 NSTSSI Security Education Standards |
| NSTSSI Security Education Standards |
SECTION V - TRAINING STANDARD
13. Using a comprehensive model of information systems
security, the curriculum is intended to provide two levels of
knowledge:
a. Awareness Level. Creates a sensitivity to the
threats and vulnerabilities of national security information
systems, and a recognition of the need to protect data, infor-
mation and the means of processing them; and builds a working
knowledge of principles and practices in INFOSEC.
b. Performance Level. Provides the employee with the
skill or ability to design, execute, or evaluate agency INFOSEC
security procedures and practices. This level of understanding
will ensure that employees are able to apply security concepts
while performing their tasks.
14. The program of instruction, as outlined below, shall
encompass scope, suggested sequence, and content.
a. COMMUNICATIONS BASICS (Awareness Level)
Instructional Content Behavioral Outcomes
- Introduce the evolution of - Outline chronology of
modern communications systems. communications systems and
development.
- Describe vehicles of - Match features of trans-
transmission. mission to descriptors
(e.g., signal type, speed
production characteristics,
etc.)
(1) Topical Content
(a) Historical vs Current Methodology
(b) Capabilities and limitations of various
communications systems
- microwave
- line of sight
- satellite
- radio frequency (e.g., bandwidth)
- asynchronous vs synchronous
- dedicated line
- digital vs analog
- public switched network
(1) Topical Content
(a) Historical vs Current Methodology
b. AUTOMATED INFORMATION SYSTEMS (AIS) BASICS
(Awareness Level)
Instructional Content Behavioral Outcomes
- Provide language of an AIS. - Define terms in an AIS.
- Describe an AIS environment - Define functions performed.
by an AIS.
- Providing an overview of - Describe interrelationship
hardware, software, firmware among AIS components.
components of an AIS, to
integrate into information
systems security aspects/
behaviors discussed later.
(1) Topical Content
(a) Historical vs Current Technology
(b) Hardware
(b) Hardware
- distributed vs stand-alone
- micro, mini, mainframe processors
- storage devices
- components (e.g., input, output, central
processing unit (CPU))
(c) Software
- operating system
- applications
(d) Memory
- sequential
- random
- volatile vs nonvolatile
(e) Media
- magnetic remanence
- optical remanence
(f) Networks
- topology
- sharing of data
- sharing of devices
- file servers
- modems
- asynchronous vs synchronous
- switching
c. SECURITY BASICS (Awareness Level)
Instructional Content Behavioral Outcomes
- Using the Comprehensive Model - The student will list and
of Information Systems Security describe the elements of
(contained in the Annex to AIS security.
this instruction), introduce
a comprehensive model of - The student will summarize
information systems security security disciplines used
that addresses: in protecting government
automated information
- critical characteristics systems.
of information
- information states, and - Student will give examples
- security measures. of determinants of criti-
cal information.
(1) Topical Content
(a) INFOSEC Overview
- threats
- vulnerabilities
- critical information characteristics
- confidentiality
- integrity
- availability
- information states
- transmission
- storage
- processing
- security countermeasures
- technology
- policy, procedures and practices
- education, training and awareness
(b) Operations Security (OPSEC)
- OPSEC process
- INFOSEC and OPSEC interdependency
- unclassified indicators
- OPSEC surveys/OPSEC planning
(c) Information Security
- policy
- roles and responsibilities
- application dependent guidance
(d) INFOSEC
- cryptography
- strength (e.g., complexity, secrecy,
characteristics of the key)
- encryption (e.g., point-to-point,
network, link)
- key management (to include electronic
key)
- transmission security
- emanations security
- physical, personnel and administrative
security
- computer security
- identification and authentication
- access control
- audit
- object reuse
d. NSTISS BASICS (Awareness Level)
Instructional Content Behavioral Outcomes
- Describe components (with - Outline national NSTISS
examples to include: national Policies.
policy, threats and vulner-
abilities, countermeasures, - Cite examples of threats
risk management, systems and vulnerabilities of an
lifecycle management, trust, AIS.
modes of operation, roles of
organizational units, facets - Give examples of Agency
of NSTISS. implementation of NSTISS
policy, practices and
procedures.
(1) Topical Content
(a) National Policy and Guidance
- AIS security
- communications security
- protection of information
- employee accountability for
agency information
(b) Threats to and Vulnerabilities of Systems
- definition of terms (e.g., threats,
vulnerabilities, risk)
- major categories of threats (e.g.,
fraud, Hostile Intelligence Service
- major categories of threats (e.g.,
fraud, Hostile Intelligence Service
(HOIS), malicious logic, hackers,
environmental and technological hazards,
disgruntled employees, careless
employees, HUMINT, and monitoring)
- threat impact areas
(c) Legal Elements
- fraud, waste and abuse
- criminal prosecution
- evidence collection and preservation
- investigative authorities
(d) Countermeasures
- cover and deception
- HUMINT
- monitoring (e.g., data, line)
- technical surveillance countermeasures
- education, training, and awareness
- assessments (e.g., surveys, inspections)
(e) Concepts of Risk Management
- threat and vulnerability assessment
- cost/benefit analysis of controls
- implementation of cost-effective
controls
- implementation of cost-effective
controls
- consequences (e.g., corrective action,
risk assessment)
- monitoring the efficiency and effective-
ness
of controls (e.g., unauthorized or
inadvertent disclosure of information)
(f) Concepts of System Life Cycle Management
- requirements definition (e.g.,
architecture)
- development
- demonstration and validation (testing)
- implementation
- security (e.g., certification and
accreditation)
- operations and maintenance (e.g.,
configuration management)
(g) Concepts of Trust
- policy
- mechanism
- assurance
(h) Modes of Operation
- dedicated
- system-high
- compartmented/partitioned
- multilevel
(i) Roles of Various Organizational Personnel
- senior management
- program or functional managers
- system manager and system staff
- telecommunications office and staff
- security office
- COMSEC custodian
- INFOSEC Officer
- information resources management staff
- audit office
- OPSEC managers
- end users
(j) Facets of NSTISS
- protection of areas
- protection of equipment
- protection of passwords
- protection of files and data
- protection against malicious logic
- backup of data and files
- protection of magnetic storage media
- protection of voice communications
- protection of data communications
- protection of keying material
- application of cryptographic systems
- transmission security countermeasures
(e.g., callsigns, frequency, and pattern
- transmission security countermeasures
(e.g., callsigns, frequency, and pattern
forewarning protection)
- reporting security violations
e. SYSTEM OPERATING ENVIRONMENT (Awareness Level)
Instructional Content Behavioral Outcomes
- Outline Agency specific - Summarize Agency AIS
AIS and telecommunications and telecommunications
systems. systems in operation.
- Describe Agency "control points" - Give examples of current
for purchase and maintenance Agency AIS/telecom-
of Agency AIS and telecommuni- munications systems and
cations systems. configurations.
- Review Agency AIS and telecom- - List Agency-level contact
munications security policies. points for AIS and tele-
communications systems
and maintenance.
- Cite appropriate policy
and guidance.
(1) Topical Content
(a) AIS
- hardware
- software
- firmware
(b) Telecommunications Systems
- hardware
- software
(c) Agency Specific Security Policies
- guidance
- roles and responsibilities
- points of contact
(d) Agency Specific AIS and Telecommunications
Policies
- points of contact
- references
f. NSTISS PLANNING AND MANAGEMENT (Performance Level)
Instructional Content Behavioral Outcomes
- Discuss practical performance - Builds a security plan
measures employed in designing that encompasses NSTISS
security measures and programs. components in designing
protection/security for an
- Introduce generic security instructor-supplied
planning guidelines/documents. description of an AIS
telecommunications system.
(1) Topical Content
(a) Security Planning
- directives and procedures for NSTISS
policy
- NSTISS program budget
- NSTISS program evaluation
- NSTISS training (content and audience
definition)
(b) Risk Management
- information identification
- roles and responsibilities of all the
players in the risk analysis process
- risk analysis and/or vulnerability
assessment components
- risk analysis results evaluation
- corrective actions
- acceptance of risk (accreditation)
(c) Systems Life Cycle Management
- management control process (ensure that
appropriate administrative, physical,
and technical safeguards are incor-
porated into all new applications and
and technical safeguards are incor-
porated into all new applications and
into significant modifications to
existing applications)
- evaluation of sensitivity of the
application based upon risk analysis
- determination of security specifications
- design review and systems test
performance (ensure required safeguards
are operationally adequate)
- systems certification and accreditation
process
- acquisition
(d) Contingency Planning/Disaster Recovery
- contingency plan components
- agency response procedures and
continuity of operations
- team member responsibilities in
responding to an emergency situation
- guidelines for determining critical and
essential workload
- determination of backup requirements
- development of procedures for off-site
processing
- development of plans for recovery
actions after a disruptive event
- development of plans for recovery
actions after a disruptive event
- emergency destruction procedures
g. NSTISS POLICIES AND PROCEDURES (Performance Level)
Instructional Content Behavioral Outcomes
- List and describe: - Playing the role of either
specific technological, policy, a system penetrator or
and educational solutions system protector, the
for NSTISS. student will discover
points of exploitation
- List and describe: and apply appropriate
elements of vulnerability and countermeasures in an
threat that exist in an AIS/ instructor-supplied
telecommunications system with description of an Agency
corresponding protection AIS/telecommunications
measures. system.
(1) Topical Content
(a) Physical Security Measures
- building construction
- alarms
- information systems centers
- communications centers
- shielding
- cabling
- filtered power
- physical access control systems (key
cards,
locks and alarms)
- stand-alone systems and peripherals
- environmental controls (humidity and air
conditioning)
- fire safety controls
- storage area controls
- power controls (regulator, uninterrupted
power service (UPS), and emergency
poweroff switch)
- protected distributed systems
(b) Personnel Security Practices and
Procedures
- position sensitivity
- employee clearances
- access authorization/verification
(need-to-know)
- security training and awareness (initial
and refresher)
- systems maintenance personnel
- contractors
(c) Software Security
- configuration management
- programming standards and controls
- documentation
- change controls
- software security mechanisms to protect
information
- segregation of duties
- concept of least privilege
- identification and authentication
- access privileges
- internal labeling
- application security features
- audit trails and logging
- operating systems security features
- need-to-know controls
- malicious logic protection
- assurance
(d) Network Security
- public vs private
- dial-up vs dedicated
- privileges (class, nodes)
- traffic analysis
- end-to-end access control
(e) Administrative Security Procedural
Controls
- external marking of media
- destruction of media
- sanitization of media
- construction, changing, issuing and
deleting passwords
- transportation of media
- reporting of computer misuse or abuse
- preparation of security plans
- emergency destruction
- media downgrade and declassification
- copyright protection and licensing
- documentation, logs and journals
- attribution
- repudiation
(f) Auditing and Monitoring
- effectiveness of security programs
- conducting security reviews
- verification, validation, testing, and
evaluation processes
- monitoring systems for accuracy and
abnormalities
- investigation of security breaches
- review of audit trails and logs
- review of software design standards
- review of accountability controls
- privacy
(g) Cryptosecurity
- encryption/decryption method, procedure,
algorithm
- cryptovariable or key
- electronic key management system
(h) Key Management
- identify and inventory COMSEC material
- access, control and storage of COMSEC
material
- report COMSEC incidents
- destruction procedures for COMSEC
material
- key management protocols (bundling,
electronic key, over-the-air rekeying)
(i) Transmission Security
- frequency hopping
- masking
- directional signals
- burst transmission
- optical systems
- spread spectrum transmission
- covert channel control (crosstalk)
- dial back
- line authentication
- line-of-sight
- low power
- screening
- jamming
- protected wireline
(j) TEMPEST Security
- shielding
- grounding
- attenuation
- banding
- filtered power
- cabling
- zone of control/zoning
- TEMPEST separation