Past ACSA Projects
SAC Technology Advocacy
The SAC Technology
Advocacy Committee is a group whose mission is to advance
Strong Access Control (SAC) technology and increase its
awareness in the marketplace. Strong Access Control refers to
mechanisms that provide effective protection and assured
behavior under concerted and sophisticated attack, and includes
mechanisms such as multilevel security. The
SAC-TAC has the following goals:
- To increase market awareness and demand for SAC
technology and products.
- To facilitate interoperability of SAC products.
- To identify commercial and research opportunities for
- To enhance communication within the SAC community.
- To define the appropriate resistance for attack for SAC
Faigin, The Aerospace Corporation
Workshop on the Application of Engineering Principles
to System Security Design (WAEPSSD)
The goal of the Workshop on
the Application of Engineering Principles to System Security
Design (WAEPSSD) was to examine engineering fundamentals,
the principles and practice of designing and building secure
systems. The workshop looked at where we have been in security
engineering (formal methods, Orange book, Common Criteria,
penetrate and patch, Certification and Accreditation, Defense
in Depth) and where we should go. The goal of the workshop was
to begin a process of serious thinking about these important
issues. The output of the workshop is a collection of essays
and technical papers on the issues discussed in the workshop.
ACSA's intent is that the output of the workshop becomes the
kernel for a growing on-line collection of theory, principles,
and practice of security engineering.
This workshop was held in November 2002 in Boston, MA.
Workshop Chair. Marshall D. Abrams,
The MITRE Corporation
Information-Security-System Rating and Ranking
The Information Security System Rating and Ranking (ISSRR) Workshop was a
venue to explore the meaning and intent of approaches for
rating and ranking information assurance. Specific goals of the
- To clarify what researchers and practitioners are talking
about when they refer to IA metrics.
- To debunk the pseudo-science associated with assurance
- To discover some indirect indicators of security.
- To precisely define the research problems in developing
IA metrics methodologies.
- To recap the latest thinking on current IA metrics
- To identify efforts that are successful in some sense, if
they exist, and if none exist, reduce expectations on what
might be achieved through IA metrics.
- To explore the unintended side effects of
ratings/measures (e.g., inflating the numbers to ensure
promotion, delay review by higher authority).
- To clarify what's measurable and what's not.
- To scope and characterize the measures to be addressed
(e.g., EJB Security, CORBA Security, and/or Microsoft DNA
Security) and to explain what happens when several of these
measures/applications co-exist in the same enterprise: do
they augment each other or cancel each other out?
- To describe how measures should be used in the context of
IA, especially to influence purchases and for general
- To identify misapplications of measures, including their
description as "metrics".
The workshop was held in May 2001.
ACSA Liaison. Marshall D. Abrams,
The MITRE Corporation
Second International Working
Conference on Integrity and Internal Control in Information Systems
In 1998, ACSA was an "in cooperation with"
partner for the 2nd
International Working Conference on Integrity and Internal
Control in Information Systems. This workshop continued the
ongoing dialog between IT security specialists and internal
control specialists with the intent of helping to create
reliable business systems in the future. The goals were to find
an answer to the questions:
- What precisely do business managers need in order to have
confidence in the integrity of their information systems
and their data?
- What is the status quo of research and development in
- Where are the gaps between business needs on the one hand
and research/development on the other?
- What needs to be done to bridge these gaps?
The workshop was sponsored by IFIP TC-11 Working
Group 11.5. It was held in cooperation with Applied
Computer Security Associates (ACSA), George Mason University,
and the International Federation of Accountants (IFAC),
IT-Committee. It was supported and sponsored by:
PricewaterhouseCoopers GRMS, the Dutch Association of
Registered EDP-Auditors (NOREA), and the Dutch Computer Society
(NGI), SIG on Information Security.
Coordinator. Marshall Abrams, MITRE (Conference
Workshop on Information
Technology Assurance and Trustworthiness
In 1994, 1995, and 1996, ACSA sponsored the
Workshop on Information Technology Assurance and Trustworthiness
(WITAT). The general goal of the workshop was to investigate
and promote promising methods of gaining assurance in
information technology. Other sponsors of the workshop were the
National Institute of Standards and Technology, and the
University of Maryland Institute for Advanced Computer Studies.
Coordinator. Doug Landoll, ARCA Systems
(Workshop Chair, 1996)
ACSA Visiting Lecturer
The goal of this project was to initiate a Visiting Lecturer
program to bring speakers on Information Security to university
campuses. This was seen as a way of spreading information about
Information Security as a career choice and academic pursuit.
The project is currently on hold, pending volunteers and
suggestions for membership on this committee.
Coordinator. Position Open