Strategic Security Intelligence


NSTSSI Security Education Standards


Standards


Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved


       5.      SUPPORTING SYSTEMS DEVELOPMENT

                     
               a. Coordination with Related Disciplines
                

                     1)    explain to the development team and to the accreditor the need for
coordination with related disciplines;
                     2)    perform coordination with the various offices responsible for the related
disciplines; and
                     3)    verify coordination with related security disciplines, e.g., physical,
emanations, personnel, operations, and cryptographic security.
                     

               b. Configuration Control

                                                    
                     1)    appraise current system configuration control;            
                     2)    discuss configuration control with the development team for compliance
with required INFOSEC policy and technology;
                     3)    propose configuration control changes;
                     4)    report the configuration control deficiencies to the developer; and
                     5)    verify that the activities associated with configuration control, i.e., physical
and functional audits, inventory of the hardware and software components, etc., are adequately
documented and performed.

                     
             c.    Information Security Policy
               

                   1)    identify applicable information security policy;
                   2)    explain information security policy to the development team for the secure
operation of the system; and
                   3)    use information security policy to ensure the appropriate secure operation
of the system.

             d. Life-Cycle System Security Planning

                   1)    appraise the life-cycle system security planning proposed by the
development team;
                   2)    assist with the information security planning for life-cycle system security;  
                   3)    explain the life-cycle system security planning to the development team;
                   4)    influence the development team's approach to life-cycle system security
planning; and
                   5)    verify that life-cycle system security planning has been accomplished.

                     
             e.    Parameters of the Certification
                

                   1)    propose alterations to the parameters of the certification process as the
system development progresses and the design is modified;
                   2)    compare the parameters of the certification to those of similar systems or
during parallel certification;
                   3)    determine the parameters of the certification to ensure mission
accomplishment;
                   4)    explain the parameters of the certification to system developers and
maintainers;
                   5)    use the parameters of the certification; and
                   6)    verify adherence to the parameters of the certification.
                   
             f.    Principles and Practices of Information Security

                   1)    understand the principles and practices of information security;
                   2)    identify principles and practices of information security that pertain to the
certification;
                   3)    adhere to recognized principles and practices of information security; and
                   4)    explain the principles and practices of information security that pertain to
the certification to the developers.

             
             g. Network Vulnerabilities
                

                   1)    identify any network vulnerabilities for the system developers and
maintainers;
                   2)    demonstrate to the system developers and maintainers the network
vulnerabilities that are present during the development of the system;
                   3)    evaluate the impact of network vulnerabilities;
                   4)    explain unacceptable network vulnerabilities to the developers;
                   5)    respond to network vulnerabilities by suggesting corrective measures when
possible; and
                   6)    stay current on network vulnerabilities.

             h. Security Engineering

             
                   1)    assist developers and maintainers with system security engineering
principles as required for information security and certification and accreditation;
                   2)    define security engineering principles that are applicable to information
security;
                   3)    explain security engineering principles and practices;
                   4)    review security engineering principles and practices for compliance with
information security policies; and
                   5)    outline best security engineering practices as defined by the National
Information Assurance Partnership (NIAP).
                   
             i.    Access Control Policies


                   1)    be aware of access control policies;
                   2)    evaluate for the developers and maintainers the strengths and weaknesses
of access control policies;
                   3)    explain the need for access control policies;
                   4)    identify to the developers and maintainers access control policies that are
applicable to information security; and
                   5)    recommend access control policy changes that are appropriate for the
system being certified.