through IA metrics.
- To explore the unintended side effects of
ratings/measures (e.g., inflating the numbers to ensure promotion, delay review
by higher authority)
- To clarify what's measurable and what's not.
- To scope and characterize the measures to be addressed
(e.g., EJB Security, CORBA Security, and/or Microsoft DNA Security) and to
explain what happens when several of these measures/applications co-exist in
the same enterprise: do they augment each other or cancel each other out?
- To describe how measures should be used in the context of
IA, especially to influence purchases and for general resource
- To identify misapplications of measures, including their
description as "metrics".
The workshop was held in May 2001.
Chair. Ronda Henning, Harris
Liaison. Marshall D. Abrams,
The MITRE Corporation
Second International Working Conference on Integrity and
Internal Control in Information Systems
In 1998, ACSA was an "in cooperation with" partner for the
International Working Conference on Integrity and Internal Control in
Information Systems. This workshop continued the ongoing dialog between IT
security specialists and internal control specialists with the intent of
assisting to create reliable business systems in the future. The goals were to
find an answer to the questions:
- What precisely do business managers need in order to have
confidence in the integrity of their information systems and their data?
- What is the status quo of research and development in
- Where are the gaps between business needs on the one hand
and research/development on the other?
- What needs to be done to bridge these gaps?
The workshop was sponsored by IFIP TC-11 Working Group 11.5.
It was held in cooperation with Applied Computer Security Associates
(ACSA), George Mason University, and the International Federation of
Accountants (IFAC), IT-Committee. It was supported and sponsored by:
PricewaterhouseCoopers GRMS, the Dutch Association of Registered EDP-Auditors
(NOREA), and the Dutch Computer Society (NGI), SIG on Information Security.
Coordinator. Marshall Abrams, MITRE
(Conference Chair, 1998)
Workshop on Information Technology Assurance and Trustworthiness
In 1994, 1995, and 1996, ACSA sponsored the Workshop on Information
Technology Assurance and Trustworthiness (WITAT). The general goal of the
workshop was to investigate and promote promising methods of gaining assurance
in information technology. Other sponsors of the workshop were the National
Institute of Standards and Technology, and the University of Maryland Institute
for Advanced Computer Studies.
Coordinator. Doug Landoll, ARCA
Systems (Workshop Chair, 1996)
ACSA Visiting Lecturer Program
The goal of this project was to initiate a Visiting Lecturer
program to bring speakers on Information Security to university campuses. This
was seen as a way of spreading information about Information Security as a
career choice and academic pursuit. The project is currently on hold, pending
volunteers and suggestions for membership on this committee.
Coordinator. Position Open