NSTISSI Security Education Standards
4. Ensure users and system support personnel have the required security clearances, authorization, and need-to-know, are indoctrinated, and are familiar with internal security practices before access to the IS is granted.

a. Personnel

(1) Position Sensitivity
E - identify sensitive positions; and
I - justify sensitive positions.

(2) Disgruntled Employees
E - identify characteristics of disgruntled employees; and
I - monitor access of identified disgruntled employees.

(3) Separation of Duties
A - direct the separation of duties of personnel in accordance with established policies and procedures.

(4) Security Staffing Requirement
E - monitor staffing requirements; and
A - direct security staffing.

(5) Background Investigations
A - monitor background investigations of personnel assigned.

(6) Termination Process
I - identify the requirement for termination of an employee's access to a system; and
A - comply with established policies and procedures when terminating the employee's access to an IS.

b. Policy & Procedures

(1) Emergency Destruction
A - develop policies and procedures for the destruction of hardware, software, and firmware under emergency conditions.

(2) Access Control Policy (ACP)
I - report non-compliance with the ACP; and
A - develop access control policies.

(3) Organizational Placement of IS/Information Technology (IT) Security Functions
I - monitor IS/IT security functions and report on their effectiveness.

(4) Disposition of Classified Information
I - dispose of classified hardware and software in accordance with written instructions; and
A - develop procedures for disposing of classified hardware, software, and firmware.

c. Education, Training, & Awareness

(1) Security Awareness
I - use and present security awareness materials; and
A - develop security awareness materials for IS users.

(2) Security Training
I - present security training to IS users;
I - monitor security training of all IS users; and
A - develop security training materials.

(3) Security Education
I - present security education to IS users/managers;
I - monitor security education of all IS users; and
A - develop/design IS education programs.

d. General Information

(1) Organization Culture
I - monitor the organization's culture and its effect on the security of an IS.

(2) Basic/Generic Management Issues
I - identify basic management issues and their impact on an IS security program.

e. Operations

(1) Account Administration
E - establish user accounts in accordance with policy;
I - develop security policy for account administration; and
A - conduct oversight of account administration.

(2) Intrusion Detection
E - test operability of physical intrusion detection systems.

(3) Backups
E - outline security policy for backup procedures;
I - review backup policy; and
A - enforce compliance with backup policy.

(4) Password Management
E - issue passwords;
I - enforce control and use of passwords in accordance with policy, procedures, and requirements; and
A - develop password management policy.