NSTSSI Security Education Standards
10. Evaluate known vulnerabilities to ascertain if additional safeguards are needed (risk
management)
a. Threats
E - define threats.
(1) Human Threats
E - describe how people can threaten a system's security;
E - describe types of human threats to a system (insider, outsider, hacker,
unauthorized user);
I - identify suspicious activity on a system;
A - propose/develop countermeasures to identified threats;
E - describe how industrial espionage can impact the security of an IS; and
E - describe how international espionage can impact the security of an IS.
(2) Environmental/Natural Threats
E - describe the threat from electronic emanations;
E - identify appropriate TEMPEST authorities;
E - describe the threat from floods;
I - identify flood countermeasures;
E - describe the threat from fire;
I - identify fire-related countermeasures;
E - describe the threat from earthquake;
I - identify earthquake-related countermeasures;
E - describe the types of environmental controls (air conditioning, filtered
power, etc.); and
I - monitor the impact of environmental controls on systems operations.
(3) Technological Threats (Commercial Off-The-Shelf (COTS), Development,
Maintenance)
E - define technological threats;
I - identify the sources of technological threats: hardware, software
(operating systems, applications, malicious code), firmware, networks
(local area networks, wide area networks, metropolitan area networks, and
direct connect);
I - describe countermeasures to known threats/vulnerabilities; and
I - propose new countermeasures to threats/vulnerabilities.
(4) Security Reviews
E - describe how security reviews can be used to identify threats to an IS.
b. Vulnerability Analysis
E - describe vulnerability analysis;
E - assist in the performance of vulnerability analysis;
I - conduct/perform vulnerability analysis;
A - analyze the results of a vulnerability analysis;
A - recommend fixes for deficiencies identified by the vulnerability analysis; and
A - recommend approval/rejection to the DAA of a system based on vulnerability
analysis.
c. Countermeasures
E - describe how countermeasures can reduce the impact of threats.
(1) Evaluated Products
E - define evaluated products/Evaluated Products List (EPL);
E - know how to use evaluated products;
I - integrate evaluated products into a system; and
A - recommend evaluated products for use in a system.
(2) Technical Surveillance Countermeasures
E - describe technical surveillance countermeasures;
I - monitor technical surveillance;
A - recommend starting/stopping surveillance to the DAA; and
A - develop procedures for performing surveillance.
(3) Disaster Recovery
E - define disaster recovery;
E - describe the need for disaster recovery;
I - review disaster recovery plans; and
I - review results of annual tests of recovery plans.
(4) Third Party Evaluation
E - describe how third party evaluations can be used as a countermeasure;
I - interpret results of third party evaluations; and
A - recommend acceptance or rejection of system based on third party
evaluation to the DAA.
(5) Security Reviews
E - discuss how security reviews can be used as a countermeasure;
I - conduct annual security reviews;
I - develop plans for annual security reviews;
A - interpret results of annual security reviews;
A - recommend changes to appropriate authorities; and
A - develop policies for conducting security reviews.
(6) Cost/Benefit Analysis
E - define cost/benefit analysis;
I - conduct cost/benefit analysis procedures; and
A - recommend changes to the DAA based on results of a cost/benefit
analysis.
(7) Security Policies & Procedures
E - describe how effective security policies and procedures can reduce threats
to an IS;
E - identify security policy-making bodies;
I - write local guidance; and
A - interpret policy and procedures.
d. Risks
E - define risk and residual risk (threat and vulnerability pairs).
(1) Risk Assessment
E - define risk assessment; and
I - describe the risk assessment process to include:
(a) risk assessment
E - define information criticality; and
I - estimate information criticality.
(b) information states
E - describe the three states of information.
(c) information valuation
E - define information valuation; and
I - estimate information valuation.
I - conduct risk assessments;
I - write risk assessment reports;
A - develop policy and procedures for conducting a risk assessment;
A - coordinate resources to perform a risk assessment; and
A - interpret results of a risk assessment.
(2) Risk Acceptance
E - define risk acceptance;
I - describe the risk acceptance process;
A - recommend actions to management based on risk acceptance; and
A - recommend accreditation of a system to the DAA based on risk
assessment.