NSTSSI Security Education Standards
8. DEVELOPING RECOMMENDATION TO DAA

a. Access Control Policies
   1) explain the access control policies as implemented in the current system to the DAA;
   2) define who in the current system has access to information views, who grants the access authorization, and the parameters which will be used to validate access authorization;
   3) identify the adequacy of the implemented access control mechanisms identified in the access control policy and comment on this in the report;
   4) evaluate the access control mechanisms implemented in accordance with the policy, and include the results of this evaluation in the report; and
   5) recommend changes to the implemented access control mechanisms in the report as needed to meet requirements identified in the access control policies.

b. Administrative Security Policies and Procedures
   1) address all pertinent security policies and procedures not covered under the laws, agency-specific procedures, etc. (NOTE: this review examines these procedures and policies in respect to applicable national laws and governing regulations consistent with security requirements); and
   2) recommend administrative security policies and procedures to limit the impact of system technical security deficiencies.

c. Certification
   1) recommend the conditions upon which an accreditation decision is to be made, including the technical evaluation of security features, as well as other safeguards;
   2) identify the deficiency and alternative safeguards and procedures that could be employed to limit the impact of system deficiency;
   3) recommend the adoption of requirements which were previously unspecified, but which may be crucial to secure deployment and operation of the system; and
   4) report on the comprehensive evaluation of the technical and non-technical security features of the IS and other safeguards, to meet the security and accreditation requirement.

d. Roles and Responsibilities
   1) outline current roles and responsibilities of personnel assigned access to the systems being certified; and
   2) recommend changes to include additions for improving the roles and responsibilities and accountability for personnel with various levels of access to the information systems being certified.

e. Brief and Defend ST&E Results
   1) describe the ST&E results; and
   2) explain and defend the specific findings, including risk analysis/mitigation.

f. Communicate Results of ST&E
   1) render the technical findings into comprehensible language for non-technical managers; and
   2) communicate the results/findings to technical personnel who would be responsible for correcting the findings.

g. Identify Potential Corrective Approaches
   1) identify potential avenues of corrective action;
   2) provide corrective approaches to the DAA as potential mitigating factors, if adopted; and
   3) address the technical aspects of the system to meet the technical security requirements for its intended use and to identify those areas where non-technical means such as procedures; or
   4) restrictions are needed to reduce the risk of operating the system to an acceptable level.

h. Determine Residual Risk
   1) report the findings and the overall level of residual risk in the current system; and
   2) compare and contrast the non-technical and technical test/evaluation results, the impact of any countermeasures, and determine the residual risk.