NSTSSI Security Education Standards
2. Ensure the IS is operated, used, maintained, and disposed of in accordance with security policies and practices
a. Laws, Regulations, and Other Public Policy
E - outline INFOSEC policy, laws, and regulations, and explain their relevance to users;
E - ensure all system use is in adherence to the policy, etc.;
E - answer questions from users and interpret the rules;
E - implement adherence, remind users of rules;
E - notify management and users of status and violations of the rules;
I - enforce reporting to management of variances from the laws, regulations, etc.; and
I - develop the local policies and procedures based on rules, regulations, etc.
(1) Information Systems Security Policies
E - identify national policies;
E - prepare input to the policies;
E - tell users of the policies, and interpret the policy;
E - report variations from policy;
I - identify areas where policies need to be prepared;
A - interpret policies for unique situations not specifically covered by policy;
A - influence the priority in which policies are developed, and their implementation;
A - review draft policies and procedures from all levels prior to being finalized; and
A - verify policies and procedures are accomplishing their intended goals and supporting the overall security policy.
(a) COMSEC
E - outline basic COMSEC principles;
E - describe uses of COMSEC to users;
E - ensure appropriate COMSEC measures are used;
I - evaluate COMSEC procedures as they apply to a system;
I - integrate COMSEC procedures into the system;
I - report COMSEC violations in accordance with appropriate policy;
I - help users and managers with the interpretation and implementation of COMSEC policies and techniques;
A - verify COMSEC policies are in place and accomplishing the intended goals, and are supporting the overall security policy; and
A - perform independent audits of implementation of COMSEC procedures with respect to policy.
(b) Computer Security (COMPUSEC)
E - outline basic COMPUSEC principles;
E - describe uses of COMPUSEC to users;
E - ensure appropriate COMPUSEC measures are used;
I - evaluate COMPUSEC procedures as they apply to a system;
I - integrate COMPUSEC procedures into the system;
I - report violations in accordance with appropriate policy;
I - help users and managers to understand and implement COMPUSEC policies and procedures;
A - verify policy is in place, is accomplishing the intended goals, and supporting the overall security policy; and
A - perform independent audits of implementation of COMPUSEC procedures with respect to policy.
(c) TEMPEST
E - outline basic TEMPEST principles (including zoning concept);
E - identify the Certified TEMPEST Technical Authority (CTTA);
E - describe the uses of TEMPEST to users;
E - ensure appropriate TEMPEST measures are used;
I - integrate TEMPEST procedures into the system;
I - report violations in accordance with appropriate policy;
I - help users and managers to understand and implement TEMPEST techniques and policies;
A - verify policy is in place, is accomplishing the intended goals, and is supporting the overall security policy; and
A - perform independent audits of implementation of TEMPEST procedures with respect to policy.
(d) Operations Security (OPSEC)
E - describe the OPSEC process;
E - describe the objectives of applying the OPSEC process;
E - compare the five elements of risk management and OPSEC processes;
E - describe the relationship between INFOSEC and OPSEC;
E - explain why OPSEC is applicable to any time-definable, supported, organizational activity occurring in an adversarial or competitive environment;
E - ensure users understand OPSEC is not a security compliance oriented process, and there are no "violations";
I - describe how the OPSEC process is applied, and how IS vulnerabilities are thereby identified;
I - describe the unlimited, "anything that works" nature of countermeasures in the OPSEC repertoire;
A - describe how IS risk is assessed using the OPSEC process; and
A - compare and contrast need for OPSEC with respect to mission and costs.
(e) Technical Security (TECHSEC)
E - outline TECHSEC principles;
E - describe uses of TECHSEC to users;
E - ensure TECHSEC measures are used;
I - evaluate TECHSEC procedures as they apply to the system;
I - integrate TECHSEC procedures into the system;
I - report violations in accordance with appropriate policy;
I - help users and managers to understand and implement TECHSEC techniques and policies;
A - verify policies are in place, are accomplishing the intended goals, and supporting the overall security policy;
A - perform independent audits of implementation of TECHSEC procedures with respect to policy; and
A - discuss need for TECHSEC with respect to mission and costs.
(2) Privacy (Privacy Act of 1974)
E - outline the Act and explain its implications;
E - describe to users the relevance of the Act;
E - ensure there is compliance with the Act;
E - notify management of abuse, and know this is a legal issue with civil and criminal consequences;
I - evaluate whether procedures are in compliance with the Act;
I - distinguish what is covered by the Privacy Act and what is not with respect to release of information;
A - influence users and managers to comply with the Act; and
A - validate that policy conforms to the Privacy Act.
(3) Rainbow Series
E - describe scope and purpose of the Rainbow Series of documents;
E - identify the portions needed to be implemented in the system;
E - describe the significance of the Series;
I - apply the Series in an actual system;
I - integrate underlying principles into the system and into security policy;
A - justify variances with the Series to the appropriate authority; and
A - interpret extensions to the Series to situations not specifically addressed.
(a) Trusted Computer Systems Evaluation Criteria (Orange Book);
(b) Trusted Network Interpretation (Red Book); and
(c) Federal Criterion, Common Criteria, Canadian Criteria, others.
(4) International Security Considerations (ISC)
E - outline ISC;
E - describe international INFOSEC programs; and
A - interpret international requirements as they apply to local systems.
(5) Monitoring (e.g., keystroke, banner)
E - outline keystroke monitoring and the underlying laws and requirements for keystroke banners;
E - describe monitoring to users and managers, including what it is, why it is used, and associated civil and criminal consequences;
E - comply with all the rules, regulations, and laws for monitoring;
I - integrate the underlying national policies into practices and procedures;
I - modify local policies to meet the specific situation;
A - validate implementing procedures are in line with the rules, and are used only in approved situations; and
A - verify activation of the monitoring is in accordance with policy, and is justified by the situation.
(6) Profiles
E - define security profiles and explain their relationship to the Orange Book; and
E - describe to users and managers what security profiles are and how they are used.
b. Standards of Conduct (SOC)
E - provide guidance to users or notify users where they can obtain further assistance regarding standards of conduct; and
I - identify the standards of government conduct to include in policy and procedures.
(1) Ethics
E - define IS security ethics;
E - demonstrate ethical IS practices;
E - describe basic ethical procedures (e.g., software license, plagiarism of software, violations of copyright);
I - ensure all software has a valid license;
I - notify management of infractions and include extent of the problem; and
I - develop policies and procedures for software license management.
(2) Fraud, Waste, & Abuse (FW&A)
E - describe examples of IS FW&A;
E - report to management where IS FW&A is occurring;
E - list corrective measures for IS FW&A;
E - provide basic guidance, and refer detailed questions to legal authority;
I - propose policies and procedures to counter and mitigate IS FW&A; and
I - develop methods to address problems as they arise.
c. Generally Accepted Systems Security Principles
E - answer questions from users and interpret the rules;
E - monitor adherence to the rules and remind users of rules;
E - notify management and users of status and violations of the rules;
I - identify the standards upon which the generally accepted systems security principles (GASSP) are based;
I - integrate the GASSP into standard operating procedures; and
I - develop the policies and procedures to reflect the standards.
d. Access Control Model (ACM)
E - define ACM and explain its relationship to security;
E - describe to users and managers what ACMs are and how they are used;
I - develop the policies and models;
I - identify controls for specific systems;
I - integrate the ACM's principles into the operational systems;
I - enforce the ACM policies;
A - review the policies in effect for effectiveness; and
A - change the underlying policies and procedures when necessary.
e. Access Authorization
E - outline access authorization policies and procedures, and explain their relevance to users;
E - describe to users and managers the following mechanisms, including what they are and how they are used:
- Mandatory Access Controls (MAC),
- Discretionary Access Controls (DAC), and
- Identification & Authentication (I&A);
I - modify MAC tables as necessary;
I - review adequacy of MAC to adhere to security policy goals;
I - design and implement DAC practices to conform with policy;
A - verify DAC practices meet the security model goals;
I - integrate I&A practices into system operations;
I - select specific systems where I&A is to be used; and
I - modify system I&A, in accordance with policy, to accommodate system-unique environment/circumstances.
f. Accountability
E - define who has the responsibility for accountability;
E - describe the accounting process for hardware, software, and information;
E - outline accountability process/program; and
A - validate the assigned responsibilities are commensurate with underlying IS security policies and are appropriately assigned.
(1) Key Management
E - outline national & agency key management policies and procedures, and explain their relevance to users;
E - describe to users and managers what key management is, and how/why it is used;
E - use key management in a system;
I - design specific procedures for the system in line with policies;
I - integrate key management into the overall system and procedures; and
A - resolve conflict with procedures and policies, and variances thereof.
(a) Electronic Key Management System (EKMS)
E - outline EKMS policies and procedures and explain their relevance to users;
E - describe to users and managers what EKMS is, and how/why it is used;
I - use the appropriate EKMS system;
E - demonstrate knowledge of how to operate an EKMS system;
I - prepare the EKMS operating procedures for a system;
I - identify the components of EKMS as it applies to the system on hand; and
A - verify procedures are in line with policy.
(b) Public Key Encryption (PKE)
E - outline PKE national policies and procedures and explain their relevance to users;
E - describe to users and managers what PKE is, and how/why it is used;
I - implement appropriate public key encryption algorithm;
I - describe PKE methodology;
A - evaluate PKE process for a system; and
A - compare differing PKE methodologies.
(c) Key Escrow
E - list national key escrow policies and procedures; and
E - describe to users and managers what key escrow is, and how/why it is used.
(d) COMSEC Custodian
E - list national COMSEC custodian policies and procedures, and explain their relevance to users/COMSEC custodians;
E - explain to users and managers what the COMSEC custodian process is and how it is relevant to them;
E - identify uses for COMSEC material on the system;
E - use services and advice of COMSEC custodian; and
A - review local COMSEC policies and procedures from an INFOSEC security standpoint.
(2) Electronic Records Management
E - outline the electronic records management program and underlying rules; and
E - use records management program and describe any effect on the system.
(a) Records Retention
E - define the electronic records management program and underlying rules; and
E - list uses of record retention and describe effect on the system.
(b) E-Mail
E - describe the local e-mail system and its potential vulnerabilities.
(1) Retention
E - describe retention policies as they apply to the system.
(2) Non-Repudiation
E - describe non-repudiation and its application to the system.
(3) Hardware Asset Management
E - describe the hardware asset management program and how it applies/is used on the system.
(4) Software Asset Management
E - describe the software asset management program and how it applies/is used on the system, with emphasis on license and copyright issues, and cross reference to ethics;
I - enforce policies and procedures;
I - report non-compliance;
I - promote compliance; and
A - develop policies and procedures.