Strategic Security Intelligence


NSTSSI Security Education Standards



Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved


1.         Maintain a plan for site security improvements and progress towards meeting the
accreditation


           a.    Facilities

                    
                 (1)      Planning


                          E    - cite significance of facilities planning in INFOSEC;
                          E    - identify issues that need to be addressed in facilities plan; make
                                 suggestions for enhancement to plan;  and
                          I    - review facility plan and make suggestions for upgrades and modifications
                                 to enhance INFOSEC posture;
                                                                                        
                 (2)      Management
       

                          E    - list basic principles of facility management; and
                          I    - ensure the plan is implemented as planned.

      
                 (3)      Housekeeping 


                          E    - list general procedures in facility, e.g., standard operating procedures
                                 (SOP), access roster, etc.;
                          I    - develop the SOP, maintain the access roster.


                  (4)     Data Processing Center (DPC) Security


                          E    - list unique security requirements above and beyond general facility
                                 management for DPCs.
                    

           b.    INFOSEC Program Planning


                 E       - describe the overall program to users and managers;
                 E       - prepare input to the overall security plan;
                 I       - prepare the plan;
                 I       - present the plan to management and users; and
                 I       - propose changes to the plan.                                 
                 
                 (1)      Procedures


                          E    - describe the policy, etc. to users and managers;
                          E    - identify potential flaws in policy, etc., and initiate corrective actions;
                          E    - provide periodic reports to managers with status and recommendations;
                          I    - write the procedures as required;
                          I    - design the procedures and test them; and
                          I    - modify procedures as required.
                          
                                 
                 (2)      Contingency Plans


                          E    - prepare input to contingency plan;
                          E    - write the contingency plan;
                          E    - identify items for which plans must be developed; and
                          I    - modify the contingency plan to reflect changes.
            
                 

                 (3)      Continuity Plans


                          E    - prepare input to continuity plan;
                          E    - write the continuity plan;
                          E    - identify items for which plans must be developed; and
                          I    - modify the contingency plan reflecting changes.


                 (4)      Emergency Destruction Procedures (EDP)


                          E    - explain the EDP to those who execute the plans;
                          E    - ensure executors of EDP plans are trained in environmental and safety
                                 issues;
                          I    - demonstrate the EDP to users and managers; and
                          I    - integrate EDP into overall plans.

                                                                                                
                 (5)      Network Monitoring


                          E    - list capabilities, limitations, and data available from network monitors;
                          E    - identify networks to be monitored including times and amount/types of
                                 data to be collected;
                          E    - ensure laws are followed, for instance, that warning banners are in place;
                          I    - determine the need to monitor suspicious activity; start the monitoring
                                 process; and
                          I    - justify to management the need for the detailed monitoring.
            
                 
                 (6)      Password Management


                          E    - list the underlying password management principles explaining the need
                                 for password management;
                          E    - issue passwords to users; ensure that passwords are chosen in accordance
                                 with policy; disable accounts when necessary;
                          E    - address questions or concerns of users and managers; and
                          I    - develop local policies and procedures for password management in
                                 accordance with higher level policies, etc.
                          

                          (a)      Password Sharing


                                   E    - inform users they are not to share passwords and the consequences of
                                          doing so (explain the potential criminal penalties involved);
                                   I    - identify abuses, e.g., who is sharing passwords or files; and
                                   I    - propose methods to share files without sharing passwords.


                          (b)      Password Choosing


                                   E    - describe to users how to choose appropriate passwords, and how/why to
                                          protect them;
                                   I    - enforce good selection of passwords in accordance with password
                                          management practices, and also notify user/managers of violations for
                                          appropriate action; and
                                   I    - provide examples of good and bad passwords as an awareness activity.
              
                          
                 (7)      Rules-based Access Controls (RBAC)


                          E    - define RBAC;
                          I    - integrate the access controls into the appropriate operating plans,
                                 procedures, etc.; and
                          I    - ensure the access controls are properly and correctly installed in
                                 accordance with the security policy.


                 (8)      Protection from Malicious Code


                          E    - describe malicious code and outline the various types of malicious code;
                          E    - describe techniques for protection from malicious code to users, and
                                 provide examples (real and theoretical);
                          E    - report suspected or actual occurrences of malicious code and initiate
                                 corrective actions as appropriate;
                          I    - propose methods and policies to combat introduction of malicious code
                                 into a site; and
                          I    - integrate protection techniques into the system and into policies.
                 
                                                   
           c.    Administrative Security


                 E       - outline the components of administrative security;
                 E       - prepare input to the administrative security plan for which he/she is
                           responsible;
                 E       - implement parts of plan for which he/she is responsible;
                 E       - report to management on variations from the plan and suggest improvements to
                           the plan;
                 I       - modify the administrative security plan in accordance with higher level policies;
                           and
                 I       - enforce the plan.