Strategic Security Intelligence

NSTSSI Security Education Standards



Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved

2.    POLICY
      a.    Computer Security Policy

            (1)    define the term "computer security policy"; and
            (2)    identify national security information using Executive Order 12958.

      b.    P. L. 100-235, Computer Security Act of 1987

            (1)    explain the purpose of P. L. 100-235; and
            (2)    outline the roles and responsibilities assigned by P. L. 100-235.

      c.    OPM 5 CFR 930, Training Requirements for the Computer Security Act

            (1)    explain the purpose of OPM 5 CFR 930; and
            (2)    describe responsibilities under OPM 5 CFR 930.

      d.    OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal
            Automated Information Systems

            (1)    evaluate the purpose of OMB Circular A-130; and
            (2)    summarize the responsibilities assigned by OMB Circular A-130.

      e.    Freedom of Information Act

            discuss importance of the Freedom of Information Act.

      f.    National Security Directive (NSD) 42

            explain the purpose and history of NSD 42.

      g.    Electronic Records Management

            (1)    identify public law related to electronic records management; and
            (2)    discuss the concept of electronic mail as an electronic record.

      h.    Other Federal Statutes

            relate the following Federal Acts to INFOSEC:
                   Federal Managers Financial Integrity Act of 1982
                   Federal Property and Administration Service Act
                   Federal Records Act
                   National Archives and Records Act
                   Privacy Act of 1974 (P. L. 93-579, U.S. Code 532(a))

      i.    Copyright Protection and License

            (2)    distinguish between patent laws which protect products and contract laws which cover trade
            (3)    determine which protection (copyright, patent, or contract) applies to a computer applications
            (4)    identify basic concepts of software licensing;
            (5)    identify legal policy against software piracy; and
            (6)    discuss system software contracts.

      j.    Guiding Directives

            (1)    state the purpose of federal information processing standards;
            (2)    explain the purpose of National Security Telecommunications and Information Systems Security
                   (NSTISS) publications;
            (3)    discuss the purpose of National Institute of Standards and Technology (NIST) publications;
            (4)    explain the DAA responsibilities assigned by the Department of Defense Trusted Computer
                   System Evaluation Criteria (DOD 5200.28-STD), or Orange Book; and
            (5)    explain the content of the Rainbow Series of documents.

      k.    Access Control Policy

            (1)    define the DAA's responsibility for security policy statements relating to access control;
            (2)    explain the general concept underlying access control models; and
            (3)    establish an access authorization process.

      l.    Sensitive Data

            (1)    define policy statements relating to accountability for sensitive data;
            (2)    use an approved method of providing individual accountability and access verification; and
            (3)    define the process for designation of sensitive data, applications and systems, and for marking and
                   handling of sensitive data.

      m.    Local Policy

            (1)    establish agency-specific INFOSEC policy and procedure;
            (2)    identify command authority(s) relating to INFOSEC;
            (3)    identify INFOSEC roles and responsibilities by local policy; and
            (4)    determine policy for local storage area controls.

      n.    Accreditation

            (1)    define the term "accreditation authority";
            (2)    establish accreditation policy;
            (3)    identify the directive allowing delegation of authority;
            (4)    delegate responsibilities in the accreditation process, if permitted;
            (5)    establish policy for recertification; and
            (6)    define security requirements for accreditation.

      o.    Threats, Vulnerabilities, and Incidents

            (1)    identify policy which must be followed for handling computer security incidents;
            (2)    establish policy for handling computer security incidents;
            (3)    incorporate information from assistance programs into local policy as appropriate for the
                   organization (e.g., the Computer Security Technical Vulnerability Reporting Program (CSTVRP),
                   the Automated Information Systems Security Incident Support Team (ASSIST), the Computer
                   Incident Advisory Capability (CIAC), and the CERT);
            (4)    identify legal investigative authorities by agency-specific charter;
            (5)    identify requirements for the CERT; and
            (6)    identify requirements for vulnerability reporting to the CERT.

      p.    Documentation Policies

            (1)       state documentation policies to which the DAA must adhere;
            (2)       establish documentation policies as required; and
            (3)       establish change control policies.

      q.    Issues

            (1)       discuss the concept of common criteria;
            (2)       define computer matching responsibilities;
            (3)       define intellectual property rights;
            (4)       discuss legal liabilities issues;
            (5)       explain legal liability issues for maintenance procedures for contract employees;
            (6)       explain legal liability issues for maintenance procedures for local employees;
            (7)       discuss policy requiring separation of duties; and
            (8)       discuss local and national policy for national security systems monitoring.