Strategic Security Intelligence

NSTSSI Security Education Standards


Top - Help

Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved


   13.  Using a comprehensive model of information systems
security, the curriculum is intended to provide two levels of
        a.  Awareness Level.  Creates a sensitivity to the
threats and vulnerabilities of national security information
systems, and a recognition of the need to protect data, infor-
mation and the means of processing them; and builds a working
knowledge of principles and practices in INFOSEC.

        b.  Performance Level.  Provides the employee with the
skill or ability to design, execute, or evaluate agency INFOSEC
security procedures and practices.  This level of understanding
will ensure that employees are able to apply security concepts
while performing their tasks.
   14.  The program of instruction, as outlined below, shall
encompass scope, suggested sequence, and content.
        a.  COMMUNICATIONS BASICS (Awareness Level)

  Instructional Content          Behavioral Outcomes

- Introduce the evolution of   - Outline chronology of  
  modern communications systems. communications systems and
- Describe vehicles of         - Match features of trans-
  transmission.                  mission to descriptors
                                 (e.g., signal type, speed
                                 production characteristics,

                (1)  Topical Content
                     (a) Historical vs Current Methodology

                     (b) Capabilities and limitations of various
                         communications systems
                         - microwave
                         - line of sight
                         - satellite
                         - radio frequency (e.g., bandwidth)
                         - asynchronous vs synchronous
                         - dedicated line
                         - digital vs analog
                      - public switched network

                (1)  Topical Content
                     (a) Historical vs Current Methodology
           (Awareness Level)

  Instructional Content            Behavioral Outcomes   
- Provide language of an AIS.    - Define terms in an AIS.  

- Describe an AIS environment    - Define functions performed.
  by an AIS.

- Providing an overview of       - Describe interrelationship
  hardware, software, firmware     among AIS components.
  components of an AIS, to
  integrate into information
  systems security aspects/
  behaviors discussed later.
            (1)  Topical Content
                 (a) Historical vs Current Technology

                 (b) Hardware
                 (b) Hardware
                     - distributed vs stand-alone
                     - micro, mini, mainframe processors
                     - storage devices
                     - components (e.g., input, output, central
                       processing unit (CPU))
                 (c) Software
                     - operating system
                     - applications

                 (d) Memory
                     - sequential
                     - random
                     - volatile vs nonvolatile

                 (e) Media
                     - magnetic remanence
                     - optical remanence
                 (f) Networks
                     - topology
                     - sharing of data
                     - sharing of devices
                     - file servers
                     - modems
                     - asynchronous vs synchronous
                      - switching
        c.  SECURITY BASICS (Awareness Level)
  Instructional Content             Behavioral Outcomes
- Using the Comprehensive Model   - The student will list and
  of Information Systems Security   describe the elements of
  (contained in the Annex to        AIS security.
  this instruction), introduce  
  a comprehensive model of        - The student will summarize
  information systems security      security disciplines used
  that addresses:                   in protecting government
                                     automated information
  - critical characteristics        systems.
    of information
  - information states, and        - Student will give examples
  - security measures.                of determinants of criti-
                                         cal information.
            (1)  Topical Content

                 (a) INFOSEC Overview
                     - threats
                     - vulnerabilities
                     - critical information characteristics
                       - confidentiality
                       - integrity
                       - availability
                     - information states
                       - transmission
                       - storage
                       - processing
                     - security countermeasures  
                       - technology
                       - policy, procedures and practices
                       - education, training and awareness   

                 (b) Operations Security (OPSEC)
                     - OPSEC process
                     - INFOSEC and OPSEC interdependency
                     - unclassified indicators
                     - OPSEC surveys/OPSEC planning
                 (c) Information Security
                     - policy
                     - roles and responsibilities
                     - application dependent guidance
                 (d) INFOSEC
                     - cryptography
                       - strength (e.g., complexity, secrecy,
                         characteristics of the key)
                       - encryption (e.g., point-to-point,
                         network, link)
                       - key management (to include electronic
                     - transmission security
                     - emanations security
                                 - physical, personnel and administrative
                     - computer security
                       - identification and authentication
                       - access control
                       - audit
                       - object reuse
        d.  NSTISS BASICS (Awareness Level)
  Instructional Content              Behavioral Outcomes
- Describe components (with        - Outline national NSTISS
  examples to include:  national     Policies.
  policy, threats and vulner-
  abilities, countermeasures,      - Cite examples of threats
  risk management, systems           and vulnerabilities of an
  lifecycle management, trust,       AIS.
  modes of operation, roles of
  organizational units, facets     - Give examples of Agency  
  of NSTISS.                         implementation of NSTISS
                                      policy, practices and
            (1)  Topical Content
                 (a) National Policy and Guidance
                     - AIS security
                     - communications security
                     - protection of information
                     - employee accountability for
                       agency information

                 (b) Threats to and Vulnerabilities of Systems
                     - definition of terms  (e.g., threats,
                       vulnerabilities, risk)
                     - major categories of threats (e.g.,
                       fraud, Hostile Intelligence Service
                     - major categories of threats (e.g.,
                       fraud, Hostile Intelligence Service
                       (HOIS), malicious logic, hackers,
                       environmental and technological hazards,
                       disgruntled employees, careless
                       employees, HUMINT, and monitoring)
                     - threat impact areas

     (c) Legal Elements
         - fraud, waste and abuse
         - criminal prosecution
         - evidence collection and preservation  
         - investigative authorities
     (d) Countermeasures
         - cover and deception
         - HUMINT
         - monitoring (e.g., data, line)
         - technical surveillance countermeasures
         - education, training, and awareness
         - assessments (e.g., surveys, inspections)

     (e) Concepts of Risk Management
         - threat and vulnerability assessment
         - cost/benefit analysis of controls 
         - implementation of cost-effective
         - implementation of cost-effective
         - consequences (e.g., corrective action,
           risk assessment)
         - monitoring the efficiency and effective-   
           of controls (e.g., unauthorized or
           inadvertent disclosure of information)
     (f) Concepts of System Life Cycle Management
         - requirements definition (e.g.,
         - development
         - demonstration and validation (testing)
         - implementation
         - security (e.g., certification and
         - operations and maintenance (e.g.,     
           configuration management)
     (g) Concepts of Trust
         - policy
         - mechanism
         - assurance
     (h) Modes of Operation
         - dedicated
         - system-high
         - compartmented/partitioned
         - multilevel
                 (i) Roles of Various Organizational Personnel
                     - senior management
                     - program or functional managers
                     - system manager and system staff
                     - telecommunications office and staff
                     - security office
                     - COMSEC custodian
                     - INFOSEC Officer
                     - information resources management staff
                     - audit office
                     - OPSEC managers
                     - end users
                 (j) Facets of NSTISS
                     - protection of areas
                     - protection of equipment
                     - protection of passwords
                     - protection of files and data
                     - protection against malicious logic
                     - backup of data and files
                     - protection of magnetic storage media
                     - protection of voice communications
                     - protection of data communications
                     - protection of keying material
                     - application of cryptographic systems
                     - transmission security countermeasures
                       (e.g., callsigns, frequency, and pattern
                     - transmission security countermeasures
                       (e.g., callsigns, frequency, and pattern
                       forewarning protection)
                     - reporting security violations
        e.  SYSTEM OPERATING ENVIRONMENT (Awareness Level)
  Instructional Content               Behavioral Outcomes
- Outline Agency specific           - Summarize Agency AIS
  AIS and telecommunications          and telecommunications
  systems.                            systems in operation.
- Describe Agency "control points"  - Give examples of current
  for purchase and maintenance        Agency AIS/telecom-
  of Agency AIS and telecommuni-      munications systems and
  cations systems.                    configurations.
- Review Agency AIS and telecom-    - List Agency-level contact
  munications security policies.      points for AIS and tele-
                                                communications systems
                                                                  and maintenance.
                                                                                   - Cite appropriate policy
                                                                  and guidance.
                      (1)  Topical Content
                           (a) AIS
                               - hardware
                               - software
                               - firmware
                           (b) Telecommunications Systems
                               - hardware
                               - software
                           (c) Agency Specific Security Policies
                               - guidance
                               - roles and responsibilities   
                               - points of contact
                           (d) Agency Specific AIS and Telecommunications
                               - points of contact
                               - references
              f.  NSTISS PLANNING AND MANAGEMENT (Performance Level)
  Instructional Content              Behavioral Outcomes

- Discuss practical performance    - Builds a security plan   
  measures employed in designing     that encompasses NSTISS
  security measures and programs.    components in designing
                                               protection/security for an
- Introduce generic security         instructor-supplied
  planning guidelines/documents.     description of an AIS
                                      telecommunications system.
            (1)  Topical Content
                 (a) Security Planning
                     - directives and procedures for NSTISS
                     - NSTISS program budget
                     - NSTISS program evaluation  
                     - NSTISS training (content and audience
                 (b) Risk Management
                     - information identification
                     - roles and responsibilities of all the
                       players in the risk analysis process
                     - risk analysis and/or vulnerability
                       assessment components
                     - risk analysis results evaluation
                     - corrective actions
                      - acceptance of risk (accreditation)  

                  (c) Systems Life Cycle Management
                     - management control process (ensure that
                       appropriate administrative, physical,
                       and technical safeguards are incor-
                       porated into all new applications and
                       and technical safeguards are incor-
                       porated into all new applications and
                       into significant modifications to
                       existing applications)
                     - evaluation of sensitivity of the
                       application based upon risk analysis
                     - determination of security specifications
                     - design review and systems test
                       performance (ensure required safeguards
                       are operationally adequate)
                     - systems certification and accreditation
                     - acquisition
                 (d) Contingency Planning/Disaster Recovery
                     - contingency plan components
                     - agency response procedures and
                       continuity of operations
                     - team member responsibilities in 
                       responding to an emergency situation
                     - guidelines for determining critical and
                       essential workload
                     - determination of backup requirements
                     - development of procedures for off-site 
                     - development of plans for recovery  
                       actions after a disruptive event
                     - development of plans for recovery  
                       actions after a disruptive event
                     - emergency destruction procedures 
        g.  NSTISS POLICIES AND PROCEDURES (Performance Level)
  Instructional Content               Behavioral Outcomes
- List and describe:                - Playing the role of either
  specific technological, policy,    a system penetrator or
  and educational solutions          system protector, the
  for NSTISS.                         student will discover
                                      points of exploitation
- List and describe:                 and apply appropriate
  elements of vulnerability and      countermeasures in an 
  threat that exist in an AIS/       instructor-supplied
  telecommunications system with     description of an Agency
  corresponding protection           AIS/telecommunications
  measures.                          system.
            (1)  Topical Content
                 (a) Physical Security Measures
                     - building construction
                     - alarms
                     - information systems centers
                     - communications centers
                     - shielding
                     - cabling
                     - filtered power
                     - physical access control systems (key
                       locks and alarms)
                     - stand-alone systems and peripherals
                     - environmental controls (humidity and air
                     - fire safety controls
                     - storage area controls
                     - power controls (regulator, uninterrupted
                       power service (UPS), and emergency
                       poweroff switch)
                     - protected distributed systems
                 (b) Personnel Security Practices and
                     - position sensitivity
                     - employee clearances
                     - access authorization/verification
                     - security training and awareness (initial
                       and refresher)
                     - systems maintenance personnel
                     - contractors
                 (c) Software Security
                     - configuration management
                       - programming standards and controls
                       - documentation  
                       - change controls
                     - software security mechanisms to protect 
                       - segregation of duties
                       - concept of least privilege
                       - identification and authentication
                       - access privileges
                       - internal labeling
                       - application security features
                       - audit trails and logging
                       - operating systems security features
                       - need-to-know controls
                       - malicious logic protection
                      - assurance

                 (d) Network Security
                     - public vs private
                     - dial-up vs dedicated
                     - privileges (class, nodes)
                     - traffic analysis   
                     - end-to-end access control
     (e) Administrative Security Procedural
         - external marking of media    
         - destruction of media
         - sanitization of media
         - construction, changing, issuing and
           deleting passwords
         - transportation of media
         - reporting of computer misuse or abuse
         - preparation of security plans
         - emergency destruction
         - media downgrade and declassification
         - copyright protection and licensing
         - documentation, logs and journals
         - attribution
         - repudiation
     (f) Auditing and Monitoring
         - effectiveness of security programs
         - conducting security reviews  
         - verification, validation, testing, and
           evaluation processes
         - monitoring systems for accuracy and
         - investigation of security breaches
         - review of audit trails and logs
         - review of software design standards   
         - review of accountability controls
         - privacy

     (g) Cryptosecurity
         - encryption/decryption method, procedure,
         - cryptovariable or key
         - electronic key management system
     (h) Key Management
         - identify and inventory COMSEC material
         - access, control and storage of COMSEC
         - report COMSEC incidents
         - destruction procedures for COMSEC
         - key management protocols (bundling,
           electronic key, over-the-air rekeying)
                   (i) Transmission Security
                       - frequency hopping
                       - masking
                       - directional signals 
                       - burst transmission
                       - optical systems
                       - spread spectrum transmission
                       - covert channel control (crosstalk)
                       - dial back
                       - line authentication
                       - line-of-sight
                       - low power
                       - screening
                       - jamming
                       - protected wireline
                   (j) TEMPEST Security
                       - shielding
                       - grounding
                       - attenuation
                       - banding
                       - filtered power
                       - cabling
                       - zone of control/zoning  
                       - TEMPEST separation