1998 Conferences

1st CACR Information Security Workshop

Marty Ferris, Ferris & Associates, Inc.

Common Criteria: The Security Business Case

Managing security involves a business decision on the part of the consumer of security products. The question always looms: "What's good enough" to satisfy service users, auditors and business planners? Management tools for security have always included voluntary standards. The Common Criteria adds some new wrinkles to a standard business process. The talk will discuss the basics of why organizations choose to secure; what the challenges to securing have been and are; commonalities and differences of past to future; and the role of standards, the standard's development process, and what a standard looks like. Linking the traditional challenges of securing to the future via the Common Criteria provides more opportunity for constituency ownership of the standard and other advantages in managing "What's good enough."

Speaker Bio
John Martin Ferris established Ferris & Associates, Inc., an information security consulting firm specializing in electronic payment security, financial standards development and applications, policy analyses, security awareness, education and training, and security program conference development. Clients include the Financial Services Technology Consortium and the American Bankers Association.

As a Senior Security Manager for the United States Department of Treasury from 1984 to 1997, Mr. Ferris developed and supervised the evaluation and implementation of a Treasury-wide information security program with results including 500 federal agencies. He initiated Treasury-wide enterprise security services (including Virtual Private Network services, IPSEC, PKI, education and training) in support of 13 Treasury agency security programs that are business case driven and industry standards based.

Mr. Ferris's specialty area includes development of federal payment systems using financial industry electronic signature standards, Treasury-wide enterprise security services and serving as the chief security consultant for Treasury's Electronic Check Pilot program. Mr. Ferris is a former chair of the financial industry's accredited security standards subcommittee X9F.

Prior to joining Treasury in 1984, Mr. Ferris worked at the National Security Agency in three distinct capacities. As a Security Analyst from 1981 to 1984 he evaluated the security of government and commercial information systems for significant vulnerabilities and risks based on customer-defined security policies. As a Program Manager from 1978-1981, Mr. Ferris assisted government customers in acquiring secure systems (government and commercial) to meet mission needs. From 1970-78 as a Computer Programmer, he developed application programs for government security applications using both high-level software and assembly languages.

Born in Darby, Pennsylvania in 1951, John Martin "Marty" Ferris received his B.S. in Mathematics from Drexel University and an M.S. in Computer Science from Johns Hopkins University. A 12-year resident of Cleveland Park, Mr. Ferris is an active and committed member of the Washington, D.C. community, illustrated by his service to the homeless as President of the Georgetown Ministry Center's Board of Directors.