
Quality Enhancement Plan (QEP): From These Roots … A Foundation for Life: Mathematics and Financial Literacy

1

CSC 486 Systems Security for Senior Management

Instructor:
Office:
Telephone:
Office Hours:
E-Mail:

Course Description: Develops the knowledge necessary for senior security management to analyze and judge the reported systems for validity and reliability to ensure such systems will operate at a proposed trust level. Topical review and discussion on current trends in the CNSS 4012 standard. Includes grant final approval to operate, grant review accreditation, verify compliance, ensure establishment of security controls, ensure program managers define security in acquisitions, assign responsibilities, define criticality and sensitivity, allocate resources, multiple and joint accreditation, assess network security. Prerequisite: CSC382 or Consent of the Chair.

Course Objectives: This course focuses on teaching and training students to practice the CNSS 4012 standard. After completing the course, students will be able to:

Discuss and explain the procedure of grant final approval to operate.
Discuss and explain the procedure of grant review accreditation.
Verify compliance.
Ensure establishment of security control.
Ensure program managers define security in acquisitions.
Assign responsibilities.
Define criticality and sensitivity.
Allocate resources.
Multiple and joint accreditation.
Assess network security.

Minimum Competencies: Students meeting minimum competencies should expect to receive a grade between 74% and 77%. Minimum competencies for this course are as follows:

Discuss and explain the procedure of grant final approval to operate.
Discuss and explain the procedure of grant review accreditation.
Verify compliance.
Ensure establishment of security control.
Ensure program managers define security in acquisitions.
Assign responsibilities.
Define criticality and sensitivity.
Allocate resources.
Multiple and joint accreditation.
Assess network security.

Course Topics: This course will cover most of the information assurance concepts, including:

Grant final approval to operate. (3 hours)
Grant review accreditation. (6 hours)
Verify compliance. (6 hours)
Ensure establishment of security control. (6 hours)
Ensure program managers define security in acquisitions. (3 hours)
Assign responsibilities. (3 hours)
Define criticality and sensitivity. (1 hour)
Allocate resources. (1 hour)
Multiple and joint accreditation. (1 hour)
Assess network security. (3 hours)
Laboratory. (12 hours)

Mapping to CNSSI 4012 can be found in the course review sheet at the end of this syllabus.

Textbooks:

(Krutz) The CISSP Prep Guide: Mastering the CISSP and ISSEP Exams, 2nd edition, Ronald L. Krutz and Russell Dean Vines, Wiley, 2004.
(Whitman) Principles of Information Security, 2nd edition, Michael E. Whitman & Herbert J. Mattord, Thomson, 2005.
(Pfleeger) Security in Computing, 3rd edition (or the newest), C. P. Pfleeger, S. L. Pfleeger, Prentice Hall, 2003.

Supplemental Materials (SM):

SM-1: NIST SP 800-37: Guide for Security Certification and Accreditation of Federal Information Systems
SM-2: NCSC-TG-029: Introduction to Certification and Accreditation
SM-3: NIST SP 800-12: An Introduction to Computer Security: The NIST Handbook
SM-4: NIST SP 800-30: Risk Management Guide for Information Technology Systems
SM-5: NSTISSI-1000 National Information Assurance Certification and Accreditation Process (NIACAP)
SM-6: NASA Consolidation of Active Directory (NCAD) Compliance Waiver Form
SM-7: NASA Mission Focus Review 137 Non-ODIN Waiver Form
SM-8: NASA Mission Focus Review 137 Non-ODIN Waiver Form
SM-9: DOE-Cyber Security Process Requirements Manual
SM-10: A Model for Information Assurance: An Integrated Approach
SM-11: NIST SP 800-61-rev1 Computer Security Incident Handling Guide
SM-12: Army Regulation 25-2 Information Assurance
SM-13: IETF RFC 3227 Guidelines for Evidence Collection and Archiving
SM-14: Federal Records Act
SM-15: Electronic Records Management Guideline
SM-16: Federal Managers Financial Integrity Act of 1982
SM-17: Federal Property and Administration Service Act
SM-18: OMB-GPEA Implementation of the Government Paper Elimination Act
SM-19: National Archives Act 1986
SM-20: General Federal Records Act
SM-21: Public Law 108-383 National Archives and Records Administration Efficiency Act of 2004


SM-22: The Freedom of Information Act
SM-23: Electronic Freedom of Information Act Amendments of 1996
SM-24: Public Law 107-347
SM-25: Administrative Communications System - US Department of Education
SM-26: GAO-AIMD-12-19-6 Federal Information System Controls Audit Manual
SM-27: Delegation of Authority - signature authorization
SM-28: Guidebook on Delegation of Authority
SM-29: GAO-GGD-96-154 Federal Law Enforcement - Investigative Authority and Personnel at 13 Agencies
SM-30: NIST SP 800-57-Part1 Recommendation for Key Management - Part 1: General (Revised)
SM-31: NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems
SM-32: NIST SP 800-88_rev1 Guide for Media Sanitization
SM-33: NSA/CSS Storage Device Declassification Manual
SM-34: Automated Security Support Tools - The Key to Successful FISMA Implementation
SM-35: NIST CSL Bulletin - Disposition of Sensitive Automated Information
SM-36: NIST SP 800-16 Information Technology Security Training Requirements - A Role and Performance Based Model
SM-37: Security Standard Operating Procedure NO. 04 - Naval Command, Control, and Ocean Surveillance Center
SM-38: NIST SP 800-53-rev2-final Recommended Security Controls for Federal Information Systems
SM-39: NSTISSP NO 11 National Information Assurance Acquisition Policy - Fact Sheet
SM-40: CJCSI 3312-01A Joint Military Intelligence Requirements Certification
SM-41: ESFOR 2004 An Empirical Evaluation of Automated Theorem Provers in Software Certification
SM-42: NIST SP 800-36 Guide to Selecting Information Technology Security Products
SM-43: NIST SP 800-23 Guidelines to Federal Organizations on Security Assurance and Acquisition-Use of Tested-Evaluated Products
SM-44: NISTIR-6985 COTS Security Protection Profile - Operating Systems (CSPP-OS)
SM-45: NIST SP 800-70-DRAFT Security Configuration Checklists Program for IT Products
SM-46: NIST SP 800-64-2 Security Considerations in the Information System Development Life Cycle
SM-47: NIST SP 800-35 Guide to Information Technology Security Services
SM-48: NISTIR 4909 Software Quality Assurance - Documentation and Reviews
SM-49: NAVSO P-5239-04 Information Systems Security Manager (ISSM) Guidebook
SM-50: USAID-General Notice-Policy-Improper Disclosure of Information
SM-51: State of Texas-Department of Information Resources-Information Resources Manager (IRM) Overview
SM-52: USAID-Information Technology Security Roles and Responsibilities
SM-53: Roles and Responsibilities Policy-for Security and Access of UCSC Electronic Information Resources
SM-54: DISA-DOD Application Security and Development-Security Technical Implementation Guide
SM-55: DOD-Final Report of the Defense Science Board-Task Force on Globalization and Security-Dec-1999
SM-56: Memorandum of Agreement (MOA)
SM-57: Memorandum of Agreement between the Secretary of the Interior and the State of Idaho
SM-58: Definition of Memorandum of Understanding (MOU)


SM-59: Memorandum of Understanding
SM-60: Memorandum of Understanding Concerning Cooperation Between the US Securities and Exchange Commission and the US Department of Labor
SM-61: NIST SP 800-13 Telecommunications Security Guidelines for Telecommunications Management Network
SM-62: TEMPEST
SM-63: NSA-TEMPEST-A Signal Problem
SM-64: NSTISSM TEMPEST 2-95
SM-65: Information Leakage from Optical Emanations

Tentative Course Outline: Regular class schedule

Each week lists: Topics; Text chapters (see the 4012 map for the details); Supplemental Materials; Tests / Programs.

Week 1
Topics: 1. Grant Final Approval To Operate
  1.1 Responsibilities: 1.1.1 Aspects of Security; 1.1.2 Accreditation
  1.2 Approval: 1.2.1 Approval to Operate; 1.2.2 Interim Approval to Operate; 1.2.3 Recertification; 1.2.4 System Security Authorization Agreement; 1.2.5 Waive Policy to Continue Operation
Text chapters: Krutz: Ch1, Ch11, Ch14, Appendix D; Whitman: Ch1, Ch10
Supplemental Materials: SM-1, SM-2, SM-3, SM-4, SM-5, SM-6, SM-7, SM-8
Tests / Programs: none

Week 2
Topics: 2. Grant Review Accreditation
  2.1. Threat: 2.1.1. Attack; 2.1.2. Environmental/Natural threats; 2.1.3. Human Threats; 2.1.4. Theft; 2.1.5. Threat; 2.1.6. Threat Analysis; 2.1.7. Threat Assessment
  2.2. Countermeasures: 2.2.1. Education, Training, and Awareness as Countermeasures; 2.2.2. Procedural Countermeasures; 2.2.3. Technical Countermeasures
Text chapters: Krutz: Ch1, Ch2, Ch6, Ch12, Appendix D; Whitman: Ch2, Ch4, Ch5, Ch11
Supplemental Materials: SM-9, SM-10
Tests / Programs: HW-1

Week 3
Topics (continuation of 2. Grant Review Accreditation)
  2.1. Vulnerability: 2.1.1. Vulnerability; 2.1.2. Vulnerability Analysis; 2.1.3. Network Vulnerabilities; 2.1.4. Technical Vulnerabilities
  2.2. Risk Management: 2.2.1. Cost/Benefit Analysis of Information Assurance; 2.2.2. Documentation; 2.2.3. Risk; 2.2.4. Risk Assessment; 2.2.5. Risk Management; 2.2.6. Residual Risk; 2.2.7. Risk Acceptance Process; 2.2.8. Systems Security Authorization Agreement (SSAA)
Text chapters: Krutz: Ch2, Ch4, Ch10; Whitman: Ch2, Ch4, Ch10; Pfleeger: Ch1, Ch7, Ch8
Supplemental Materials: SM-4, SM-5
Tests / Programs: none

Week 4
Topics: Laboratory
Tests / Programs: HW-2

Week 5
Topics: 3. Verify Compliance
  3.1. Laws Related To Information Assurance (IA) And Security: 3.1.1. Copyright Protection and Licensing; 3.1.2. Criminal Prosecution; 3.1.3. Due Diligence; 3.1.4. Evidence Collection and Preservation; 3.1.5. Due Diligence; 3.1.6. Laws Related To Information Assurance and Security; 3.1.7. Legal and Liability Issues; 3.1.8. Ethics
  3.2. Policy Direction: 3.2.1. Access Control Policies; 3.2.2. Administrative Security Policies And Procedures; 3.2.3. Audit Trails and Logging Policies; 3.2.4. Documentation Policies; 3.2.5. Evidence Collection and Preservation Policies; 3.2.6. Information Security Policy; 3.2.7. National Information Assurance (IA) Certification & Accreditation (C&A) Process Policy; 3.2.8. Personnel Security Policies & Guidance
Text chapters: Krutz: Ch1, Ch2, Ch3, Ch6, Ch9, Ch11, Appendix B; Whitman: Ch2, Ch3, Ch4, Ch10, Ch11, Ch12; Pfleeger: Ch1, Ch3, Ch4, Ch8, Ch9
Supplemental Materials: SM-11, SM-12, SM-13, SM-14, SM-15, SM-16, SM-17, SM-18, SM-19, SM-20, SM-21, SM-22, SM-23, SM-24, SM-25, SM-26
Tests / Programs: none

Week 6
Topics (continuation of 3. Verify Compliance)
  3.3. Security Requirements: 3.3.1. Access Authorization; 3.3.2. Auditable Events; 3.3.3. Authentication; 3.3.4. Background Investigations; 3.3.5. Countermeasures; 3.3.6. Delegation of Authority; 3.3.7. Education, Training, and Awareness; 3.3.8. Electronic Records Management; 3.3.9. Electronic-Mail Security; 3.3.10. Information Classification; 3.3.11. Investigative Authorities; 3.3.12. Key Management Infrastructure; 3.3.13. Information Marking; 3.3.14. Non-repudiation; 3.3.15. Public Key Infrastructure (PKI)
Text chapters: Krutz: Ch1, Ch2, Ch3, Ch4, Ch6, Ch9, Appendix B; Whitman: Ch4, Ch5, Ch7, Ch8, Ch11; Pfleeger: Ch1, Ch2, Ch7
Supplemental Materials: SM-3, SM-10, SM-15, SM-25, SM-27, SM-28, SM-29, SM-30, SM-31, SM-32, SM-33
Tests / Programs: HW-3

Week 7
Topics: Laboratory

Week 8
Topics: 4. Ensure Establishment Of Security Controls
  4.1. Administration: 4.1.1. Accountability for Classified/Sensitive Data; 4.1.2. Automated Security Tools; 4.1.3. Backups; 4.1.4. Change Control/Configuration Management; 4.1.5. Declassification/Downgrade of Media; 4.1.6. Destruction/Purging/Sanitization of Classified/Sensitive Information
  4.2. Access: 4.2.1. Access Controls; 4.2.2. Access Privileges; 4.2.3. Discretionary Access Controls; 4.2.4. Mandatory Access Controls; 4.2.5. Biometrics/Biometric Policies; 4.2.6. Separation of Duties; 4.2.7. Need-To-Know Controls
  4.3. Incident Handling And Response: 4.3.1. Emergency Destruction Procedures; 4.3.2. Organizational/Agency Information Assurance Emergency Response Teams
Text chapters: Krutz: Ch1, Ch2, Ch3, Ch6, Appendix B; Whitman: Ch2, Ch4, Ch5, Ch7, Ch11, Ch12; Pfleeger: Ch3, Ch4, Ch5, Ch8
Supplemental Materials: SM-3, SM-11, SM-12, SM-25, SM-26, SM-32, SM-33, SM-34, SM-35, SM-36, SM-37
Tests / Programs: HW-4

Week 9
Topics (continuation of 4. Ensure Establishment Of Security Controls)
  4.4. Continuity Of Operations Planning: 4.4.1. Business Recovery; 4.4.2. Contingency/Continuity of Operations Planning; 4.4.3. Disaster Recovery; 4.4.4. Disaster Recovery Plan; 4.4.5. Incident response policies; 4.4.6. Law enforcement interfaces/policies; 4.4.7. Reconstitution; 4.4.8. Restoration
Text chapters: Krutz: Ch3, Ch8; Whitman: Ch5; Pfleeger: Ch8
Supplemental Materials: SM-11, SM-12, SM-38
Tests / Programs: none

Week 10
Topics: Laboratory
Tests / Programs: HW-5

Week 11
Topics: 5. Ensure Program Managers Define Security In Acquisitions
  5.1. Acquisition: 5.1.1. Certification Test & Evaluation (CT&E); 5.1.2. Certification Tools; 5.1.3. Product Assurance; 5.1.4. Contracting For Security Services; 5.1.5. Disposition of Classified Material; 5.1.6. Facilities Planning; 5.1.7. System Disposition/Reutilization
  5.2. Life Cycle Management: 5.2.1. Life Cycle System Security Planning; 5.2.2. System Security Architecture
Text chapters: Krutz: Ch6, Ch10, Appendix D; Whitman: Ch5
Supplemental Materials: SM-3, SM-25, SM-32, SM-33, SM-35, SM-39, SM-40, SM-41, SM-42, SM-43, SM-44, SM-45, SM-46, SM-47, SM-48
Tests / Programs: none

Week 12
Topics: 6. Assign Responsibilities: 6.1. Certification and Accreditation (C&A); 6.2. Information Ownership; 6.3. System Certifiers and Accreditors; 6.4. Risk Analysts; 6.5. Information System Security Manager (ISSM); 6.6. Information System Security Officer (ISSO)
Text chapters: Krutz: Ch1, Ch11, Appendix B, Appendix D; Whitman: Ch1, Ch10
Supplemental Materials: SM-1, SM-2, SM-3, SM-5, SM-49
Tests / Programs: HW-6

Week 13
Topics: Laboratory

Week 14
Topics: 7. Define Criticality And Sensitivity: 7.1. Aggregation; 7.2. Disclosure of Classified/Sensitive Information
  8. Allocate Resources: 8.1. Resource Roles and Responsibilities; 8.2. Budget/Resource Allocation; 8.3. Business Aspects of Information Security
  9. Multiple And Joint Accreditation: 9.1. Memoranda of Understanding/Agreement (MOU/MOA)
Text chapters: Krutz: Ch2, Ch6, Ch8, Ch12, Appendix D; Whitman: Ch2; Pfleeger: Ch5
Supplemental Materials: SM-36, SM-50, SM-51, SM-52, SM-53, SM-54, SM-55, SM-56, SM-57, SM-58, SM-59, SM-60
Tests / Programs: none

Week 15
Topics: 10. Assess Network Security: 10.1. Connectivity; 10.2. Emissions Security (EMSEC) and TEMPEST; 10.3. Wireless Technology
Text chapters: Krutz: Ch3, Ch9; Whitman: Ch9; Pfleeger: Ch7
Supplemental Materials: SM-3, SM-61, SM-62, SM-63, SM-64, SM-65
Tests / Programs: HW-7

Important Dates:

Exam 1:

Exam 2:

Final Exam:

THE FOLLOWING INFORMATION APPLIES TO ALL STUDENTS IN THE SCHOOL OF SCIENCE:

In addition to the minimum grade requirements established by Hampton University, all majors within the School of Science must pass all required courses offered within the School of Science with a grade of “C” or better in order to satisfy degree requirements. The minimum grade requirement is in effect for all science courses taken during Fall 2001 and beyond.


COURSE ASSIGNMENT AND CALENDAR:

Homework Assignments: There are two types of homework assignments: problems and projects. Both of them will be issued and specified with their due date in Blackboard. Problems will be used to evaluate the understanding of course materials, and projects will be used to evaluate the complexity of algorithms studied in class. All of the projects must be implemented in Java in Unix/Linux environments. Late work will not be accepted and will be counted as zero.

Final Exam: The exam will be given on the date scheduled by the registrar. The exam will be comprehensive. There are no exemptions from the exam.

Attendance: The attendance policy of Hampton University will be observed. You are expected to attend all classes and to arrive on time. Your attendance and participation will be 10% of the final grade. More than 7 absences will constitute a failing grade, regardless of other considerations.

Writing-Across-The-Curriculum: Hampton University adopts the policy in all courses of “writing across the curricula”. In this course, the objectives will be achieved by homework assignments, program comments, and various tests.

The Ethics Paper: Details about the ethics paper will be provided at least one month prior to the due date. The ethics paper will be graded based on the criteria listed in the “Hampton University Scoring Rubric”.

Grades: The final grade of this course will be determined by the combined weight of the following components:

Examinations (2)            20%
Homework (7)                40%
Laboratory (4)              15%
Attendance & participation  10%
Ethics Paper                 5%
Final exam                  10%
---------------------------------
Total                      100%

Course grades will follow the scale of the university grading system:

A+  98-100
A   94-97
A-  90-93
B+  88-89
B   84-87
B-  80-83
C+  78-79
C   74-77
C-  70-73
D+  68-69
D   64-67
D-  60-63
F   Below 60

Make-Up Policy: No make-up tests will be given without previous arrangements, a written medical excuse, or an emergency approved by an appropriate university official.

Policy on Electronic Devices: Any electronic device (e.g. cell phone, PDA, pager, etc.) will be turned off during class. During any test or final, these devices will not be allowed at the test.

Policy on Academic Dishonesty: Please see page 29 of the Student Handbook.

Midterm Evaluation: If an “F” is assigned to a student in the midterm evaluation, F will also be this student’s final grade. Students who fail the midterm evaluation should withdraw from this course before the appropriate date.

Cheating: A student caught cheating on an examination or plagiarizing a paper which forms a part of a course grade shall be given an "F" in the course and will be subject to dismissal from the University. A student is considered to be cheating if, in the opinion of the person administering an examination (written or oral), the student gives, seeks, or receives aid during the process of the examination; the student buys, sells, steals, or otherwise possesses or transmits an examination without authorization; or the student substitutes for another or permits substitution for himself/herself during an examination. All cases of cheating shall be reported by the instructor to the chair of the department in which the cheating occurred, to the school dean/division director and to the Provost.

No penalty shall be imposed until the student has been informed of the charge and of the evidence upon which it is based and has been given an opportunity to present his/her defense. If the faculty member and the student cannot agree on the facts pertaining to the charge, or if the student wishes to appeal a penalty, the issue may be taken to the department chair. Each party will present his/her case to the chair, who shall then call a meeting of all involved parties. If the issue is not resolved at the departmental level, the dean shall conduct a hearing. If the issue is not resolved at the school level, either party may appeal the decision at the school level to the Provost, who shall convene the appropriate individuals and conduct a hearing in order to resolve the issue.

Plagiarism: Plagiarism is defined as "taking and using as one's own the writing or ideas of another." All materials used to meet assigned written requirements of a course, from any source, must be given proper credit by citing the source. A student caught plagiarizing a paper which forms a part of a course grade shall be given an "F" in the course and will be subject to dismissal from the University.

PENALTIES FOR ACADEMIC DISHONESTY

Cases of academic dishonesty are initially investigated and reported by members of the instructional faculty to the chairperson of the department in which the cheating occurred, to the school dean, division director and to the Provost. Also, penalties for minor violations of academic dishonesty are to be recommended at the discretion of the instructor. The penalties for academic dishonesty on examinations and major course requirements may include one of the following:

1. A grade of "F" on the examination or project.
2. A grade of "F" on the examination or project and dismissal from the course.
3. A grade of “F” on the examination or project, dismissal from the course and from the University.

When dismissal from the University is the recommended penalty, the chairman of the department submits the details of the case to the Provost, who schedules a hearing.

ADMINISTRATIVE ACTION

The Provost has the authority to dismiss or expel any student who fails to meet scholarship requirements or to abide by academic regulations.

Dress Code:

This code is based on the theory that learning to select attire appropriate to specific occasions and activities is a critical factor in the total educational process. Understanding and employing the Hampton University Dress Code will improve the quality of one’s life, contribute to optimum morale, and embellish the overall campus image. It also plays a major role in instilling a sense of integrity and an appreciation for values and ethics as students are propelled towards successful careers.

Students will be denied admission to various functions if their manner of dress is inappropriate. On this premise students at Hampton University are expected to dress neatly at all times. The following are examples of appropriate dress for various occasions:

1. Classroom, Cafeteria, Student Union and University Offices – casual attire that is neat and modest.
2. Formal programs in Ogden Hall, the Convocation Center, the Student Center Ballroom, the Little Theater and the Memorial Chapel – event appropriate attire as required by the event announcement.
3. Interviews – Business attire.
4. Social/Recreational activities, Residence hall lounges (during visitation hours) – casual attire that is neat and modest.
5. Balls, Galas, and Cabarets – formal, semi-formal and after five attire, respectively.

Examples of inappropriate dress and/or appearance include but are not limited to:

1. Do-rags, stocking caps, skullcaps and bandannas are prohibited at all times on the campus of Hampton University (except in the privacy of the student’s living quarters).
2. Head coverings and hoods for men in any building.
3. Baseball caps and hoods for women in any building.
   a. This policy item does not apply to headgear considered as a part of religious or cultural dress.
4. Midriffs or halters, mesh, netted shirts, tube tops or cutoff tee shirts in classrooms, cafeteria, Student Union and offices;
5. Bare feet;
6. Short shirts;
7. Shorts, all types of jeans at programs dictating professional or formal attire, such as Musical Arts, Fall Convocation, Founder’s Day, and Commencement;
8. Clothing with derogatory, offensive and/or lewd messages either in words or pictures;
9. Men’s undershirts of any color worn outside of the private living quarters of the residence halls. However, sports jerseys may be worn over a conventional tee-shirt.

Procedure for Cultural or Religious Coverings

1. Students seeking approval to wear headgear as an expression of religious or cultural dress may make a written request for a review through the Office of the Chaplain.
2. The Chaplain will forward his recommendation to the Dean of Students for final approval.
3. Students that are approved will then have their new ID card picture taken by University Police with the headgear being worn.

All administrative, faculty and support staff members will be expected to monitor student behavior applicable to this dress code and report any such disregard or violations to the Offices of the Dean of Men or Dean of Women for the attention of the Dean of Students.

CODE OF CONDUCT

Joining the Hampton Family is an honor and requires each individual to uphold the policies, regulations, and guidelines established for students, faculty, administration, professional and other employees, and the laws of the Commonwealth of Virginia. Each member is required to adhere to and conform to the instructions and guidance of the leadership of his/her respective area. Therefore, the following are expected of each member of the Hampton Family:

1. To respect himself or herself.
2. To respect the dignity, feelings, worth, and values of others.
3. To respect the rights and property of others and to discourage vandalism and theft.
4. To prohibit discrimination, while striving to learn from differences in people, ideas, and opinions.
5. To practice personal, professional, and academic integrity, and to discourage all forms of dishonesty, plagiarism, deceit, and disloyalty to the Code of Conduct.
6. To foster a personal professional work ethic within the Hampton University Family.
7. To foster an open, fair, and caring environment.
8. To be fully responsible for upholding the Hampton University Code.

Students with disabilities which require accommodations should (1) register with the Office of Testing Services and 504 Compliance to provide documentation and (2) bring the necessary information indicating the need for accommodation and what type of accommodation is needed. This should be done during the first week of classes or as soon as the student receives the information. If the instructor is not notified in a timely manner, retroactive accommodations may not be provided.

DISCLAIMER

This syllabus is intended to give the student guidance in what may be covered during the semester and will be followed as closely as possible. However, the professor reserves the right to modify, supplement and make changes as course needs arise.

Hampton University Scoring Rubric

The Hampton University Advisory Council of the Writing Program has approved and recommended the use of the scoring rubric as a guide for evaluating student-writing performance across the curriculum.

Score 6. A paper in this category:
States purpose (e.g., position or thesis) insightfully, clearly and effectively
Provides thorough, significant development with substantial depth and persuasively marshals support for position
Demonstrates a focused, coherent, and logical pattern of organization
Displays a high level of audience awareness
Uses disciplinary facts critically and effectively
Has superior control of diction, sentence structure, and syntactic variety, but may have a few minor flaws in grammar, usage, punctuation, or spelling
Documents sources consistently and correctly using a style appropriate to the discipline

Score 5. A paper in this category:
States purpose (e.g., position or thesis) clearly and effectively
Provides development with some depth and complexity of thought and supports position convincingly
Demonstrates an effective pattern of organization
Displays a clear sense of audience awareness
Uses disciplinary facts effectively
Has good control of diction, sentence structure, and syntactic variety, but may have a few minor errors in grammar, usage, punctuation, or spelling
Documents sources correctly using a style appropriate to the discipline

Score 4. A paper in this category:
States purpose (e.g., position or thesis) adequately
Provides competent development with little evidence of complexity of thought
Demonstrates an adequate pattern of organization
Displays some degree of audience awareness
Uses disciplinary facts adequately
Has adequate control of diction, sentence structure, and syntactic variety, but may have some errors in grammar, usage, punctuation, or spelling
Documents sources adequately using a style appropriate to the discipline

Score 3. A paper in this category:
States purpose (e.g., position or thesis) but with varying degrees of clarity
Provides some development for most ideas
Demonstrates some pattern of organization, but with some lapses from the pattern
Displays uneven audience awareness
Uses some disciplinary facts
Has some control of diction, sentence structure, and syntactic variety, but may have frequent errors in grammar, usage, punctuation, or spelling
Documents sources using a style appropriate to the discipline, but may have errors.

Score 2. A paper in this category:
States purpose (e.g., position or thesis) unclearly
Provides inadequate development of thesis
Demonstrates an inconsistent pattern of organization
Displays very little audience awareness
Uses disciplinary facts ineffectively
Has little control of diction, sentence structure, and syntactic variety, and may have a pattern of errors in grammar, usage, punctuation, or spelling
Acknowledges sources but does not document them using a style appropriate to the discipline

Score 1. A paper in this category:
Fails to state purpose (e.g., position or thesis)
Fails to develop most ideas
Lacks a pattern of organization
Displays no audience awareness
Uses few or no disciplinary facts
Lacks control of diction, sentence structure, and syntactic variety, with a pattern of errors in grammar, usage, punctuation, or spelling
Fails to document or acknowledge sources

Mapping to NSTISSI 4012 Standard

Course Review Sheet for CNSS No. 4012 Standard

Columns of the original sheet: CSC586 (task) | Krutz | Whitman | Pfleeger | Supplemental. Each row below gives the task, its topic number, and the references from the Krutz, Whitman, Pfleeger and Supplemental columns in their original order, separated by semicolons.

FUNCTION ONE - GRANT FINAL ATO
Granting final approval to operate an IS or network in a specified security mode

A. RESPONSIBILITIES

1 Aspects of Security
Explain the importance of SSM role in Information Assurance (IA) | Topic 1.1.1 | Ch1, Pg. 26 (Roles and Responsibilities), Pg. 30 (RM Roles); Ch1, Pg. 28-38 (Security Professionals and Organization)

2 Accreditation
Discuss accreditation | Topic 1.1.2 | Ch11, Pg. 560 (Federal Information Processing Standard (FIPS) 102), Pg. 572 (What is Certification and Accreditation?), Appendix D, Pg. 977 (Implementation Phase - Security Accreditation); Ch10, Pg. 453 (Certification Versus Accreditation); NIST SP 800-37: Guide for Security Certification and Accreditation of Federal Information Systems; NCSC-TG-029: Introduction to Certification and Accreditation
Discuss the certification process leading to successful accreditation | Topic 1.1.2 | Ch11, Pg. 560 (Federal Information Processing Standard (FIPS) 102), Pg. 561 (DoD Information Technology Security Certification and Accreditation Process (DITSCAP)), Pg. 565 (The National Information Assurance Certification and Accreditation Process (NIACAP)), Pg. 567 (Defense Information Assurance Certification and Accreditation Process (DIACAP)); Ch10, Pg. 453-463 (Information System Certification and Accreditation)

Explain the importance of accreditation | Topic 1.1.2 | Ch11, Pg. 560 (Federal Information Processing Standard (FIPS) 102), Pg. 572 (What is Certification and Accreditation), Appendix D, Pg. 977 (Implementation Phase - Security Accreditation); Ch10, Pg. 453-454 (Information System Certification and Accreditation)
Explain types of accreditation | Topic 1.1.2 | Ch11, Pg. 566 (NIACAP Accreditation Types)
Facilitate the certification process leading to successful accreditation | Topic 1.1.2 | Ch11, Pg. 560 (Federal Information Processing Standard (FIPS) 102), Pg. 561 (DoD Information Technology Security Certification and Accreditation Process (DITSCAP)), Pg. 565 (The National Information Assurance Certification and Accreditation Process (NIACAP)), Pg. 567 (Defense Information Assurance Certification and Accreditation Process (DIACAP)); Ch10, Pg. 453-463 (Information System Certification and Accreditation)
Discuss the significance of NSTISSP No. 6 | Topic 1.1.2 | Ch11, Pg. 565-566 (NIACAP and NSTISSP #6)

B. APPROVAL

1 Approval to Operate (ATO)
Explain ATO | Topic 1.2.1 | Ch14, Pg. 647 (Authorization to Operate (ATO)), Pg. 656-657 (DIACAP Accreditation Phases); NIST SP 800-37: Guide for Security Certification and Accreditation of Federal Information Systems
Discuss purpose and contents of ATO | Topic 1.2.1 | Ch14, Pg. 647 (Accreditation Decision), Pg. 656-657 (DIACAP Accreditation Phases)
Explain the importance of risk assessment to support granting an ATO | Topic 1.2.1 | Ch14, Pg. 646 (Final Risk Assessment), Pg. 647 (Accreditation Decision)

2 Interim Approval to Operate
Describe IATO | Topic 1.2.2 | Ch14, Pg. 647 (Interim Authorization to Operate (IATO)), Pg. 656-657 (DIACAP Accreditation Phases)
Explain the purpose and contents of IATO | Topic 1.2.2 | Ch14, Pg. 647 (Accreditation Decision), Pg. 656-657 (DIACAP Accreditation Phases)
Explain the importance of risk assessment to support granting an IATO | Topic 1.2.2 | Ch14, Pg. 646 (Final Risk Assessment), Pg. 647 (Accreditation Decision); NIST SP 800-12: An Introduction to Computer Security: The NIST Handbook; NIST SP 800-30: Risk Management Guide for Information Technology Systems
Facilitate implementation of risk mitigation strategies necessary to obtain IATO | Topic 1.2.2 | Appendix D, Pg. 988-989 (Risk Mitigation), Appendix E, Pg. 1061 (Risk Mitigation)

3 Recertification
Describe recertification | Topic 1.2.3 | Ch11, Pg. 572 (What is Certification and Accreditation?); NCSC-TG-029: Introduction to Certification and Accreditation
Direct the recertification effort | Topic 1.2.3 |
Explain the importance of the recertification process | Topic 1.2.3 |
Identify characteristics of information systems that need recertification | Topic 1.2.3 |
Initiate the recertification effort | Topic 1.2.3 |

4 Systems Security Authorization Agreement (SSAA)

Discuss the Systems Security Authorization Agreement (SSAA) | Topic 1.2.4 | Ch11, Pg. 563 (The System Security Authorization Agreement (SSAA)); Ch10, Pg. 457-459 (NSTISS Instruction-1000: National Information Assurance Certification and Accreditation Process (NIACAP)); NSTISSI-1000 National Information Assurance Certification and Accreditation Process (NIACAP)
Explain the importance of the SSAA | Topic 1.2.4 | Ch11, Pg. 563 (The System Security Authorization Agreement (SSAA)); Ch10, Pg. 457-459 (NSTISS Instruction-1000: National Information Assurance Certification and Accreditation Process (NIACAP))

5 Waive Policy to Continue Operation
Discuss justification for waiver | Topic 1.2.5 | NCSC-TG-029: Introduction to Certification and Accreditation; NASA Consolidation of Active Directory (NCAD) Compliance Waiver Form; NASA Mission Focus Review 137 Non-ODIN Waiver Form
Discuss risk mitigation strategies necessary to obtain waiver | Topic 1.2.5 | Appendix D, Pg. 988-989 (Risk Mitigation), Appendix E, Pg. 1061 (Risk Mitigation); NCSC-TG-029: Introduction to Certification and Accreditation; NIST SP 800-12: An Introduction to Computer Security: The NIST Handbook; NIST SP 800-30: Risk Management Guide for Information Technology Systems; NASA Consolidation of Active Directory (NCAD) Compliance Waiver Form; NASA Mission Focus Review 137 Non-ODIN Waiver Form
Ensure risk assessment supports granting waiver | Topic 1.2.5 | NCSC-TG-029: Introduction to Certification and Accreditation; NASA Consolidation of Active Directory (NCAD) Compliance Waiver Form; NASA Mission Focus Review 137 Non-ODIN Waiver Form

FUNCTION TWO - GRANT REVIEW ACCREDITATION
Reviewing the accreditation documentation to confirm that the residual risk is within acceptable limits for each network and/or IS.

A. THREATS

1 Attacks
Discuss threats/attacks to systems | Topic 2.1.1 | Ch1, Pg. 28 (Terms and Definitions), Ch2, Pg. 61-68 (Access Control Attack), Ch6, Pg. 373 (Threats and Vulnerabilities), Ch12, Pg. 593-596 (Initial Risk Estimation), Appendix D, Pg. 954-956 (Types and Classes of Attack), Appendix D, Pg. 983 (Threat Identification); Ch2, Pg. 40-63 (Threats), Pg. 63-73 (Attacks); Ch1, Pg. 5-6 (Threats, Vulnerabilities, and Controls)
Explain the importance of threats/attacks on systems | Topic 2.1.1 | Ch2, Pg. 61-68 (Access Control Attack), Ch6, Pg. 373 (Threats and Vulnerabilities), Ch12, Pg. 593-596 (Initial Risk Estimation), Appendix D, Pg. 954-956 (Types and Classes of Attack), Appendix D, Pg. 983 (Threat Identification); Ch2, Pg. 40-63 (Threats), Pg. 63-73 (Attacks); Ch1, Pg. 5-6 (Threats, Vulnerabilities, and Controls)

2 Environmental/Natural Threats
Discuss environmental/natural threats | Topic 2.1.2 | Ch12, Pg. 594 (Threat-Source Identification), Appendix D, Pg. 983 (Threat Identification); Ch2, Pg. 59-60 (Forces of Nature); Ch8, Pg. 538-541 (Natural Disasters)

3 Human Threats
Explain the importance of intentional and unintentional human threats | Topic 2.1.3 | Ch6, Pg. 374 (Illegal Computer Operations and Intentional Attacks), Ch12, Pg. 594-596 (Human Threat-Sources), Appendix D, Pg. 983 (Threat Identification); Ch2, Pg. 42-43 (Acts of Human Error or Failure); Ch8, Pg. 541-543 (Human Vandals)

4 Theft
Explain the importance of theft | Topic 2.1.4 | Ch6, Pg. 374 (Illegal Computer Operations and Intentional Attacks); Ch2, Pg. 54 (Deliberate Acts of Theft); Ch8, Pg. 541-543 (Theft)

5 Threat
Explain threat | Topic 2.1.5 | Ch1, Pg. 28 (Terms and Definitions), Ch6, Pg. 373 (Threats and Vulnerabilities), Ch12, Pg. 593-596 (Initial Risk Estimation), Appendix D, Pg. 983 (Threat Identification); Ch2, Pg. 40-63 (Threats); Ch1, Pg. 5-6 (Threats, Vulnerabilities, and Controls)
Explain the importance of organizational threats | Topic 2.1.5 | Ch1, Pg. 28 (Terms and Definitions), Ch6, Pg. 373 (Threats and Vulnerabilities), Ch12, Pg. 593-596 (Initial Risk Estimation), Appendix D, Pg. 983 (Threat Identification); Ch2, Pg. 40-63 (Threats); Ch1, Pg. 5-6 (Threats, Vulnerabilities, and Controls); DOE Cyber Security Process Requirements Manual

6 Threat Analysis
Explain the importance of threat analysis | Topic 2.1.6 | Ch2, Pg. 68-69 (Penetration Testing), Ch12, Pg. 593 (Initial Risk Estimation), Pg. 597 (Threat Likelihood of Occurrence), Pg. 597-600 (Analyzing for Vulnerabilities), Appendix D, Pg. 984 (Control Analysis); Ch7, Pg. 425-428 (Security Threat Analysis)

7 Threat Assessment
Explain the importance of threat assessment | Topic 2.1.6 | Ch12, Pg. 593 (Initial Risk Estimation); Ch4, Pg. 133-134 (Identify and Prioritize Threats); Ch7, Pg. 425-428 (Security Threat Analysis)

B. COUNTERMEASURES

1 Education, Training, and Awareness as Countermeasures
Explain the importance of education, training, and awareness as countermeasures | Topic 2.2.1 | Ch1, Pg. 42-45 (Security Awareness); Ch5, Pg. 206-209 (Security Education, Training, and Awareness Program); A Model for Information Assurance: An Integrated Approach
Ensure education, training, and awareness countermeasures are implemented | Topic 2.2.1 | Ch1, Pg. 42-45 (Security Awareness); Ch5, Pg. 206-209 (Security Education, Training, and Awareness Program); A Model for Information Assurance: An Integrated Approach

2 Procedural Countermeasures
Explain the importance of procedural/administrative countermeasures | Topic 2.2.2 | Ch6, Pg. 354-356 (Administrative Controls); Ch11, Pg. 492-498 (Employment Policies and Practices); Ch8, Pg. 529-538 (Organization Security Policy)
Ensure procedural/administrative countermeasures are implemented | Topic 2.2.2 | Ch6, Pg. 354-356 (Administrative Controls); Ch11, Pg. 492-498 (Employment Policies and Practices); Ch1, Pg. 25 (Policies and Procedures)

3 Technical Countermeasures
Explain the importance of automated countermeasures/deterrents | Topic 2.2.3 | Ch1, Pg. 22-25 (Methods of Defense); A Model for Information Assurance: An Integrated Approach
Explain the importance of technical countermeasures/deterrents | Topic 2.2.3 | Ch1, Pg. 22-25 (Methods of Defense); A Model for Information Assurance: An Integrated Approach
Ensure technical/automated countermeasures/deterrents are implemented | Topic 2.2.3 | Ch1, Pg. 22-25 (Methods of Defense); A Model for Information Assurance: An Integrated Approach

C. VULNERABILITY

1 Vulnerability
Explain vulnerability | Topic 2.3.1 | Ch1, Pg. 28 (Terms and Definitions), Ch6, Pg. 375-376 (Vulnerabilities and Attacks), Ch12, Pg. 593 (Initial Risk Estimation); Ch2, Pg. 63 (Attacks); Ch1, Pg. 12-19 (Vulnerabilities)

2 Vulnerability Analysis

Explain the importance of vulnerability analysis | Topic 2.3.2 | Ch12, Pg. 593 (Initial Risk Estimation), Pg. 597 (Analyzing for Vulnerabilities), Appendix D, Pg. 984 (Vulnerability Identification); Ch4, Pg. 138-139 (Vulnerability Identification), Ch8, Pg. 509-513 (Step 2: Determine Vulnerabilities)

3 Network Vulnerabilities
Explain the importance of network vulnerabilities | Topic 2.2.3 | Ch3, Pg. 190-193 (Network Attacks and Abuses), Pg. 194-201 (Probing and Scanning); Ch7, Pg. 387-390 (What Makes a Network Vulnerability), Pg. 426 (Network Vulnerabilities)

4 Technical Vulnerabilities
Explain the importance of technical vulnerabilities | Topic 2.3.4 | Ch6, Pg. 375-376 (Vulnerabilities and Attacks), Appendix B, Pg. 937 (Technical Vulnerability), Ch12, Pg. 597 (Analyzing for Vulnerabilities), Appendix D, Pg. 984 (Vulnerability Identification); Ch1, Pg. 12-19 (Vulnerabilities)

D. RISK MANAGEMENT

1 Cost/Benefit Analysis of Information Assurance
Explain the importance of cost/benefit analysis of information assurance | Topic 2.4.1 | Ch1, Pg. 37-38 (Cost-Benefit Analysis), Appendix D, Pg. 997 (Cost Control and Estimating); Ch4, Pg. 151-154 (Cost Benefit Analysis (CBA)); NIST SP 800-30 Risk Management Guide for Information Technology Systems

2 Documentation
Explain the importance of documentation role in reducing risk | Topic 2.4.2 | Ch6, Pg. 358 (Documentation Control), Ch12, Pg. 610-612 (Documenting Security Controls in the System Security Plan), Appendix D, Pg. 988 (Results Documentation); Ch4, Pg. 143-144 (Documenting the Results of Risk Assessment), Pg. 163-164 (Documenting Results); NIST SP 800-30 Risk Management Guide for Information Technology Systems

3 Risk
Explain risk | Topic 2.4.3 | Ch1, Pg. 26-27 (Risk Management and Assessment), Appendix B, Pg. 929 (Risk); Ch4, Pg. 119 (Risk Identification); Ch1, Pg. 1.5 (Methods of Defense); NIST SP 800-30 Risk Management Guide for Information Technology Systems

Discuss principles of risk | Topic 2.4.3 | Ch1, Pg. 27-28 (Risk Management and Assessment); Ch4, Pg. 119 (Risk Identification); Ch1, Pg. 1.5 (Methods of Defense)

4 Risk Assessment
Explain the importance of risk assessment | Topic 2.4.4 | Ch1, Pg. 26-27 (Risk Management and Assessment), Appendix B, Pg. 929 (Risk Assessment); Ch4, Pg. 139-144 (Risk Assessment)

5 Risk Management
Explain the importance of risk management | Topic 2.4.5 | Ch1, Pg. 26-27 (Risk Management and Assessment), Pg. 27 (Principles of Risk Management), Appendix B, Pg. 929 (Risk Management); Ch4, Pg. 117-119

6 Residual Risk
Explain residual risk | Topic 2.4.6 | Ch1, Pg. 28-29 (Terms and Definitions); Ch4, Pg. 162-163 (Residual Risk)

7 Risk Acceptance Process
Explain the importance of the risk acceptance process | Topic 2.4.7 | Ch4, Pg. 149 (Acceptance)

8 Systems Security Authorization Agreement (SSAA)
Explain the importance of the certification and accreditation (C&A) effort leading to accreditation | Topic 2.4.8 | Ch11, Pg. 560 (Federal Information Processing Standard (FIPS) 102), Pg. 561 (DoD Information Technology Security Certification and Accreditation Process (DITSCAP)), Pg. 565 (The National Information Assurance Certification and Accreditation Process (NIACAP)), Pg. 567 (Defense Information Assurance Certification and Accreditation Process (DIACAP)); Ch10, Pg. 457-459 (NSTISS Instruction-1000: National Information Assurance Certification and Accreditation Processes (NIACAP)); NSTISSI-1000 National Information Assurance Certification and Accreditation Process (NIACAP)

Discuss the contents of SSAA | Topic 2.4.8 | Ch11, Pg. 563-564 (The System Security Authorization Agreement (SSAA)); Ch10, Pg. 457-459 (NSTISS Instruction-1000: National Information Assurance Certification and Accreditation Processes (NIACAP)); NSTISSI-1000 National Information Assurance Certification and Accreditation Process (NIACAP)
Discuss the purpose of SSAA | Topic 2.4.8 | Ch11, Pg. 563-564 (The System Security Authorization Agreement (SSAA)); Ch10, Pg. 457-459 (NSTISS Instruction-1000: National Information Assurance Certification and Accreditation Processes (NIACAP))
Ensure the certifier understands the mission and it is reflected in the SSAA and the C&A effort leading to the SSAA | Topic 2.4.8 | Ch11, Pg. 563-564 (The System Security Authorization Agreement (SSAA)); Ch10, Pg. 457-459 (NSTISS Instruction-1000: National Information Assurance Certification and Accreditation Processes (NIACAP))
Facilitate effort leading to SSAA | Topic 2.4.8 | Ch11, Pg. 563-564 (The System Security Authorization Agreement (SSAA)); Ch10, Pg. 457-459 (NSTISS Instruction-1000: National Information Assurance Certification and Accreditation Processes (NIACAP))

FUNCTION THREE - VERIFY COMPLIANCE
Verifying that each information system complies with the information assurance (IA) requirements

A. LAWS RELATED TO INFORMATION ASSURANCE (IA) AND SECURITY

1 Copyright Protection and Licensing

Explain the importance of copyright protection | Topic 3.1.1 | Ch9, Pg. 480 (Copyright); Ch2, Pg. 43-44 (Compromises to Intellectual Property), Ch3, Pg. 96-97 (U.S. Copyright Law); Ch9, Pg. 556-561 (Copyrights)
Explain the importance of licensing | Topic 3.1.1 | Ch9, Pg. 577 (Licenses)

2 Criminal Prosecution
Explain the importance of criminal prosecution | Topic 3.1.2 | Ch9, Pg. 586-587 (Why Computer Crime is Hard to Prosecute); NIST SP 800-61 rev1 Computer Security Incident Handling Guide; Army Regulation 25-2 Information Assurance

3 Due Diligence
Explain the importance of due diligence | Topic 3.1.3 | Ch6, Pg. 357 (Due Care and Due Diligence), Ch9, Pg. 502-503 (Liability); Ch3, Pg. 89 (Organizational Liability and the Need for Counsel)

4 Evidence Collection and Preservation
Explain the importance of evidence collection | Topic 3.1.4 | Ch9, Pg. 496-497 (Evidence); NIST SP 800-61 rev1 Computer Security Incident Handling Guide; IETF RFC 3227 Guidelines for Evidence Collection and Archiving
Explain the importance of evidence preservation | Topic 3.1.4 | Ch9, Pg. 498 (Preserved); NIST SP 800-61 rev1 Computer Security Incident Handling Guide; IETF RFC 3227 Guidelines for Evidence Collection and Archiving

5 Due Diligence

Explain fraud, waste, and abuse | Topic 3.1.5 | Ch6, Pg. 374 (Illegal Computer Operations and Intentional Attacks), Ch9, Pg. 474 (Fraud), Ch3, Pg. 190 (Network Attacks and Abuses), Ch9, Pg. 490 (1986 (amended in 1996) U.S. Computer Fraud and Abuse Act); Ch9, Pg. 587-588 (U.S. Computer Fraud and Abuse Act)

6 Laws Related To Information Assurance and Security
Explain the importance of implications of Electronic Records Management and Federal Records Act | Topic 3.1.6 | Federal Records Act; Electronic Records Management Guideline
Explain the importance of implications of Federal Managers Financial Integrity Act of 1982 | Topic 3.1.6 | Federal Managers Financial Integrity Act of 1982
Explain the importance of implications of Federal Property and Administration Service Act | Topic 3.1.6 | Federal Property and Administration Service Act
Explain the importance of implications of USA Patriot Act, GPEA, and Paperwork Reduction Acts | Topic 3.1.6 | Ch9, Pg. 494-495 (2001 USA Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act), Ch9, Pg. 491 (Paperwork Reduction Acts of 1980, 1985); Ch3, Pg. 90-95 (Relevant U.S. Laws); Ch9, Pg. 588 (USA Patriot Act); OMB GPEA: Implementation of the Government Paperwork Elimination Act
Explain the importance of implications of legal issues which can affect Information Assurance (IA) | Topic 3.1.6 | Ch9, Pg. 489-495 (Computer Security, Privacy, and Crime Laws); Ch3, Pg. 90-97 (Relevant U.S. Laws), Pg. 97-99 (International Laws and Legal Bodies); Ch9, Pg. 587-589 (Examples of Statutes), Pg. 589-590 (International Dimension)
Explain the importance of implications of National Archives and Records Act | Topic 3.1.6 | National Archives Act 1986; General Federal Records Act; Public Law 108-383 National Archives and Records Administration Efficiency Act of 2004

Explain the importance of implications of the Computer Fraud and Abuse Act, P.L. 99-474, 18 U.S. Code 1030 | Topic 3.1.6 | Ch9, Pg. 490 (1986 (amended in 1996) U.S. Computer Fraud and Abuse Act); Ch3, Pg. 90-95 (Relevant U.S. Laws); Ch9, Pg. 587-588 (U.S. Computer Fraud and Abuse Act)
Explain the importance of implications of the Freedom of Information Act and Electronic Freedom of Information Act | Topic 3.1.6 | Ch9, Pg. 588 (U.S. Freedom of Information Act); The Freedom of Information Act; Electronic Freedom of Information Act Amendments of 1996
Explain the importance of Public Law 107-347, E-Government Act of 2002, Title III, Federal Information Security Management Act (FISMA), 17 Dec 2002 | Topic 3.1.6 | Ch9, Pg. 495 (2002 E-Government Act, Title III, the Federal Information Security Management Act (FISMA))
Explain the importance of implications of the legal responsibilities of senior systems managers | Topic 3.1.6 | Ch9, Pg. 496-502 (Investigation)
Explain the importance of implications of the Privacy Act | Topic 3.1.6 | Ch9, Pg. 489 (1974 U.S. Federal Privacy Act (amended in 1980)), Pg. 490 (1986 U.S. Electronic Communication Privacy Act); Ch3, Pg. 90-95 (Relevant U.S. Laws); Ch9, Pg. 88 (U.S. Privacy Act)
Discuss implications of Public Law 107-347 regarding certification and accreditation | Topic 3.1.6 | Public Law 107-347

7 Legal and Liability Issues
Explain the importance of legal and liability issues as they apply to system and mission | Topic 3.1.7 | Ch9, Pg. 502-504 (Liability); Ch3, Pg. 89 (Organizational Liability and the Need for Counsel), Ch5, Pg. 180 (Limitations of Liability)

8 Ethics
Discuss ethics | Topic 3.1.8 | Ch9, Pg. 504-509 (Ethics); Ch3, Pg. 99-105 (Ethics and Information Security); Ch9, Pg. 605-610 (Ethical Issues in Computer Security)

B. POLICY DIRECTION

1 Access Control Policies
Explain the importance of access control policies | Topic 3.2.1 | Ch2, Pg. 56 (Controls), Pg. 57 (Models for Controlling Access), Ch6, Pg. 364-365 (Physical Access Controls); Ch4, Pg. 141-142 (Access Control); Ch4, Pg. 194-204 (Control of Access to General Objects)

2 Administrative Security Policies And Procedures
Explain the importance of administrative security policies/procedures | Topic 3.2.2 | Ch2, Pg. 56 (Controls), Ch6, Pg. 354-355 (Administrative Controls); Ch3, Pg. 171-172 (Administrative Controls)

3 Audit Trails and Logging Policies
Explain the importance of audit trail policy | Topic 3.2.3 | Ch6, Pg. 369-372 (Auditing); Ch12, Pg. 517-518 (Auditing); Ch3, Pg. 170 (Access Log); Administrative Communications System - US Department of Education; GAO-AIMD-12-19-6 Federal Information System Controls Audit Manual
Explain the importance of logging policies | Topic 3.2.3 | Ch6, Pg. 369-372 (Auditing); Ch12, Pg. 517-518 (Auditing); Ch3, Pg. 170 (Access Log)

4 Documentation Policies
Explain the importance of documentation policies | Topic 3.2.4 | Ch6, Pg. 358 (Documentation Control), Ch12, Pg. 610-612 (Documenting Security Controls in the System Security Plan), Ch15, Pg. 671 (Documentation and Reporting); Ch4, Pg. 143-144 (Documenting the Results of Risk Assessment), Pg. 163-164 (Documenting Results)

5 Evidence Collection and Preservation Policies
Explain the importance of evidence collection/preservation policies | Topic 3.2.5 | Ch9, Pg. 496-498 (Investigation); NIST SP 800-61 rev1 Computer Security Incident Handling Guide; IETF RFC 3227 Guidelines for Evidence Collection and Archiving

6 Information Security Policy

Define information security policy | Topic 3.2.6 | Ch1, Pg. 20-25 (Security Policy Implementation); Ch5, Pg. 172-175 (Information Security Policy, Standards, and Practices); Ch1, Pg. 25 (Policies and Procedures), Ch8, Pg. 529-531 (Organizational Security Policy)
Explain the importance of information security policy | Topic 3.2.6 | Ch1, Pg. 20-25 (Security Policy Implementation); Ch5, Pg. 172-175 (Information Security Policy, Standards, and Practices); Ch1, Pg. 25 (Policies and Procedures), Ch8, Pg. 529-531 (Organizational Security Policy)

7 National Information Assurance (IA) Certification & Accreditation (C&A) Process Policy
Explain the importance of the National Information Assurance (IA) Certification & Accreditation (C&A) Policy | Topic 3.2.7 | Ch11, Pg. 565-566 (NIACAP and NSTISSP #6); Ch10, Pg. 453-465 (Information Systems Security Certification and Accreditation)

8 Personnel Security Policies & Guidance
Explain the importance of personnel security guidance | Topic 3.2.8 | Ch1, Pg. 20-25 (Security Policy Implementation), Pg. 25-26 (Roles and Responsibilities), Appendix B, Pg. 924 (Personnel Security); Ch11, Pg. 470-502 (Positioning & Staffing the Security Function)

C. SECURITY REQUIREMENTS

1 Access Authorization
Explain the importance of access authorization | Topic 3.3.1 | Ch2, Pg. 55-56 (Rationale); Ch5, Pg. 179 (Authorized Access and Usage of Equipment)

2 Auditable Events
Explain auditable events | Topic 3.3.2 | Ch6, Pg. 369-372 (Auditing)

3 Authentication
Explain authentication | Topic 3.3.3 | Ch2, Pg. 69 (Identification and Authentication), Appendix B, Pg. 885 (Authentication); Ch7, Pg. 338 (Authentication); Ch2, Pg. 59 (Symmetric and Asymmetric Encryption Systems)

4 Background Investigations
Explain the importance of background investigations | Topic 3.3.4 | Ch6, Pg. 354 (Administrative Controls); Ch11, Pg. 493-494 (Background Checks)

5 Countermeasures
Explain the importance of countermeasures | Topic 3.3.5 | Appendix B, Pg. 894 (Countermeasure/Safeguard); Ch1, Pg. 22-25 (Methods of Defense); A Model for Information Assurance: An Integrated Approach

6 Delegation of Authority
Discuss the importance of delegation of authority | Topic 3.3.6 | Ch11, Pg. 471-492 (Positioning & Staffing the Security Function); Delegation of Authority - signature authorization; Guidebook on Delegation of Authority
Ensure that individuals are assigned to perform IA functions | Topic 3.3.6 | Ch1, Pg. 25-26 (Roles and Responsibilities), Pg. 30 (RM Roles); Ch11, Pg. 471-492 (Positioning & Staffing the Security Function); NIST SP 800-12 An Introduction to Computer Security: The NIST Handbook; Delegation of Authority - signature authorization; Guidebook on Delegation of Authority

7 Education, Training, and Awareness
Explain the importance of education, training, and awareness as countermeasures | Topic 3.3.7 | Ch1, Pg. 42-45 (Security Awareness); Ch5, Pg. 206-209 (Security Education, Training, and Awareness Program); A Model for Information Assurance: An Integrated Approach
Ensure education, training, and awareness countermeasures are implemented | Topic 3.3.7 | Ch1, Pg. 42-45 (Security Awareness); Ch5, Pg. 206-209 (Security Education, Training, and Awareness Program)

8 Electronic Records Management
Discuss electronic records management | Topic 3.3.8 | Electronic Records Management Guideline
Explain the importance of electronic records management | Topic 3.3.8 |

9 Electronic-Mail Security

Discuss electronic-mail security | Topic 3.3.9 | Ch6, Pg. 382-386 (Operational E-Mail Security), Ch9, Pg. 488 (Electronic Monitoring); Ch8, Pg. 383-384 (Securing E-mail with S/MIME, PEM, and PGP); Ch7, Pg. 473-479 (Secure E-mail)
Explain the importance of electronic-mail security | Topic 3.3.9 | Ch6, Pg. 382-386 (Operational E-Mail Security), Ch9, Pg. 488 (Electronic Monitoring); Ch8, Pg. 383-384 (Securing E-mail with S/MIME, PEM, and PGP); Ch7, Pg. 473-479 (Secure E-mail)

10 Information Classification
Discuss information classification | Topic 3.3.10 | Ch1, Pg. 11-20 (Information Classification Process); Ch4, Pg. 129-130 (Data Classification and Management)
Explain the importance of information classification | Topic 3.3.10 | Ch1, Pg. 11-20 (Information Classification Process); Ch4, Pg. 129-130 (Data Classification and Management)

11 Investigative Authorities
Discuss investigative authorities | Topic 3.3.11 | GAO-GGD-96-154 Federal Law Enforcement - Investigative Authority and Personnel at 13 Agencies
Explain the importance of investigative authorities | Topic 3.3.11 |

12 Key Management Infrastructure
Discuss key management infrastructure | Topic 3.3.12 | Ch4, Pg. 271-273 (Key Management); NIST SP 800-57 Part 1 Recommendation for Key Management - Part 1: General (Revised)

13 Information Marking
Discuss information marking | Topic 3.3.13 | Ch6, Pg. 363-364 (Marking); NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems; Administrative Communications System - US Department of Education; NSA/CSS Storage Device Declassification Manual; NIST SP 800-88 rev1 Guide for Media Sanitization

14 Non-repudiation
Discuss non-repudiation | Topic 3.3.14 | Ch3, Pg. 102 (OSI Security Services and Mechanisms), Appendix B, Pg. 920 (Nonrepudiation); Ch8, Pg. 377 (Digital Signature); Ch7, Pg. 474 (Requirements and Solutions)
Explain the importance and role of non-repudiation | Topic 3.3.14 | Ch3, Pg. 102 (OSI Security Services and Mechanisms), Appendix B, Pg. 920 (Nonrepudiation); Ch8, Pg. 377 (Digital Signature); Ch7, Pg. 474 (Requirements and Solutions)

15 Public Key Infrastructure (PKI)
Explain the importance and role of PKI | Topic 3.3.15 | Ch4, Pg. 267 (Public-Key Infrastructure (PKI)); Ch8, Pg. 375-377 (Public-Key Infrastructure (PKI)); Ch7, Pg. 436-438 (PKI and Certificates)

FUNCTION FOUR - ENSURE ESTABLISHMENT OF SECURITY CONTROLS
Ensuring the establishment, administration, and coordination of security for systems that agency, service, or command personnel or contractors operate

A. ADMINISTRATION

1 Accountability for Classified/Sensitive Data
Explain the importance of accountability for sensitive data | Topic 4.1.1 | Ch2, Pg. 7 (Accountability), Pg. 88 (Some Access Control Issues); Ch12, Pg. 517-518 (Accounting and Auditing Management); Ch3, Pg. 170 (Access Log); Administrative Communications System - US Department of Education; GAO-AIMD-12-19-6 Federal Information System Controls Audit Manual

Quality Enhancement Plan (QEP): From These Roots … A Foundation for Life: Mathematics and Financial Literacy

32

Discuss classification and

declassification of

information

Topic 4.1.1 Ch1, Pg. 11-20

(Information

Classification Process)

NSA/CSS Storage

Device

Declassification

Manual

2 Automated Security Tools
   - Explain the importance of automated security tools (Topic 4.1.2): Automated Security Support Tools - The Key to Successful FISMA Implementation

3 Backups
   - Discuss backups (Topic 4.1.3): Ch6, Pg. 378-382 (Backup Concepts); Ch5, Pg. 225-227 (Data Storage and Management); Ch8, Pg. 546 (Backup)
   - Explain the importance of backups (Topic 4.1.3): Ch6, Pg. 378-382 (Backup Concepts); Ch5, Pg. 225-227 (Data Storage and Management); Ch8, Pg. 546 (Backup)

4 Change Control/Configuration Management
   - Discuss change control (Topic 4.1.4): Ch6, Pg. 351-354 (Configuration Management and Change Control); Ch2, Pg. 77 (Neglecting Change Control), Ch12, Pg. 514-517 (Configuration and Change Management); Ch3, Pg. 163-165 (Configuration Management)
   - Discuss configuration management (Topic 4.1.4): Ch6, Pg. 351-354 (Configuration Management and Change Control); Ch12, Pg. 514-517 (Configuration and Change Management); Ch3, Pg. 163-165 (Configuration Management)
   - Explain the importance of configuration management (Topic 4.1.4): Ch6, Pg. 351-354 (Configuration Management and Change Control); Ch12, Pg. 514-517 (Configuration and Change Management); Ch3, Pg. 163-165 (Configuration Management)

5 Declassification/Downgrade of Media
   - Explain the importance of downgrade of media (Topic 4.1.5): Administrative Communications System - US Department of Education; NIST SP 800-88_rev1 Guide for Media Sanitization; NSA/CSS Storage Device Declassification Manual
   - Discuss the importance of downgrade of information (Topic 4.1.5)

6 Destruction/Purging/Sanitization of Classified/Sensitive Information
   - Explain the importance of destruction/purging/sanitization procedures for classified/sensitive information (Topic 4.1.6): Ch6, Pg. 362-363 (Media Security Controls), Appendix D, Pg. 977 (Disposition Phase); Administrative Communications System - US Department of Education; NIST SP 800-88_rev1 Guide for Media Sanitization; NSA/CSS Storage Device Declassification Manual; NIST CSL Bulletin - Disposition of Sensitive Automated Information; NIST SP 800-12 An Introduction To Computer Security-The NIST Handbook

B. ACCESS

1 Access Controls
   - Define manual/automated access controls (Topic 4.2.1): Ch2, Pg. 55-61 (Access Control); Ch4, Pg. 141-142 (Access Control); Ch4, Pg. 194-204 (Control of Access to General Objects)
   - Explain the importance of manual/automated access controls (Topic 4.2.1): Ch2, Pg. 55-61 (Access Control); Ch4, Pg. 141-142 (Access Control); Ch4, Pg. 194-204 (Control of Access to General Objects)

2 Access Privileges
   - Explain the importance of access privileges (Topic 4.2.2): Ch2, Pg. 56 (Controls), Pg. 57-58 (Models for Controlling Access), Ch6, Pg. 355-356 (Least Privilege), Pg. 361 (Privileged-Entity Controls); Ch4, Pg. 141-142 (Access Control); Ch4, Pg. 194-204 (Control of Access to General Objects)

3 Discretionary Access Controls
   - Ch2, Pg. 58 (Discretionary Access Control); Ch4, Pg. 141-142 (Access Control)
   - Discuss discretionary access controls (Topic 4.2.3): Ch2, Pg. 58 (Discretionary Access Control); Ch4, Pg. 141-142 (Access Control)
   - Explain the importance of discretionary access controls (Topic 4.2.3): Ch2, Pg. 58 (Discretionary Access Control); Ch4, Pg. 141-142 (Access Control)

4 Mandatory Access Controls
   - Define mandatory access controls (Topic 4.2.4): Ch2, Pg. 57-58 (Models for Controlling Access); Ch4, Pg. 141-142 (Access Control)
   - Explain the importance of mandatory access controls (Topic 4.2.4): Ch2, Pg. 57-58 (Models for Controlling Access); Ch4, Pg. 141-142 (Access Control)

A10 ANNEX A to CNSSI No. 4012

5 Biometrics/Biometric Policies
   - Explain biometric policies (Topic 4.2.5): Ch2, Pg. 72-74 (Biometrics); Ch7, Pg. 342 (Acceptability of Biometrics)

6 Separation of Duties
   - Define the need to ensure separation of duties where necessary (Topic 4.2.6): Ch2, Pg. 56-57 (Controls), Ch6, Pg. 346-348 (Separation of Duties); Ch11, Pg. 500-501 (Internal Control Strategies); Ch3, Pg. 172 (Separation of Duties), Ch5, Pg. 237 (Separation of Duty)
   - Explain the importance of the need to ensure separation of duties where necessary (Topic 4.2.6): Ch2, Pg. 56-57 (Controls), Ch6, Pg. 346-348 (Separation of Duties); Ch11, Pg. 500-501 (Internal Control Strategies); Ch3, Pg. 172 (Separation of Duties), Ch5, Pg. 237 (Separation of Duty)

7 Need-To-Know Controls
   - Define need-to-know controls (Topic 4.2.7): Ch2, Pg. 57-58 (Models for Controlling Access), Ch6, Pg. 355 (Need to Know), Appendix B, Pg. 919 (Need to Know); Ch4, Pg. 131 (Security Clearance); Ch5, Pg. 232 (Military Security Policy); NIST SP 800-16 Information Technology Security Training Requirements - A Role and Performance Based Model
   - Explain the importance of need-to-know controls (Topic 4.2.7): Ch2, Pg. 57-58 (Models for Controlling Access), Ch6, Pg. 355 (Need to Know), Appendix B, Pg. 919 (Need to Know); Ch4, Pg. 131 (Security Clearance); Ch5, Pg. 232 (Military Security Policy)

C. INCIDENT HANDLING AND RESPONSE

1 Emergency Destruction Procedures
   - Explain the importance of emergency destruction procedures (Topic 4.3.1): Ch6, Pg. 363 (Destruction); Security Standard Operating Procedure No. 04 - Naval Command, Control, and Ocean Surveillance Center

2 Organizational/Agency Information Assurance Emergency Response Teams
   - Explain the role of organizational/agency information assurance emergency response teams (Topic 4.3.2): Ch3, Pg. 187-188 (Computer Incident Response Team); Army Regulation 25-2 Information Assurance; NIST SP 800-61-rev1 Computer Security Incident Handling Guide

D. CONTINUITY OF OPERATIONS PLANNING

1 Business Recovery
   - Define business recovery (Topic 4.4.1): Ch8, Pg. 435-446 (Business Continuity Planning); Ch5, Pg. 209-237 (Continuity Strategies); Army Regulation 25-2 Information Assurance; NIST SP 800-61-rev1 Computer Security Incident Handling Guide
   - Explain the importance of business recovery (Topic 4.4.1): Ch8, Pg. 435-446 (Business Continuity Planning); Ch5, Pg. 209-237 (Continuity Strategies)

2 Contingency/Continuity of Operations Planning
   - Explain the importance of contingency/continuity of operations planning (Topic 4.4.2): Ch8, Pg. 435-446 (Business Continuity Planning); Ch5, Pg. 209-237 (Continuity Strategies); Army Regulation 25-2 Information Assurance; NIST SP 800-61-rev1 Computer Security Incident Handling Guide
   - Ensure the establishment and testing of contingency/continuity of operations plans (Topic 4.4.2): Ch8, Pg. 435-446 (Business Continuity Planning); Ch5, Pg. 209-237 (Continuity Strategies); NIST SP 800-53-rev2-final Recommended Security Controls for Federal Information Systems

3 Disaster Recovery
   - Explain the importance of disaster recovery (Topic 4.4.3): Ch8, Pg. 446-463 (Disaster Recovery Planning (DRP)); Ch5, Pg. 209-237 (Continuity Strategies)

4 Disaster Recovery Plan
   - Explain the importance of the recovery plan (Topic 4.4.4): Ch8, Pg. 446-463 (Disaster Recovery Planning (DRP)); Ch5, Pg. 209-237 (Continuity Strategies)
   - Ensure the establishment and testing of recovery plans (Topic 4.4.4): Ch8, Pg. 446-463 (Disaster Recovery Planning (DRP)); Ch5, Pg. 209-237 (Continuity Strategies)

5 Incident Response Policies
   - Explain the importance of incident response policy (Topic 4.4.5): Ch3, Pg. 187-188 (Computer Incident Response Team); Ch5, Pg. 209-237 (Continuity Strategies); Ch8, Pg. 503-504 (Incident Response Plans)

6 Law Enforcement Interfaces/Policies
   - Discuss law enforcement interfaces (Topic 4.4.6): Ch5, Pg. 235-237 (Law Enforcement Involvement)
   - Discuss law enforcement policies (Topic 4.4.6): Ch5, Pg. 235-237 (Law Enforcement Involvement)
   - Explain the importance of law enforcement interfaces (Topic 4.4.6): Ch5, Pg. 235-237 (Law Enforcement Involvement)

7 Reconstitution
   - Define principles of system reconstitution (Topic 4.4.7): GAO-08-1001 Information Security - Actions Needed to Better Protect Los Alamos National Laboratory's Unclassified Computer Network; NIST SP 800-53-rev2-final Recommended Security Controls for Federal Information Systems
   - Explain the importance of principles of system reconstitution (Topic 4.4.7)

8 Restoration
   - Explain the importance of restoration to continuity of operations (Topic 4.4.8): Ch8, Pg. 435-446 (Business Continuity Planning); Ch5, Pg. 209-237 (Continuity Strategies); Army Regulation 25-2 Information Assurance; NIST SP 800-61-rev1 Computer Security Incident Handling Guide; NIST SP 800-53-rev2-final Recommended Security Controls for Federal Information Systems

FUNCTION FIVE: ENSURE PROGRAM MANAGERS DEFINE SECURITY IN ACQUISITIONS
Ensuring that the Program Manager/Official defines the system security requirements for acquisitions

A. ACQUISITION

1 Certification Test & Evaluation (CT&E)
   - Define CT&E as part of the acquisition process (Topic 5.1.1): NSTISSP No. 11 National Information Assurance Acquisition Policy - Fact Sheet
   - Discuss the importance of CT&E as part of the acquisition process (Topic 5.1.1)

2 Certification Tools
   - Discuss significance/results of certification tools (Topic 5.1.2): CJCSI 3312-01A Joint Military Intelligence Requirements Certification; ESFOR 2004 An Empirical Evaluation of Automated Theorem Provers in Software Certification

3 Product Assurance
   - Explain the importance of the product assurance role in acquiring systems, i.e., NSTISSP No. 11, Jan 00 (Topic 5.1.3): NSTISSP No. 11 National Information Assurance Acquisition Policy - Fact Sheet; NIST SP 800-36 Guide to Selecting Information Technology Security Products; NIST SP 800-23 Guidelines to Federal Organizations on Security Assurance and Acquisition-Use of Tested-Evaluated Products
   - Explain the importance of protection profiles (Topic 5.1.3): NISTIR-6985 COTS Security Protection Profile - Operating Systems (CSPP-OS); NIST SP 800-36 Guide to Selecting Information Technology Security Products
   - Explain the importance of security targets (Topic 5.1.3): NIST SP 800-70-DRAFT Security Configuration Checklists Program for IT Products; NISTIR-6985 COTS Security Protection Profile - Operating Systems (CSPP-OS); NIST SP 800-36 Guide to Selecting Information Technology Security Products

4 Contracting for Security Services
   - Discuss types of contracts for security services (Topic 5.1.4): NIST SP 800-64-2 Security Considerations in the Information System Development Life Cycle; NIST SP 800-35 Guide to Information Technology Security Services
   - Define where contracting for security services is appropriate (Topic 5.1.4)
   - Explain threats from contracting for security services (Topic 5.1.4)

5 Disposition of Classified Material
   - Discuss disposition of classified materials (Topic 5.1.5): Ch6, Pg. 362-363 (Overwriting, Degaussing, Destruction); NIST CSL Bulletin - Disposition of Sensitive Automated Information; Administrative Communications System - US Department of Education; NIST SP 800-88_rev1 Guide for Media Sanitization; NSA/CSS Storage Device Declassification Manual; NIST SP 800-12 An Introduction To Computer Security-The NIST Handbook
   - Explain the importance of the correct disposition of classified material (Topic 5.1.5): Ch6, Pg. 362-363 (Overwriting, Degaussing, Destruction)
   - Explain the importance of remanence (Topic 5.1.5): Ch6, Pg. 357 (Data Remanence)

6 Facilities Planning
   - Discuss facilities planning (Topic 5.1.6): Ch10, Pg. 520-522 (Facility Requirements Planning); NIST SP 800-16 Information Technology Security Training Requirements - A Role and Performance Based Model
   - Explain the importance of facilities planning (Topic 5.1.6): Ch10, Pg. 520-522 (Facility Requirements Planning)

7 System Disposition/Reutilization
   - Explain the importance of vulnerabilities from improper disposition/reutilization (Topic 5.1.7): Ch6, Pg. 362-363 (Overwriting, Degaussing, Destruction); NIST CSL Bulletin - Disposition of Sensitive Automated Information; Administrative Communications System - US Department of Education; NIST SP 800-88_rev1 Guide for Media Sanitization; NSA/CSS Storage Device Declassification Manual; NIST SP 800-12 An Introduction To Computer Security-The NIST Handbook

B. LIFE CYCLE MANAGEMENT

1 Life Cycle System Security Planning
   - Discuss life cycle security planning (Topic 5.2.1): Appendix D, Pg. 974-980 (Implementing Information Assurance in the System Life Cycle); NISTIR 4909 Software Quality Assurance - Documentation and Reviews
   - Explain the importance of life cycle system security planning (Topic 5.2.1): Appendix D, Pg. 974-980 (Implementing Information Assurance in the System Life Cycle)

2 System Security Architecture
   - Discuss system security architecture (Topic 5.2.2): Ch5, Pg. 198-199 (IETF Security Architecture), Pg. 201-206 (Design of Security Architecture)
   - Explain how system security architecture supports continuity of operations (CONOPS) (Topic 5.2.2): Ch5, Pg. 198-199 (IETF Security Architecture), Pg. 201-206 (Design of Security Architecture)

FUNCTION SIX: ASSIGN RESPONSIBILITIES
Assigning Information Assurance (IA) responsibilities to the individuals reporting directly to the SSM

1 Certification and Accreditation (C&A)
   - Discuss responsibilities associated with accreditation (Topic 6.1): Ch11, Pg. 573-577 (C&A Roles and Responsibilities); Ch1, Pg. 28-38 (Security Professionals and Organization); NCSC-TG-029 Introduction to Certification and Accreditation; NSTISSI-1000 National Information Assurance Certification and Accreditation Process (NIACAP); NIST SP 800-37-final Guide for the Security Certification and Accreditation of Federal Information Systems
   - Discuss roles associated with certification (Topic 6.1): Ch11, Pg. 573-577 (C&A Roles and Responsibilities); Ch1, Pg. 28-38 (Security Professionals and Organization)
   - Explain the importance of certification and accreditation (C&A) (Topic 6.1): Ch11, Pg. 560-561 (Federal Information Processing Standard (FIPS) 102), Ch11, Pg. 572-573 (What is Certification and Accreditation?)
   - Facilitate the C&A process (Topic 6.1): Ch11, Pg. 560 (Federal Information Processing Standard (FIPS) 102), Pg. 561 (DoD Information Technology Security Certification and Accreditation Process (DITSCAP)), Pg. 565 (The National Information Assurance Certification and Accreditation Process (NIACAP)), Pg. 567 (Defense Information Assurance Certification and Accreditation Process (DIACAP))

2 Information Ownership
   - Explain the importance of establishing information ownership (Topic 6.2): Ch1, Pg. 24 (Roles and Responsibilities), Ch11, Pg. 573-577 (C&A Roles and Responsibilities), Appendix D, Pg. 981 (Roles of Key Personnel in the Risk Management Process); Ch1, Pg. 29-30 (Data Ownership)

3 System Certifiers and Accreditors
   - Discuss risk as it applies to certification and accreditation (Topic 6.3): Ch1, Pg. 30-38 (Overview of Risk Analysis), Ch12, Pg. 593-603 (Initial Risk Estimation), Appendix B, Pg. 929 (Risk); Ch10, Pg. 453-463 (Information System Security Certification and Accreditation); NIST SP 800-37-final Guide for the Security Certification and Accreditation of Federal Information Systems; NSTISSI-1000 National Information Assurance Certification and Accreditation Process (NIACAP)

4 Risk Analysts
   - Discuss risk analysts' reports (Topic 6.4): Ch1, Pg. 30-38 (Overview of Risk Analysis)
   - Discuss system certifiers and accreditors in risk mitigation (Topic 6.4): Appendix D, Pg. 988 (Risk Mitigation), Appendix E, Pg. 1061 (Risk Mitigation); NIST SP 800-30 Risk Management Guide for Information Technology Systems

5 Information System Security Manager (ISSM)
   - Define the role of the Information System Security Manager (ISSM) (Topic 6.5): NAVSO P-5239-04 Information Systems Security Manager (ISSM) Guidebook

6 Information System Security Officer (ISSO)
   - Define the role of the Information System Security Officer (ISSO) (Topic 6.6): Ch1, Pg. 30 (RM Roles), Ch11, Pg. 576 (Information Systems Security Officer (ISSO)), Appendix B, Pg. 910 (Information System Security Officer (ISSO)); NIST SP 800-30 Risk Management Guide for Information Technology Systems

FUNCTION SEVEN: DEFINE CRITICALITY AND SENSITIVITY
Defining the criticality and classification/sensitivity levels of each IS and approving the classification level required for the applications implemented on them

1 Aggregation
   - Explain the importance of the vulnerabilities associated with aggregation (Topic 7.1): Ch2, Pg. 61-68 (Access Control Attack), Ch6, Pg. 373 (Threats and Vulnerabilities), Ch12, Pg. 593-596 (Initial Risk Estimation), Appendix D, Pg. 954-956 (Types and Classes of Attack), Appendix D, Pg. 983 (Threat Identification); Ch2, Pg. 40-63 (Threats), Pg. 63-73 (Attacks); Ch1, Pg. 5-6 (Threats, Vulnerabilities, and Controls)

2 Disclosure of Classified/Sensitive Information
   - Explain the liabilities associated with disclosure of classified/sensitive information (Topic 7.2): USAID General Notice - Policy - Improper Disclosure of Information

FUNCTION EIGHT: ALLOCATE RESOURCES
Allocate resources to achieve an acceptable level of security and to remedy security deficiencies

1 Resource Roles and Responsibilities
   - Discuss the respective roles and responsibilities of resource management staff (Topic 8.1): State of Texas - Department of Information Resources - Information Resources Manager (IRM) Overview; NIST SP 800-36 Guide to Selecting Information Technology Security Products; USAID - Information Technology Security Roles and Responsibilities; Roles and Responsibilities Policy for Security and Access of UCSC Electronic Information Resources
   - Assign/appoint key resource managers (Topic 8.1)

2 Budget/Resource Allocation
   - Evaluate the information assurance budget (Topic 8.2): DISA - DOD Application Security and Development - Security Technical Implementation Guide; DOD - Final Report of the Defense Science Board Task Force on Globalization and Security, Dec 1999
   - Explain the importance of the information assurance budget (Topic 8.2)
   - Defend the budget for information assurance (Topic 8.2)

3 Business Aspects of Information Security
   - Discuss business aspects of information security (Topic 8.3): Ch8, Pg. 435-446 (Business Continuity Planning); Ch2, Pg. 39-40 (Business Needs First), Ch5, Pg. 209-237 (Continuity Strategies)
   - Discuss protection of commercial proprietary information (Topic 8.3): Ch8, Pg. 435-446 (Business Continuity Planning); Ch2, Pg. 39-40 (Business Needs First), Ch5, Pg. 209-237 (Continuity Strategies)
   - Explain the importance of business aspects of information security (Topic 8.3): Ch8, Pg. 435-446 (Business Continuity Planning); Ch2, Pg. 39-40 (Business Needs First), Ch5, Pg. 209-237 (Continuity Strategies)
   - Explain the importance of protecting commercial proprietary information (Topic 8.3): Ch8, Pg. 435-446 (Business Continuity Planning); Ch2, Pg. 39-40 (Business Needs First), Ch5, Pg. 209-237 (Continuity Strategies)

FUNCTION NINE: MULTIPLE AND JOINT ACCREDITATION
Resolve issues regarding those systems requiring multiple or joint accreditation. This may require documentation of conditions or agreements in Memoranda of Agreement (MOA); and

1 Memoranda of Understanding/Agreement (MOU/MOA)
   - Explain the importance of MOU/MOA (Topic 9.1): Memorandum of Agreement (MOA); Memorandum of Agreement between the Secretary of the Interior and the State of Idaho; Definition of Memorandum of Understanding (MOU); Memorandum of Understanding; Memorandum of Understanding Concerning Cooperation Between the US Securities and Exchange Commission and the US Department of Labor
   - Facilitate development and execution of MOU/MOA (Topic 9.1)

FUNCTION TEN: ASSESS NETWORK SECURITY
Ensure that when classified/sensitive information is exchanged between IS or networks (internal or external), the content of this communication is protected from unauthorized observation, manipulation, or denial

1 Connectivity
   - Discuss connected organizations (Topic 10.1): NIST SP 800-12 An Introduction To Computer Security-The NIST Handbook; NIST SP 800-13 Telecommunications Security Guidelines for Telecommunications Management Network
   - Discuss connectivity involved in communications (Topic 10.1): Ch3, Pg. 97 (Availability)
   - Explain the importance of connectivity involved in communications (Topic 10.1): Ch3, Pg. 97 (Availability)

2 Emissions Security (EMSEC) and TEMPEST
   - Define TEMPEST requirements (Topic 10.2): Ch9, Pg. 474 (Emanation Eavesdropping); Ch9, Pg. 425 (Interception of Data); TEMPEST; NSA - TEMPEST: A Signal Problem; NSTISSAM TEMPEST/2-95; Information Leakage from Optical Emanations
   - Discuss threats from Emissions Security (EMSEC) (Topic 10.2): Ch9, Pg. 474 (Emanation Eavesdropping); Ch9, Pg. 425 (Interception of Data)
   - Discuss threats from TEMPEST failures (Topic 10.2): Ch9, Pg. 474 (Emanation Eavesdropping); Ch9, Pg. 425 (Interception of Data)
   - Explain the importance of the threats from Emissions Security (EMSEC) (Topic 10.2): Ch9, Pg. 474 (Emanation Eavesdropping); Ch9, Pg. 425 (Interception of Data)
   - Explain the importance of the threats from TEMPEST failures (Topic 10.2): Ch9, Pg. 474 (Emanation Eavesdropping); Ch9, Pg. 425 (Interception of Data)

3 Wireless Technology
   - Discuss electronic emanations (Topic 10.3): Ch9, Pg. 474 (Emanation Eavesdropping); Ch9, Pg. 425 (Interception of Data)
   - Discuss threats from electronic emanations (Topic 10.3): Ch9, Pg. 474 (Emanation Eavesdropping); Ch9, Pg. 425 (Interception of Data)
   - Explain the importance of wireless technology (Topic 10.3): Ch3, Pg. 164-173 (Wireless Technologies); Ch7, Pg. 370 (Wireless)
   - Explain the risks associated with portable wireless systems, viz., PDAs, etc. (Topic 10.3): Ch3, Pg. 182 (PDA Security Issues)
   - Explain the importance of vulnerabilities associated with connected systems wireless technology (Topic 10.3): Ch3, Pg. 175-182 (Wireless Vulnerability); Ch7, Pg. 400-402 (Wireless)