NSTSSI Security Education Standards
ANNEX A

INFOSEC PERFORMANCE STANDARD FOR THE ISSO (ENTRY, INTERMEDIATE & ADVANCED LEVELS)

Job functions using competencies identified in:

DoD 5200.28-M, Automated Data Processing Security Manual
NCSC-TG-027, Version 1, A Guide To Understanding Information System Security Officer Responsibilities for Automated Information Systems
DCID 1-16, Security Policy for Uniform Protection of Intelligence Processed in Automated Information Systems and Networks

The INFOSEC functions of an ISSO are:

(1) maintaining a plan for site security improvements and progress towards meeting the accreditation;
(2) ensuring the IS is operated, used, maintained, and disposed of in accordance with security policies and practices;
(3) ensuring the IS is accredited and certified if it processes sensitive information;
(4) ensuring users and system support personnel have the required security clearances, authorization and need-to-know; are indoctrinated; and are familiar with internal security practices before access to the IS is granted;
(5) enforcing security policies and safeguards on all personnel having access to the IS for which the ISSO is responsible;
(6) ensuring audit trails are reviewed periodically (e.g., weekly, daily), and audit records are archived for future reference, if required;
(7) initiating protective or corrective measures;
(8) reporting security incidents in accordance with agency-specific policy, such as DOD 5200.1-R, to the designated approving authority (DAA) when an IS is compromised;
(9) reporting the security status of an IS, as required by the DAA; and
(10) evaluating known vulnerabilities to ascertain if additional safeguards are needed.

Terminal Objective:

ENTRY LEVEL: Given a series of hypothetical system security breaches, the ISSO will identify system vulnerabilities and recommend the security solutions required to return the systems to an operational level of trust.

INTERMEDIATE LEVEL: Given a proposed new system architecture requirement, the ISSO will investigate and document system security technology, policy and training requirements to assure system operation at a specified level of trust.

ADVANCED LEVEL: Given a proposed IS accreditation action, the ISSO will analyze and evaluate the system security technology, policy, and training requirements in support of DAA approval to operate the system at a specified level of trust. This analysis will include a description of the management/technology team required to successfully complete the accreditation process.

List of performance items under job functions

E = entry level
I = intermediate level
A = advanced level

In each of the competency areas listed below by job function, the ISSO shall perform the following functions at the levels indicated: