NSTSSI Security Education Standards
SECTION V - TRAINING STANDARD

13. Using a comprehensive model of information systems security, the curriculum is intended to provide two levels of knowledge:

a. Awareness Level. Creates a sensitivity to the threats and vulnerabilities of national security information systems, and a recognition of the need to protect data, information and the means of processing them; and builds a working knowledge of principles and practices in INFOSEC.

b. Performance Level. Provides the employee with the skill or ability to design, execute, or evaluate agency INFOSEC security procedures and practices. This level of understanding will ensure that employees are able to apply security concepts while performing their tasks.

14. The program of instruction, as outlined below, shall encompass scope, suggested sequence, and content.

a. COMMUNICATIONS BASICS (Awareness Level)

Instructional Content
- Introduce the evolution of modern communications systems.
- Describe vehicles of transmission.

Behavioral Outcomes
- Outline chronology of communications systems and development.
- Match features of transmission to descriptors (e.g., signal type, speed production characteristics, etc.)

(1) Topical Content

(a) Historical vs Current Methodology

(b) Capabilities and limitations of various communications systems
- microwave
- line of sight
- satellite
- radio frequency (e.g., bandwidth)
- asynchronous vs synchronous
- dedicated line
- digital vs analog
- public switched network

b. AUTOMATED INFORMATION SYSTEMS (AIS) BASICS (Awareness Level)

Instructional Content
- Provide language of an AIS.
- Describe an AIS environment.
- Providing an overview of hardware, software, firmware components of an AIS, to integrate into information systems security aspects/behaviors discussed later.

Behavioral Outcomes
- Define terms in an AIS.
- Define functions performed by an AIS.
- Describe interrelationship among AIS components.


(1) Topical Content

(a) Historical vs Current Technology

(b) Hardware
- distributed vs stand-alone
- micro, mini, mainframe processors
- storage devices
- components (e.g., input, output, central processing unit (CPU))

(c) Software
- operating system
- applications

(d) Memory
- sequential
- random
- volatile vs nonvolatile

(e) Media
- magnetic remanence
- optical remanence

(f) Networks
- topology
- sharing of data
- sharing of devices
- file servers
- modems
- asynchronous vs synchronous
- switching

c. SECURITY BASICS (Awareness Level)

Instructional Content
- Using the Comprehensive Model of Information Systems Security (contained in the Annex to this instruction), introduce a comprehensive model of information systems security that addresses:
  - critical characteristics of information
  - information states, and
  - security measures.

Behavioral Outcomes
- The student will list and describe the elements of AIS security.
- The student will summarize security disciplines used in protecting government automated information systems.
- Student will give examples of determinants of critical information.


(1) Topical Content

(a) INFOSEC Overview
- threats
- vulnerabilities
- critical information characteristics
  - confidentiality
  - integrity
  - availability
- information states
  - transmission
  - storage
  - processing
- security countermeasures
  - technology
  - policy, procedures and practices
  - education, training and awareness

(b) Operations Security (OPSEC)
- OPSEC process
- INFOSEC and OPSEC interdependency
- unclassified indicators
- OPSEC surveys/OPSEC planning

(c) Information Security
- policy
- roles and responsibilities
- application dependent guidance

(d) INFOSEC
- cryptography
  - strength (e.g., complexity, secrecy, characteristics of the key)
  - encryption (e.g., point-to-point, network, link)
  - key management (to include electronic key)
- transmission security
- emanations security
- physical, personnel and administrative security
- computer security
  - identification and authentication
  - access control
  - audit
  - object reuse

d. NSTISS BASICS (Awareness Level)

Instructional Content
- Describe components (with examples to include: national policy, threats and vulnerabilities, countermeasures, risk management, systems lifecycle management, trust, modes of operation, roles of organizational units, facets of NSTISS).

Behavioral Outcomes
- Outline national NSTISS Policies.
- Cite examples of threats and vulnerabilities of an AIS.
- Give examples of Agency implementation of NSTISS policy, practices and procedures.


(1) Topical Content

(a) National Policy and Guidance
- AIS security
- communications security
- protection of information
- employee accountability for agency information

(b) Threats to and Vulnerabilities of Systems
- definition of terms (e.g., threats, vulnerabilities, risk)
- major categories of threats (e.g., fraud, Hostile Intelligence Service (HOIS), malicious logic, hackers, environmental and technological hazards, disgruntled employees, careless employees, HUMINT, and monitoring)
- threat impact areas

(c) Legal Elements
- fraud, waste and abuse
- criminal prosecution
- evidence collection and preservation
- investigative authorities

(d) Countermeasures
- cover and deception
- HUMINT
- monitoring (e.g., data, line)
- technical surveillance countermeasures
- education, training, and awareness
- assessments (e.g., surveys, inspections)

(e) Concepts of Risk Management
- threat and vulnerability assessment
- cost/benefit analysis of controls
- implementation of cost-effective controls
- consequences (e.g., corrective action, risk assessment)
- monitoring the efficiency and effectiveness of controls (e.g., unauthorized or inadvertent disclosure of information)

(f) Concepts of System Life Cycle Management
- requirements definition (e.g., architecture)
- development
- demonstration and validation (testing)
- implementation
- security (e.g., certification and accreditation)
- operations and maintenance (e.g., configuration management)

(g) Concepts of Trust
- policy
- mechanism
- assurance

(h) Modes of Operation
- dedicated
- system-high
- compartmented/partitioned
- multilevel

(i) Roles of Various Organizational Personnel
- senior management
- program or functional managers
- system manager and system staff
- telecommunications office and staff
- security office
- COMSEC custodian
- INFOSEC Officer
- information resources management staff
- audit office
- OPSEC managers
- end users

(j) Facets of NSTISS
- protection of areas
- protection of equipment
- protection of passwords
- protection of files and data
- protection against malicious logic
- backup of data and files
- protection of magnetic storage media
- protection of voice communications
- protection of data communications
- protection of keying material
- application of cryptographic systems
- transmission security countermeasures (e.g., callsigns, frequency, and pattern forewarning protection)
- reporting security violations

e. SYSTEM OPERATING ENVIRONMENT (Awareness Level)

Instructional Content
- Outline Agency specific AIS and telecommunications systems.
- Describe Agency "control points" for purchase and maintenance of Agency AIS and telecommunications systems.
- Review Agency AIS and telecommunications security policies.

Behavioral Outcomes
- Summarize Agency AIS and telecommunications systems in operation.
- Give examples of current Agency AIS/telecommunications systems and configurations.
- List Agency-level contact points for AIS and telecommunications systems and maintenance.
- Cite appropriate policy and guidance.

(1) Topical Content

(a) AIS
- hardware
- software
- firmware

(b) Telecommunications Systems
- hardware
- software

(c) Agency Specific Security Policies
- guidance
- roles and responsibilities
- points of contact

(d) Agency Specific AIS and Telecommunications Policies
- points of contact
- references

f. NSTISS PLANNING AND MANAGEMENT (Performance Level)

Instructional Content
- Discuss practical performance measures employed in designing security measures and programs.
- Introduce generic security planning guidelines/documents.

Behavioral Outcomes
- Builds a security plan that encompasses NSTISS components in designing protection/security for an instructor-supplied description of an AIS telecommunications system.


(1) Topical Content

(a) Security Planning
- directives and procedures for NSTISS policy
- NSTISS program budget
- NSTISS program evaluation
- NSTISS training (content and audience definition)

(b) Risk Management
- information identification
- roles and responsibilities of all the players in the risk analysis process
- risk analysis and/or vulnerability assessment components
- risk analysis results evaluation
- corrective actions
- acceptance of risk (accreditation)

(c) Systems Life Cycle Management
- management control process (ensure that appropriate administrative, physical, and technical safeguards are incorporated into all new applications and into significant modifications to existing applications)
- evaluation of sensitivity of the application based upon risk analysis
- determination of security specifications
- design review and systems test performance (ensure required safeguards are operationally adequate)
- systems certification and accreditation process
- acquisition

(d) Contingency Planning/Disaster Recovery
- contingency plan components
- agency response procedures and continuity of operations
- team member responsibilities in responding to an emergency situation
- guidelines for determining critical and essential workload
- determination of backup requirements
- development of procedures for off-site processing
- development of plans for recovery actions after a disruptive event
- emergency destruction procedures

g. NSTISS POLICIES AND PROCEDURES (Performance Level)

Instructional Content
- List and describe: specific technological, policy, and educational solutions for NSTISS.
- List and describe: elements of vulnerability and threat that exist in an AIS/telecommunications system with corresponding protection measures.

Behavioral Outcomes
- Playing the role of either a system penetrator or system protector, the student will discover points of exploitation and apply appropriate countermeasures in an instructor-supplied description of an Agency AIS/telecommunications system.

(1) Topical Content

(a) Physical Security Measures
- building construction
- alarms
- information systems centers
- communications centers
- shielding
- cabling
- filtered power
- physical access control systems (key cards, locks and alarms)
- stand-alone systems and peripherals
- environmental controls (humidity and air conditioning)
- fire safety controls
- storage area controls
- power controls (regulator, uninterrupted power service (UPS), and emergency poweroff switch)
- protected distributed systems

(b) Personnel Security Practices and Procedures
- position sensitivity
- employee clearances
- access authorization/verification (need-to-know)
- security training and awareness (initial and refresher)
- systems maintenance personnel
- contractors

(c) Software Security
- configuration management
- programming standards and controls
- documentation
- change controls
- software security mechanisms to protect information
- segregation of duties
- concept of least privilege
- identification and authentication
- access privileges
- internal labeling
- application security features
- audit trails and logging
- operating systems security features
- need-to-know controls
- malicious logic protection
- assurance

(d) Network Security
- public vs private
- dial-up vs dedicated
- privileges (class, nodes)
- traffic analysis
- end-to-end access control

(e) Administrative Security Procedural Controls
- external marking of media
- destruction of media
- sanitization of media
- construction, changing, issuing and deleting passwords
- transportation of media
- reporting of computer misuse or abuse
- preparation of security plans
- emergency destruction
- media downgrade and declassification
- copyright protection and licensing
- documentation, logs and journals
- attribution
- repudiation

(f) Auditing and Monitoring
- effectiveness of security programs
- conducting security reviews
- verification, validation, testing, and evaluation processes
- monitoring systems for accuracy and abnormalities
- investigation of security breaches
- review of audit trails and logs
- review of software design standards
- review of accountability controls
- privacy

(g) Cryptosecurity
- encryption/decryption method, procedure, algorithm
- cryptovariable or key
- electronic key management system

(h) Key Management
- identify and inventory COMSEC material
- access, control and storage of COMSEC material
- report COMSEC incidents
- destruction procedures for COMSEC material
- key management protocols (bundling, electronic key, over-the-air rekeying)

(i) Transmission Security
- frequency hopping
- masking
- directional signals
- burst transmission
- optical systems
- spread spectrum transmission
- covert channel control (crosstalk)
- dial back
- line authentication
- line-of-sight
- low power
- screening
- jamming
- protected wireline

(j) TEMPEST Security
- shielding
- grounding
- attenuation
- banding
- filtered power
- cabling
- zone of control/zoning
- TEMPEST separation