NSTSSI Security Education Standards
2. POLICY

   a. Computer Security Policy
      (1) define the term "computer security policy"; and
      (2) identify national security information using Executive Order 12958.

   b. P. L. 100-235, Computer Security Act of 1987
      (1) explain the purpose of P. L. 100-235; and
      (2) outline the roles and responsibilities assigned by P. L. 100-235.

   c. OPM 5 CFR 930, Training Requirements for the Computer Security Act
      (1) explain the purpose of OPM 5 CFR 930; and
      (2) describe responsibilities under OPM 5 CFR 930.

   d. OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Systems
      (1) evaluate the purpose of OMB Circular A-130; and
      (2) summarize the responsibilities assigned by OMB Circular A-130.

   e. Freedom of Information Act
      discuss the importance of the Freedom of Information Act.

   f. National Security Directive (NSD) 42
      explain the purpose and history of NSD 42.

   g. Electronic Records Management
      (1) identify public law related to electronic records management; and
      (2) discuss the concept of electronic mail as an electronic record.

   h. Other Federal Statutes
      relate the following Federal Acts to INFOSEC:
         Federal Managers Financial Integrity Act of 1982
         Federal Property and Administration Service Act
         Federal Records Act
         National Archives and Records Act
         Privacy Act of 1974 (P. L. 93-579, U.S. Code 532(a))

   i. Copyright Protection and License
      (1) registered;
      (2) distinguish between patent laws, which protect products, and contract laws, which cover trade secrets;
      (3) determine which protection (copyright, patent, or contract) applies to a computer applications program;
      (4) identify basic concepts of software licensing;
      (5) identify legal policy against software piracy; and
      (6) discuss system software contracts.

   j. Guiding Directives
      (1) state the purpose of federal information processing standards;
      (2) explain the purpose of National Security Telecommunications and Information Systems Security (NSTISS) publications;
      (3) discuss the purpose of National Institute of Standards and Technology (NIST) publications;
      (4) explain the DAA responsibilities assigned by the Department of Defense Trusted Computer System Evaluation Criteria (DOD 5200.28-STD), or Orange Book; and
      (5) explain the content of the Rainbow Series of documents.

   k. Access Control Policy
      (1) define the DAA's responsibility for security policy statements relating to access control;
      (2) explain the general concept underlying access control models; and
      (3) establish an access authorization process.

   l. Sensitive Data
      (1) define policy statements relating to accountability for sensitive data;
      (2) use an approved method of providing individual accountability and access verification; and
      (3) define the process for designating sensitive data, applications, and systems, and for marking and handling sensitive data.

   m. Local Policy
      (1) establish agency-specific INFOSEC policy and procedure;
      (2) identify command authority(s) relating to INFOSEC;
      (3) identify INFOSEC roles and responsibilities by local policy; and
      (4) determine policy for local storage area controls.

   n. Accreditation
      (1) define the term "accreditation authority";
      (2) establish accreditation policy;
      (3) identify the directive allowing delegation of authority;
      (4) delegate responsibilities in the accreditation process, if permitted;
      (5) establish policy for recertification; and
      (6) define security requirements for accreditation.

   o. Threats, Vulnerabilities, and Incidents
      (1) identify policy which must be followed for handling computer security incidents;
      (2) establish policy for handling computer security incidents;
      (3) incorporate information from assistance programs into local policy as appropriate for the organization (e.g., the Computer Security Technical Vulnerability Reporting Program (CSTVRP), the Automated Information Systems Security Incident Support Team (ASSIST), the Computer Incident Advisory Capability (CIAC), and the CERT);
      (4) identify legal investigative authorities by agency-specific charter;
      (5) identify requirements for the CERT; and
      (6) identify requirements for vulnerability reporting to the CERT.

   p. Documentation Policies
      (1) state documentation policies to which the DAA must adhere;
      (2) establish documentation policies as required; and
      (3) establish change control policies.

   q. Issues
      (1) discuss the concept of common criteria;
      (2) define computer matching responsibilities;
      (3) define intellectual property rights;
      (4) discuss legal liability issues;
      (5) explain legal liability issues for maintenance procedures for contract employees;
      (6) explain legal liability issues for maintenance procedures for local employees;
      (7) discuss policy requiring separation of duties; and
      (8) discuss local and national policy for national security systems monitoring.