NSTSSI Security Education Standards
1. GENERAL

a. Security Policy
(1) define local accountability policies;
(2) explain accreditation;
(3) discuss three agency-specific security policies;
(4) define assurance;
(5) explain certification policies as related to local requirements;
(6) define local e-mail privacy policies;
(7) describe local security policies relative to electronic records management;
(8) explain security policies relating to ethics;
(9) describe relevant FAX security policies;
(10) discuss the concept of information confidentiality;
(11) identify information ownership of data held under his/her cognizance;
(12) identify information resource owner/custodian;
(13) define local information security policy;
(14) describe information sensitivity in relation to local policies;
(15) discuss integrity concepts;
(16) describe local policies relevant to Internet security;
(17) explain local area network (LAN) security as related to local policies;
(18) define policies relating to marking of sensitive information;
(19) understand fundamental concepts of multilevel security;
(20) describe policies relevant to network security;
(21) define the functional requirements for operating system integrity;
(22) perform operations security (OPSEC) in conformance with local policies;
(23) explain physical security policies;
(24) discuss local policies relating to secure systems operations;
(25) identify appropriate security architecture for use in assigned IS(s);
(26) describe security domains as applicable to local policies;
(27) define local policies relating to separation of duties;
(28) identify systems security standards policies;
(29) identify DoD 5200.28-STD, Trusted Computer System Evaluation Criteria (TCSEC), or Orange Book policies;
(30) identify TEMPEST policies;
(31) define TEMPEST policies;
(32) define validation and testing policies;
(33) identify verification and validation process policies;
(34) define verification and validation process policies;
(35) describe wide area network (WAN) security policies;
(36) use/implement WAN security policies;
(37) describe workstation security policies;
(38) use/implement workstation security policies; and
(39) describe zoning and zone of control policies.

b. Procedures
(1) practice/use facility management procedures;
(2) describe FAX security procedures;
(3) practice/use FAX security procedures;
(4) describe housekeeping procedures;
(5) perform housekeeping procedures;
(6) describe information states procedures;
(7) distinguish among information states procedures;
(8) explain Internet security procedures;
(9) use Internet security procedures;
(10) explain marking of sensitive information procedures (defined in C.F.R. 32 Section 2003, National Security Information - Standard Forms, March 30, 1987);
(11) perform marking of sensitive information procedures (defined in C.F.R. 32 Section 2003, National Security Information - Standard Forms, March 30, 1987);
(12) apply multilevel security;
(13) explain the principles of network security procedures;
(14) use network security procedures;
(15) describe operating system integrity procedures;
(16) perform operating systems security procedures;
(17) assist in local security procedures;
(18) describe purpose and contents of National Computer Security Center TG-005, Trusted Network Interpretation (TNI), or Red Book;
(19) describe secure systems operations procedures;
(20) define TEMPEST procedures;
(21) identify TEMPEST procedures;
(22) identify certified TEMPEST technical authority (CTTA);
(23) describe WAN security procedures;
(24) practice WAN security procedures; and
(25) explain zoning and zone of control procedures.

c. Education, Training, and Awareness
(1) discuss the principal elements of security training;
(2) explain security training procedures;
(3) explain threat in its application to education, training, and awareness;
(4) use awareness materials as part of job;
(5) distinguish between education, training, and awareness;
(6) give examples of security awareness;
(7) give examples of security education;
(8) discuss the objectives of security inspections/reviews; and
(9) identify different types of vulnerabilities.

d. Countermeasures/Safeguards
(1) discuss the different levels of countermeasures/safeguards assurance;
(2) describe e-mail privacy countermeasures/safeguards;
(3) define Internet security;
(4) describe what is meant by countermeasures/safeguards;
(5) describe separation of duties;
(6) define countermeasures/safeguards used to prevent software piracy;
(7) define TEMPEST countermeasures/safeguards; and
(8) explain what is meant by zoning and zone of control.

e. Risk Management
(1) explain ways to provide protection for Internet connections;
(2) describe operating system integrity;
(3) define TEMPEST as it relates to the risk management process;
(4) identify different types of threat;
(5) explain WAN security; and
(6) explain what zoning and zone of control ratings are based on.