NSTSSI Security Education Standards
1. GENERAL
a. Security Policy
(1) define local accountability policies;
(2) explain accreditation;
(3) discuss three agency specific security policies;
(4) define assurance;
(5) explain certification policies as related to local requirements;
(6) define local e-mail privacy policies;
(7) describe local security policies relative to electronic records management;
(8) explain security policies relating to ethics;
(9) describe relevant FAX security policies;
(10) discuss the concept of information confidentiality;
(11) identify information ownership of data held under his/her cognizance;
(12) identify information resource owner/custodian;
(13) define local information security policy;
(14) describe information sensitivity in relation to local policies;
(15) discuss integrity concepts;
(16) describe local policies relevant to Internet security;
(17) explain local area network (LAN) security as related to local policies;
(18) define policies relating to marking of sensitive information;
(19) understand fundamental concepts of multilevel security;
(20) describe policies relevant to network security;
(21) define the functional requirements for operating system integrity;
(22) perform operations security (OPSEC) in conformance with local policies;
(23) explain physical security policies;
(24) discuss local policies relating to secure systems operations;
(25) identify appropriate security architecture for use in assigned IS(s);
(26) describe security domains as applicable to local policies;
(27) define local policies relating to separation of duties;
(28) identify systems security standards policies;
(29) identify DoD 5200.28-STD, Trusted Computer System Evaluation Criteria (TCSEC), or Orange Book policies;
(30) identify TEMPEST policies;
(31) define TEMPEST policies;
(32) define validation and testing policies;
(33) identify verification and validation process policies;
(34) define verification and validation process policies;
(35) describe wide area network (WAN) security policies;
(36) use/implement WAN security policies;
(37) describe workstation security policies;
(38) use/implement workstation security policies; and
(39) describe zoning and zone of control policies.
b. Procedures
(1) practice/use facility management procedures;
(2) describe FAX security procedures;
(3) practice/use FAX security procedures;
(4) describe housekeeping procedures;
(5) perform housekeeping procedures;
(6) describe information states procedures;
(7) distinguish among information states procedures;
(8) explain Internet security procedures;
(9) use Internet security procedures;
(10) explain marking of sensitive information procedures (defined in C.F.R. 32 Section 2003, National Security Information - Standard Forms, March 30, 1987);
(11) perform marking of sensitive information procedures (defined in C.F.R. 32 Section 2003, National Security Information - Standard Forms, March 30, 1987);
(12) apply multilevel security;
(13) explain the principles of network security procedures;
(14) use network security procedures;
(15) describe operating system integrity procedures;
(16) perform operating systems security procedures;
(17) assist in local security procedures;
(18) describe purpose and contents of National Computer Security Center TG-005, Trusted Network Interpretation (TNI), or Red Book;
(19) describe secure systems operations procedures;
(20) define TEMPEST procedures;
(21) identify TEMPEST procedures;
(22) identify certified TEMPEST technical authority (CTTA);
(23) describe WAN security procedures;
(24) practice WAN security procedures; and
(25) explain zoning and zone of control procedures.
c. Education, Training, and Awareness
(1) discuss the principal elements of security training;
(2) explain security training procedures;
(3) explain threat in its application to education, training, and awareness;
(4) use awareness materials as part of job;
(5) distinguish between education, training, and awareness;
(6) give examples of security awareness;
(7) give examples of security education;
(8) discuss the objectives of security inspections/reviews; and
(9) identify different types of vulnerabilities.
d. Countermeasures/Safeguards
(1) discuss the different levels of countermeasures/safeguards assurance;
(2) describe e-mail privacy countermeasures/safeguards;
(3) define Internet security;
(4) describe what is meant by countermeasures/safeguards;
(5) describe separation of duties;
(6) define countermeasures/safeguards used to prevent software piracy;
(7) define TEMPEST countermeasures/safeguards; and
(8) explain what is meant by zoning and zone of control.
e. Risk Management
(1) explain ways to provide protection for Internet connections;
(2) describe operating system integrity;
(3) define TEMPEST as it relates to the risk management process;
(4) identify different types of threat;
(5) explain WAN security; and
(6) explain what zoning and zone of control ratings are based on.