NSTISSI Security Education Standards
ANNEX A
INFOSEC PERFORMANCE STANDARD FOR THE ISSO
(ENTRY, INTERMEDIATE & ADVANCED LEVELS)
Job functions using competencies identified in:
DoD 5200.28-M, Automated Data Processing Security Manual
NCSC-TG-027, Version 1, A Guide To Understanding Information System Security Officer
Responsibilities for Automated Information Systems
DCID 1-16, Security Policy for Uniform Protection of Intelligence Processed in Automated
Information Systems and Networks
The INFOSEC functions of an ISSO are:
(1) maintaining a plan for site security improvements and progress towards meeting
the accreditation;
(2) ensuring the IS is operated, used, maintained, and disposed of in accordance
with security policies and practices;
(3) ensuring the IS is accredited and certified if it processes sensitive information;
(4) ensuring users and system support personnel have the required security
clearances, authorization and need-to-know; are indoctrinated; and are familiar
with internal security practices before access to the IS is granted;
(5) enforcing security policies and safeguards on all personnel having access to the
IS for which the ISSO is responsible;
(6) ensuring audit trails are reviewed periodically (e.g., weekly, daily), and audit
records are archived for future reference, if required;
(7) initiating protective or corrective measures;
(8) reporting security incidents in accordance with agency-specific policy, such as
DOD 5200.1-R, to the designated approving authority (DAA) when an IS is
compromised;
(9) reporting the security status of an IS, as required by the DAA; and
(10) evaluating known vulnerabilities to ascertain if additional safeguards are
needed.
Terminal Objective:
ENTRY LEVEL: Given a series of hypothetical system security breaches, the ISSO will identify
system vulnerabilities and recommend security solutions required to return the systems to
operational level of trust.
INTERMEDIATE LEVEL: Given a proposed new system architecture requirement, the ISSO will
investigate and document system security technology, policy and training requirements to assure
system operation at a specified level of trust.
ADVANCED LEVEL: Given a proposed IS accreditation action, the ISSO will analyze and
evaluate the system security technology, policy, and training requirements in support of DAA
approval to operate the system at a specified level of trust. This analysis will include a description
of the management/technology team required to successfully complete the accreditation process.
List of performance items under job functions
E = entry level
I = intermediate level
A = advanced level
In each of the competency areas listed below by job function, the ISSO shall perform the following
functions at the levels indicated: