NSTSSI Security Education Standards
4. Ensure users and system support personnel have the required security clearances,
authorization, and need-to-know, are indoctrinated, and are familiar with internal security
practices before access to the IS is granted
a. Personnel
(1) Position Sensitivity
E - identify sensitive positions; and
I - justify sensitive positions.
(2) Disgruntled Employees
E - identify characteristics of disgruntled employees; and
I - monitor access of identified disgruntled employees.
(3) Separation of Duties
A - direct the separation of duties of personnel in accordance with established
policies and procedures.
(4) Security Staffing Requirement
E - monitor staffing requirements; and
A - direct security staffing.
(5) Background Investigations
A - monitor background investigations of personnel assigned.
(6) Termination Process
I - identify the requirement for termination of an employee's access to a
system; and
A - comply with established policies and procedures when terminating the
employee's access to an IS.
b. Policy & Procedures
(1) Emergency Destruction
A - develop policies and procedures for the destruction of hardware, software,
and firmware under emergency conditions.
(2) Access Control Policy (ACP)
I - report non-compliance with ACP; and
A - develop access control policies.
(3) Organizational Placement of IS/Information Technology (IT) Security Functions
I - monitor and report IS/IT security functions and report on effectiveness.
(4) Disposition of Classified Information
I - dispose of classified hardware and software in accordance with written
instructions; and
A - develop procedures for disposing of classified hardware, software and
firmware.
c. Education, Training, & Awareness
(1) Security Awareness
I - use and present security awareness materials; and
A - develop security awareness materials for IS users.
(2) Security Training
I - present security training to IS users;
I - monitor security training of all IS users; and
A - develop security training materials.
(3) Security Education
I - present security education to IS users/managers;
I - monitor security education of all IS users; and
A - develop/design IS education programs.
d. General Information
(1) Organization Culture
I - monitor the organization's culture and its effect on the security of an IS.
(2) Basic/Generic Management Issues
I - identify basic management issues and their impact on an IS security
program.
e. Operations
(1) Account Administration
E - establish user accounts in accordance with policy;
I - develop security policy for account administration; and
A - conduct oversight for account administration.
(2) Intrusion Detection
E - test operability of physical intrusion detection systems.
(3) Backups
E - outline security policy for backup procedures;
I - review backup policy; and
A - enforce compliance with backup policy.
(4) Password Management
E - issue passwords;
I - enforce control and use of passwords in accordance with policy,
procedures and requirements; and
A - develop password management policy.