Strategic Security Intelligence

NSTSSI Security Education Standards


Top - Help

Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved

1.         Maintain a plan for site security improvements and progress towards meeting the

           a.    Facilities

                 (1)      Planning

                          E    - cite significance of facilities planning in INFOSEC;
                          E    - identify issues that need to be addressed in facilities plan; make
                                 suggestions for enhancement to plan;  and
                          I    - review facility plan and make suggestions for upgrades and modifications
                                 to enhance INFOSEC posture;
                 (2)      Management

                          E    - list basic principles of facility management; and
                          I    - ensure the plan is implemented as planned.

                 (3)      Housekeeping 

                          E  - list general procedures in facility, e.g., standard operating procedures
                                 (SOP), access roster, etc.;
                          I    - develop the SOP, maintain the access roster.

                  (4)     Data Processing Center (DPC) Security

                          E    - list unique security requirements above and beyond general facility
                                 management for DPCs.

           b.    INFOSEC Program Planning

                 E       - describe the overall program to users and managers;
                 E       - prepare input to the overall security plan;
                 I       - prepare the plan;
                 I       - present the plan to management and users; and
                 I       - propose changes to the plan.                                 
                 (1)      Procedures

                          E    - describe the policy, etc. to users and managers;
                          E    - identify potential flaws in policy, etc., and initiate corrective actions;
                          E    - provide periodic reports to managers with status and recommendations;
                          I    - write the procedures as required;
                          I    - design the procedures and test them; and
                          I    - modify procedures as required.
                 (2)      Contingency Plans
       E     - prepare input to contingency plan;
       E     -  write the contingency plan;
       E     - identify items for which plans must be developed; and
       I     - modify the contingency plan to reflect changes.

(3)    Continuity Plans
       E     - prepare input to continuity plan;
       E     - write the continuity plan;
       E     - identify items for which plans must be developed; and
       I     - modify the contingency plan reflecting changes.

(4)    Emergency Destruction Procedures (EDP)

       E     - explain the EDP to those who execute the plans; 
       E     - ensure executors of EDP plans are trained in environmental and safety
       I     - demonstrate the EDP to users and managers; and
       I     - integrate EDP into overall plans.

(5)    Network Monitoring

       E     - list capabilities, limitations, and data available from network monitors;
       E  - identify networks to be monitored including times and amount/types of
              data to be collected;
       E     - ensure laws, for instance, warning banners in place, are followed;
       I     - determine the need to monitor suspicious activity; start the monitoring
              process; and
       I     - justify to management the need for the detailed monitoring.
(6)    Password Management
       E  - list the underlying password management principles explaining the need
              for password management;   
       E  - issue passwords to users; ensure that passwords are chosen in accordance
              with policy; disable accounts when necessary;   
       E  - address questions or concerns of users and managers; and
       I     - develop local policies and procedures for password management in
              accordance with higher level policies, etc.

       (a) Password Sharing
       E     - inform users they are not to share passwords and the consequences of
              doing so (explain the potential criminal penalties involved);
       I     - identify abuses, e.g., who is sharing passwords or files; and
       I     - propose methods to share files without sharing passwords.                        

       (b) Password Choosing

       E     - describe to users how to choose appropriate passwords, and how/why to
              protect them;
       I     - enforce good selection of passwords in accordance with password
              management practices, and also notify user/managers of violations for
              appropriate action; and

                     I    - provide examples of good and bad passwords as an awareness activity.
            (7 )     Rules-based Access Controls (RBAC)

                     E    - defin  e RBAC;
                     I    - integrate the access controls into the appropriate operating plans,
                            procedures, etc.; and
                     I    - ensure the access controls are properly and correctly installed in
                            accordance with the security policy.

            (8)      Protection from Malicious Code

                     E    - describe malicious code and outline the various types of malicious code;
                     E    - describe techniques for protection from malicious code to users, and
                            provide examples (real and theoretical);
                     E    - report suspected or actual occurrences of malicious code and initiate
                            corrective actions as appropriate;
                     I    - propose methods and policies to combat introduction of malicious code
                            into a site; and
                     I    - integrate protection techniques into the system and into policies.
      c.    Administrative Security

            E       - outline the components of administrative security;
            E       - prepare input to the administrative security plan for which he/she is
            E       - implement parts of plan for which he/she is responsible;
            E       - report to management on variations from the plan and suggest improvements to
                     the plan;
            I       - modify the administrative security plan in accordance with higher level policies;
            I       - enforce the plan.