Strategic Security Intelligence


NSTSSI Security Education Standards



Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved


6. PERFORMING CERTIFICATION ANALYSIS

   a. Access Control

      1)  appraise access control privilege assignment;
      2)  appraise access controls defined as appropriate for the IS under review for subjects (e.g., local and remote users and/or processes);
      3)  appraise access controls for objects (e.g., data, information, and applications);
      4)  appraise access controls for privileged users and/or processes;
      5)  appraise management of the access control tables and lists;
      6)  appraise identification and authentication mechanisms which identify users and/or processes;
      7)  appraise the implementation of user privileges and group management assignments;
      8)  appraise managed and default file permission settings and factory settings;
      9)  appraise the effectiveness of password management implemented to enforce policies and procedures;
      10) appraise whether the identification and authentication mechanism can correctly identify users and/or processes;
      11) identify the requirement for discretionary/mandatory access controls (DAC/MAC);
      12) explain to other team members and managers how access privileges are set;
      13) match data ownership and responsibilities with access control rights;
      14) match the requirements for respective access control features with appraised controls implemented;
      15) match the access control requirements with user roles and group management;
      16) determine the security countermeasures to implement effective access control;
      17) verify the contents of the user registry and access control tables;
      18) verify the effectiveness of password management software in enforcing policies and procedures;
      19) identify representative processes which must use an appropriate identification and authentication mechanism;
      20) propose the security test and evaluation plan/procedures and schedule to test and evaluate agreed upon security countermeasures for access control; and
      21) report recommended changes to the implemented access control mechanisms as needed to meet the requirements identified in the access control policies.

   b. Audits

      1)  appraise the system's ability to produce viable, inclusive audit data for review and analysis (e.g., selection capabilities for review of audit information);
      2)  appraise the alert capabilities provided by audit/intrusion detection tools;
      3)  verify the criteria for generating alerts provided by audit/intrusion detection tools;
      4)  appraise the availability of audits including recovery from permanent storage;
      5)  appraise the identification of anomalies which indicate successful violation/bypass of security capabilities;
      6)  appraise the inherent audit capabilities and the proposed implementation;
      7)  appraise the processes for analyzing audit information;
      8)  appraise the report generation capability;
      9)  appraise the use of audit information to identify attempts to violate/bypass the proper operation of system security capabilities;
      10) appraise the use of audit information to validate the proper operation of automated system security capabilities;
      11) identify the audit elements and capabilities available on the system being evaluated;
      12) identify the audit event characteristics and their granularity (i.e., type of event, success/failure, date/time stamp, user ID);
      13) summarize the data which supports trend analysis;
      14) verify that the audit elements capture information that meets specified security requirements;
      15) verify that the audit log overflow policy is correctly implemented;
      16) verify that audit procedures exist to implement the policy (i.e., data reviews, audit retention and protection, response to alerts, etc.);
      17) verify that audit processes support interpretation of the audit data;
      18) verify that the audit retention capability meets the system security requirements;
      19) verify that protections are in place to prevent the audit trails from being modified by any means, including direct edits of media or memory;
      20) report the audit collection requirements to meet a stated authorization policy;
      21) report any alternative means to satisfy the audit collection requirements;
      22) propose aperiodic security test and evaluation plans and procedures to test and evaluate agreed upon audit functionality and events;
      23) verify that system resources are sufficient to log all required events;
      24) interpret the audit policy to be implemented (to include which events are to be recorded, what action should occur when the log fills, how long audits are to be retained, etc.);
      25) determine the impact of audit requirements on the system operation requirements; and
      26) appraise the capabilities of the add-on audit analysis and intrusion detection tools that are implemented.

   c. Applications Security

      1)  appraise the effectiveness of applications security mechanisms and their interactions with other systems and network security mechanisms;
      2)  differentiate between the operating system and application system security features; and
      3)  propose security test and evaluation plans and procedures to test and evaluate agreed upon security countermeasures provided by application security mechanisms.

   d. Confidentiality, Integrity and Availability (CIA)

      1)  explain the stated system requirements for confidentiality, integrity, and availability in the system design/SSAA documentation;
      2)  appraise the network architecture and what security mechanisms are used to enforce the CIA security policy; and
      3)  appraise the network security posture in light of the CONOPS and the abilities of the expected users and system administrators.

   e. Countermeasures

      1)  appraise the requirements for additional countermeasures based on the security policy being implemented (e.g., routers, firewalls, guards, intrusion detection devices);
      2)  study the security countermeasures documented in the SSAA; and
      3)  propose security test and evaluation plans and procedures to test and evaluate agreed upon security countermeasures documented in the SSAA.

   f. Documentation

      1)  identify the documentation of security-related function parameters, defaults and settings;
      2)  report the review of the documentation, noting the adequacy of detail; and
      3)  identify the deficiencies in the system documentation, whether they be missing documents or inadequate detail in the existing documentation.

   g. Network Security

      1)  appraise the network connectivity policy and the proposed implementation for connection;
      2)  appraise the security requirements for interconnectivity with other systems/networks;
      3)  verify that formal approvals have been granted for other systems and networks for which interconnectivity is sought;
      4)  appraise the security attributes of both the data and users accessing the connected system to determine whether additional security requirements result; and
      5)  propose security test and evaluation plans and procedures to test and evaluate agreed upon security countermeasures for network connectivity.

   h. Maintenance Procedures

      appraise the proposed system maintenance and upgrade procedures to ensure that they comply with configuration management procedures (e.g., remote software updates).

   i. Operating System Security

      1)  appraise the documentation and system configuration of security function defaults and settings, ensuring that all inappropriate factory defaults have been changed;
      2)  appraise how the system handles error conditions;
      3)  appraise the system recovery capability during loss of power situations;
      4)  assess and report any variance between documented and actually installed software and operating systems;
      5)  propose security test and evaluation plan/procedures to test and evaluate agreed upon security countermeasures enforced by the operating system;
      6)  verify that capabilities are employed to enforce the protection of the operating system by preventing programs or users from writing over system areas;
      7)  verify that protections are in place to prevent configuration files and pointers that can run in a supervisory state from unauthorized access or unauthorized modifications, deletions, etc.; and
      8)  verify that protections are in place to prevent the operating system kernel from being modified by any process, program or individual except through an approved organizational configuration management procedure.

   j. Vulnerabilities

      identify vulnerabilities inherent to the system's specific operating system, applications, and network configuration.

   k. Contingency Operations

      1)  appraise whether the disaster recovery mechanism adequately addresses the needs of the site;
      2)  appraise whether the plan sufficiently protects the security of the information and the investment made in life-cycle security processes;
      3)  match the requirements for disaster recovery/continuity of operation with mission requirements; and
      4)  match the requirements for emergency destruction procedures with mission requirements.