Issues 2004 Workshops

ACSAC is pleased to host two workshops this year: one on Security Awareness Programs and one on Trusted Computing. Previous ACSAC attendees have agreed that past workshops like these provide a useful and exciting forum for information technology professionals – for example, standards developers, software developers, security engineers, security officers – to exchange ideas, concerns, and opinions. Due to community interest in both security awareness and trusted computing, this year's workshops should generate much discussion.

Registration: Although there is no charge for attending the workshop, pre-registration is requested. Use the Registration Form to register or contact Harvey H. Rubinovitz, Workshop Chairman, directly by mail at The MITRE Corporation, M/S S145, 202 Burlington Road, Bedford, MA 01730; by telephone at (781) 271-3076; or by electronic mail. Position papers are encouraged; contact Harvey with proposed papers or presentations. Please note that registration for this Workshop does not include registration for any ACSAC sessions.

Meals: ACSAC workshops do not include meals or refreshments at breaks. However, workshop participants who would like to partake of a Continental Breakfast, morning and afternoon snacks, and the ACSAC Lunch at the Monday and/or Tuesday Workshops may do so at a cost of $40.00 per day. Use the Registration Form to pre-register for this option.

Workshop on Security Awareness Programs


Melissa Guenther
Security Awareness Consultant

Kelley Bogart
University of Arizona, Department of Business Continuity and Information Security

Monday, 6 December 2004
1:30 PM - 4:30 PM

Technology that drives the information age also drives information security. As information becomes more available, so does the capability of people to get into your information systems. In today's environment, you need to do more than prepare your IS team to ensure the security of your personal, physical and information assets. Those assets may well be handled on a regular basis by nontechnical employees in the least protected parts of your organization.

Security no longer belongs to a department - it needs to be considered as part of every individual's daily work. Simply put, a security-aware organization is one where every employee understands that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within your computer systems and throughout your organization. Therefore, it would be prudent to support the assets of the organization (information, physical, and personal) by trying to stop that from happening. This workshop will provide a source for establishing a security awareness program and for evaluating and updating an existing program.


About the Instructors:

Ms. Kelley Bogart has worked for the University of Arizona for a total of twelve years. The last seven years she has worked for the Campus Computing and Information Technology Center. The first three and a half years were dedicated to the campus Y2K education and coordination efforts. The last four and a half years she has worked for the University's Business Continuity and Information Security Office as the Information Security Coordinator. Much of the initial work was dedicated to policy and best practices related to Business Continuity and Information Security topics. The last two years have been dedicated to developing and implementing a Campus Security Awareness Campaign. This ongoing campaign has received international recognition. As a result of this recognition, Kelley was appointed Co-Chair of the EDUCAUSE Security Awareness Task Force, which is an international group that focuses on IT issues and solutions specific to academia. This task force works directly with the National Cyber Security Alliance with regard to Security Awareness. Most recently she is working on a partnership agreement with Arizona Homeland Security to use UA's Awareness Campaign for a Statewide Awareness Campaign Initiative.

Ms. Melissa Guenther has worked in a consulting capacity on a wide range of assignments. Her experience has been to assist teams in creating blueprints and designing interventions for change, primarily in the Security Awareness area. She brings over 20 years of culture Change Management and Training experience, providing a strong base for proven results. She has been a presenter at various security conferences, such as SANS, CSI, and the Arizona Chapter of High Technology Crime Investigation Association (ACHICIA), both nationally and internationally. Ms. Guenther also created the plan and blueprint for the University of Arizona's Security Awareness campaign, and assisted in the implementation through presentations, integration and various anchoring interventions throughout the campus.

Workshop on Trusted Computing


Dr. Harvey H. Rubinovitz
The MITRE Corporation

Tuesday, 7 December 2004
8:30 a.m. - 4:30 p.m.

With the increase of mobility, collaboration, and information sharing, new ways to secure information in a trusted manner are necessary. Trusted computing is an industrial initiative that proposes using additional hardware and software to help solve some of today's security threats. The hardware implementation provides additional functionality and assurance that would not otherwise be possible. One use of trusted computing is Digital Rights Management (DRM). DRM is a term used for technologies that control how digital content is used. Creators of documents and entertainment media (music, movies, etc.) can control what type of access (read-only, read for the next 10 days, copy, etc.) is allowed to their content, and prevent unauthorized access.

Major IT companies have taken a greater interest in trusted computing technology as the amount of information that needs to be protected (personal, company confidential, copyright, etc.) increases. A group of companies (AMD, HP, IBM, Intel, Microsoft, Sony, Sun, and others) formed a consortium originally called the Trusted Computer Platform Alliance (TCPA); in May 2003, it became the Trusted Computing Group (TCG).

TCG develops and promotes open industry standard specifications for trusted computing and is in the process of defining an expanded version of the original TCPA specification. IBM has published software to make a TCG Trusted Platform Module (TPM) that will work with the Linux kernel to improve the protection of cryptographic keys. Microsoft's project is the Microsoft Next-Generation Secure Computing Base (NGSCB). Both projects rely on additional hardware that may not be present in today's computing devices.

This workshop will focus on the relationship between trusted computing and security, how the technology is being implemented and utilized to provide additional trust between various software applications and better data protection, and the need to facilitate the research and development of the next generation of trusted computing.

Previous participants have agreed that past workshops have provided a useful and exciting forum for members of the standards and software development worlds to exchange ideas, opinions, and concerns. Due to community interest in trusted computing (and the rapidly evolving specifications and technologies), this year's workshop should generate much discussion.