Strategic Security Intelligence

NSTSSI Security Education Standards


Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved

10.    Evaluate known vulnerabilities to ascertain if additional safeguards are needed (risk  
       a.    Threats

             E      - define threats.
             (1)     Human Threats
                     E    - describe how people can threaten a system's security;
                     E    - describe types of human threats to a system (insider, outsider, hacker,
                           unauthorized user);
                     I    - identify suspicious activity on a system;
                     A    - propose/develop countermeasures to identified threats;
                     E    - describe how industrial espionage can impact the security of an IS; and
              E    - describe how international espionage can impact the security of an IS.

      (2)     Environmental/Natural Threats
              E    - describe the threat from electronic emanations;
              E    - identify appropriate TEMPEST authorities;
              E    - describe the threat from floods;
              I    - identify flood countermeasures;
              E    - describe the threat from fire;
              I    - identify fire-related countermeasures;                  
              E    - describe the threat from earthquake;
              I    - identify earthquake-related countermeasures;
              E    - describe the types of environmental controls (air conditioning, filtered
                    power, etc.); and
              I    - monitor the impact of environmental controls on systems operations.
      (3)     Technological Threats (Commercial Off-The-Shelf (COTS), Development, 

              E    - define technological threats;
              I    - identify the sources of technological threats:  hardware, software
                    (operating systems, applications, malicious code), firmware, networks
                    (local area networks, wide area networks, metropolitan area networks, and
                    direct connect);
              I    - describe countermeasures to known threats/vulnerabilities; and
              I    - propose new countermeasures to threats/vulnerabilities.
      (4)     Security Reviews

              E    - describe how security reviews can be used to identify threats to an IS.
b.    Vulnerability Analysis
      E      - describe vulnerability analysis;
      E      - assist in the performance of vulnerability analysis;          
      I      - conduct/perform vulnerability analysis;   
      A      - analyze the results of a vulnerability analysis;  
      A      - recommend fixes for deficiencies identified by the vulnerability analysis; and
      A      - recommend approval/rejection to the DAA of a system based on vulnerability
c.    Countermeasures
      E      - describe how countermeasures can reduce the impact of threats.
      (1)     Evaluated Products
              E    - define evaluated products/Evaluated Products List (EPL);
              E    - know how to use evaluated products;
              I    - integrate evaluated products into a system; and
              A    - recommend evaluated products for use in a system.

      (2)     Technical Surveillance Countermeasures
             E    - describe technical surveillance countermeasures;
             I    - monitor technical surveillance;
             A    - recommend starting/stopping surveillance to the DAA; and
             A    - develop procedures for performing surveillance.

    (3)      Disaster Recovery

             E    - define disaster recovery;
             E    - describe the need for disaster recovery;
             I    - review disaster recovery plans; and
             I    - review results of annual tests of recovery plans.
    (4)      Third Party Evaluation
             E    - describe how third party evaluations can be used as a countermeasure;
             I    - interpret results of third party evaluations; and
             A    - recommend acceptance or rejection of system based on third party
                   evaluation to the DAA.
    (5)      Security Reviews
             E    - discuss how security reviews can be used as a countermeasure;
             I    - conduct annual security reviews;
             I    - develop plans for annual security reviews;
             A    - interpret results of annual security reviews;
             A    - recommend changes to appropriate authorities; and
             A    - develop policies for conducting security reviews.
    (6)      Cost/Benefit Analysis

             E    - define cost/benefit analysis;
             I    - conduct cost/benefit analysis procedures; and
             A    - recommend changes to the DAA based on results of a cost/benefit
    (7)      Security Policies & Procedures
             E    - describe how effective security policies and procedures can reduce threats
                   to an IS;
             E    - identify security policy-making bodies;
             I    - write local guidance; and
             A    - interpret policy and procedures.
d. Risks                                      
    E       - define risk and residual risk (threat and vulnerability pairs).
    (1)      Risk Assessment
             E    - define risk assessment; and
             I    - describe the risk assessment process to include:
       (a)     risk assessment
               E    - define information criticality; and  
               I    - estimate information criticality.
       (b)     information states

               E    - describe the three states of information.
       (c)     information valuation

               E    - define information valuation; and
               I    - estimate information valuation.
               I    - conduct risk assessments;
               I    - write risk assessment reports;
               A    - develop policy and procedures for conducting a risk assessment;
               A    - coordinate resources to perform a risk assessment; and
               A    - interpret results of a risk assessment.
(2)    Risk Acceptance
       E      - define risk acceptance;
       I      - describe the risk acceptance process;
       A      - recommend actions to management based on risk acceptance; and
       A      - recommend accreditation of a system to the DAA based on risk