NSTSSI Security Education Standards
2. Ensure the IS is operated, used, maintained, and disposed of in accordance with security policies and practices

  a. Laws, Regulations, and Other Public Policy
     E - outline INFOSEC policy, laws, and regulations, and explain their relevance to users;
     E - ensure all system use is in adherence to the policy, etc.;
     E - answer questions from users and interpret the rules;
     E - implement adherence, remind users of rules;
     E - notify management and users of status and violations of the rules;
     I - enforce reporting to management of variances from the laws, regulations, etc.; and
     I - develop the local policies and procedures based on rules, regulations, etc.

    (1) Information Systems Security Policies
        E - identify national policies;
        E - prepare input to the policies;
        E - tell users of the policies, and interpret the policy;
        E - report variations from policy;
        I - identify areas where policies need to be prepared;
        A - interpret policies for unique situations not specifically covered by policy;
        A - influence the priority in which policies are developed, and their implementation;
        A - review draft policies and procedures from all levels prior to being finalized; and
        A - verify policies and procedures are accomplishing their intended goals and supporting the overall security policy.

      (a) COMSEC
          E - outline basic COMSEC principles;
          E - describe uses of COMSEC to users;
          E - ensure appropriate COMSEC measures are used;
          I - evaluate COMSEC procedures as they apply to a system;
          I - integrate COMSEC procedures into the system;
          I - report COMSEC violations in accordance with appropriate policy;
          I - help users and managers with the interpretation and implementation of COMSEC policies and techniques;
          A - verify COMSEC policies are in place and accomplishing the intended goals, and are supporting the overall security policy; and
          A - perform independent audits of implementation of COMSEC procedures with respect to policy.

      (b) Computer Security (COMPUSEC)
          E - outline basic COMPUSEC principles;
          E - describe uses of COMPUSEC to users;
          E - ensure appropriate COMPUSEC measures are used;
          I - evaluate COMPUSEC procedures as they apply to a system;
          I - integrate COMPUSEC procedures into the system;
          I - report violations in accordance with appropriate policy;
          I - help users and managers to understand and implement COMPUSEC policies and procedures;
          A - verify policy is in place, is accomplishing the intended goals, and supporting the overall security policy; and
          A - perform independent audits of implementation of COMPUSEC procedures with respect to policy.

      (c) TEMPEST
          E - outline basic TEMPEST principles (including zoning concept);
          E - identify the Certified TEMPEST Technical Authority (CTTA);
          E - describe the uses of TEMPEST to users;
          E - ensure appropriate TEMPEST measures are used;
          I - integrate TEMPEST procedures into the system;
          I - report violations in accordance with appropriate policy;
          I - help users and managers to understand and implement TEMPEST techniques and policies;
          A - verify policy is in place, is accomplishing the intended goals, and is supporting the overall security policy; and
          A - perform independent audits of implementation of TEMPEST procedures with respect to policy.

      (d) Operations Security (OPSEC)
          E - describe the OPSEC process;
          E - describe the objectives of applying the OPSEC process;
          E - compare the five elements of risk management and OPSEC processes;
          E - describe the relationship between INFOSEC and OPSEC;
          E - explain why OPSEC is applicable to any time-definable, supported, organizational activity occurring in an adversarial or competitive environment;
          E - ensure users understand OPSEC is not a security compliance oriented process, and there are no "violations";
          I - describe how the OPSEC process is applied, and how IS vulnerabilities are thereby identified;
          I - describe the unlimited, "anything that works" nature of countermeasures in the OPSEC repertoire;
          A - describe how IS risk is assessed using the OPSEC process; and
          A - compare and contrast need for OPSEC with respect to mission and costs.

      (e) Technical Security (TECHSEC)
          E - outline TECHSEC principles;
          E - describe uses of TECHSEC to users;
          E - ensure TECHSEC measures are used;
          I - evaluate TECHSEC procedures as they apply to the system;
          I - integrate TECHSEC procedures into the system;
          I - report violations in accordance with appropriate policy;
          I - help users and managers to understand and implement TECHSEC techniques and policies;
          A - verify policies are in place, are accomplishing the intended goals, and supporting the overall security policy;
          A - perform independent audits of implementation of TECHSEC procedures with respect to policy; and
          A - discuss need for TECHSEC with respect to mission and costs.

    (2) Privacy (Privacy Act of 1974)
        E - outline the Act and explain its implications;
        E - describe to users the relevance of the Act;
        E - ensure there is compliance with the Act;
        E - notify management of abuse, and know this is a legal issue with civil and criminal consequences;
        I - evaluate whether procedures are in compliance with the Act;
        I - distinguish what is covered by the Privacy Act and what is not with respect to release of information;
        A - influence users and managers to comply with the Act; and
        A - validate that policy conforms to the Privacy Act.

    (3) Rainbow Series
        E - describe scope and purpose of the Rainbow Series of documents;
        E - identify the portions needed to be implemented in the system;
        E - describe the significance of the Series;
        I - apply the Series in an actual system;
        I - integrate underlying principles into the system and into security policy;
        A - justify variances with the Series to the appropriate authority; and
        A - interpret extensions to the Series to situations not specifically addressed.

      (a) Trusted Computer Systems Evaluation Criteria (Orange Book);
      (b) Trusted Network Interpretation (Red Book); and
      (c) Federal Criterion, Common Criteria, Canadian Criteria, others.

    (4) International Security Considerations (ISC)
        E - outline ISC;
        E - describe international INFOSEC programs; and
        A - interpret international requirements as they apply to local systems.

    (5) Monitoring (e.g., keystroke, banner)
        E - outline keystroke monitoring and the underlying laws and requirements for keystroke banners;
        E - describe monitoring to users and managers, including what it is, why it is used, and associated civil and criminal consequences;
        E - comply with all the rules, regulations, and laws for monitoring;
        I - integrate the underlying national policies into practices and procedures;
        I - modify local policies to meet the specific situation;
        A - validate implementing procedures are in line with the rules, and are used only in approved situations; and
        A - verify activation of the monitoring is in accordance with policy, and is justified by the situation.

    (6) Profiles
        E - define security profiles and explain their relationship to the Orange Book; and
        E - describe to users and managers what security profiles are and how they are used.

  b. Standards of Conduct (SOC)
     E - provide guidance to users or notify users where they can obtain further assistance regarding standards of conduct; and
     I - identify the standards of government conduct to include in policy and procedures.

    (1) Ethics
        E - define IS security ethics;
        E - demonstrate ethical IS practices;
        E - describe basic ethical procedures (e.g., software license, plagiarism of software, violations of copyright);
        I - ensure all software has a valid license;
        I - notify management of infractions and include extent of the problem; and
        I - develop policies and procedures for software license management.

    (2) Fraud, Waste, & Abuse (FW&A)
        E - describe examples of IS FW&A;
        E - report to management where IS FW&A is occurring;
        E - list corrective measures for IS FW&A;
        E - provide basic guidance, and refer detailed questions to legal authority;
        I - propose policies and procedures to counter and mitigate IS FW&A; and
        I - develop methods to address problems as they arise.

  c. Generally Accepted Systems Security Principles
     E - answer questions from users and interpret the rules;
     E - monitor adherence to the rules and remind users of rules;
     E - notify management and users of status and violations of the rules;
     I - identify the standards upon which the generally accepted systems security principles (GASSP) are based;
     I - integrate the GASSP into standard operating procedures; and
     I - develop the policies and procedures to reflect the standards.

  d. Access Control Model (ACM)
     E - define ACM and explain its relationship to security;
     E - describe to users and managers what ACMs are and how they are used;
     I - develop the policies and models;
     I - identify controls for specific systems;
     I - integrate the ACM's principles into the operational systems;
     I - enforce the ACM policies;
     A - review the policies in effect for effectiveness; and
     A - change the underlying policies and procedures when necessary.

  e. Access Authorization
     E - outline access authorization policies and procedures, and explain their relevance to users;
     E - describe to users and managers the following mechanisms, including what they are and how they are used:
         - Mandatory Access Controls (MAC),
         - Discretionary Access Controls (DAC), and
         - Identification & Authentication (I&A);
     I - modify MAC tables as necessary;
     I - review adequacy of MAC to adhere to security policy goals;
     I - design and implement DAC practices to conform with policy;
     A - verify DAC practices meet the security model goals;
     I - integrate I&A practices into system operations;
     I - select specific systems where I&A is to be used; and
     I - modify system I&A, in accordance with policy, to accommodate system-unique environment/circumstances.

  f. Accountability
     E - define who has the responsibility for accountability;
     E - describe the accounting process for hardware, software, and information;
     E - outline accountability process/program; and
     A - validate the assigned responsibilities are commensurate with underlying IS security policies and are appropriately assigned.

    (1) Key Management
        E - outline national & agency key management policies and procedures, and explain their relevance to users;
        E - describe to users and managers what key management is, and how/why it is used;
        E - use key management in a system;
        I - design specific procedures for the system in line with policies;
        I - integrate key management into the overall system and procedures; and
        A - resolve conflict with procedures and policies, and variances thereof.

      (a) Electronic Key Management System (EKMS)
          E - outline EKMS policies and procedures and explain their relevance to users;
          E - describe to users and managers what EKMS is, and how/why it is used;
          I - use the appropriate EKMS system;
          E - demonstrate knowledge of how to operate an EKMS system;
          I - prepare the EKMS operating procedures for a system;
          I - identify the components of EKMS as it applies to the system on hand; and
          A - verify procedures are in line with policy.

      (b) Public Key Encryption (PKE)
          E - outline PKE national policies and procedures and explain their relevance to users;
          E - describe to users and managers what PKE is, and how/why it is used;
          I - implement appropriate public key encryption algorithm;
          I - describe PKE methodology;
          A - evaluate PKE process for a system; and
          A - compare differing PKE methodologies.

      (c) Key Escrow
          E - list national key escrow policies and procedures; and
          E - describe to users and managers what key escrow is, and how/why it is used.

      (d) COMSEC Custodian
          E - list national COMSEC custodian policies and procedures, and explain their relevance to users/COMSEC custodians;
          E - explain to users and managers what the COMSEC custodian process is and how it is relevant to them;
          E - identify uses for COMSEC material on the system;
          E - use services and advice of COMSEC custodian; and
          A - review local COMSEC policies and procedures from an INFOSEC security standpoint.

    (2) Electronic Records Management
        E - outline the electronic records management program and underlying rules; and
        E - use records management program and describe any effect on the system.

      (a) Records Retention
          E - define the electronic records management program and underlying rules; and
          E - list uses of record retention and describe effect on the system.

      (b) E-Mail
          E - describe the local e-mail system and its potential vulnerabilities.

        (1) Retention
            E - describe retention policies as they apply to the system.

        (2) Non-Repudiation
            E - describe non-repudiation and its application to the system.

    (3) Hardware Asset Management
        E - describe the hardware asset management program and how it applies/is used on the system.

    (4) Software Asset Management
        E - describe the software asset management program and how it applies/is used on the system with emphasis on license and copyright issues, and cross reference to ethics;
        I - enforce policies and procedures;
        I - report non-compliance;
        I - promote compliance; and
        A - develop policies and procedures.