NSTSSI Security Education Standards
1. Maintain a plan for site security improvements and progress towards meeting the accreditation a. Facilities (1) Planning E - cite significance of facilities planning in INFOSEC; E - identify issues that need to be addressed in facilities plan; make suggestions for enhancement to plan; and I - review facility plan and make suggestions for upgrades and modifications to enhance INFOSEC posture; (2) Management E - list basic principles of facility management; and I - ensure the plan is implemented as planned. (3) Housekeeping E - list general procedures in facility, e.g., standard operating procedures (SOP), access roster, etc.; I - develop the SOP, maintain the access roster. (4) Data Processing Center (DPC) Security E - list unique security requirements above and beyond general facility management for DPCs. b. INFOSEC Program Planning E - describe the overall program to users and managers; E - prepare input to the overall security plan; I - prepare the plan; I - present the plan to management and users; and I - propose changes to the plan. (1) Procedures E - describe the policy, etc. to users and managers; E - identify potential flaws in policy, etc., and initiate corrective actions; E - provide periodic reports to managers with status and recommendations; I - write the procedures as required; I - design the procedures and test them; and I - modify procedures as required. (2) Contingency Plans E - prepare input to contingency plan; E - write the contingency plan; E - identify items for which plans must be developed; and I - modify the contingency plan to reflect changes. (3) Continuity Plans E - prepare input to continuity plan; E - write the continuity plan; E - identify items for which plans must be developed; and I - modify the contingency plan reflecting changes. (4) Emergency Destruction Procedures (EDP) E - explain the EDP to those who execute the plans; E - ensure executors of EDP plans are trained in environmental and safety issues; I - demonstrate the EDP to users and managers; and I - integrate EDP into overall plans. (5) Network Monitoring E - list capabilities, limitations, and data available from network monitors; E - identify networks to be monitored including times and amount/types of data to be collected; E - ensure laws, for instance, warning banners in place, are followed; I - determine the need to monitor suspicious activity; start the monitoring process; and I - justify to management the need for the detailed monitoring. (6) Password Management E - list the underlying password management principles explaining the need for password management; E - issue passwords to users; ensure that passwords are chosen in accordance with policy; disable accounts when necessary; E - address questions or concerns of users and managers; and I - develop local policies and procedures for password management in accordance with higher level policies, etc. (a) Password Sharing E - inform users they are not to share passwords and the consequences of doing so (explain the potential criminal penalties involved); I - identify abuses, e.g., who is sharing passwords or files; and I - propose methods to share files without sharing passwords. (b) Password Choosing E - describe to users how to choose appropriate passwords, and how/why to protect them; I - enforce good selection of passwords in accordance with password management practices, and also notify user/managers of violations for appropriate action; and I - provide examples of good and bad passwords as an awareness activity. (7 ) Rules-based Access Controls (RBAC) E - defin e RBAC; I - integrate the access controls into the appropriate operating plans, procedures, etc.; and I - ensure the access controls are properly and correctly installed in accordance with the security policy. (8) Protection from Malicious Code E - describe malicious code and outline the various types of malicious code; E - describe techniques for protection from malicious code to users, and provide examples (real and theoretical); E - report suspected or actual occurrences of malicious code and initiate corrective actions as appropriate; I - propose methods and policies to combat introduction of malicious code into a site; and I - integrate protection techniques into the system and into policies. c. Administrative Security E - outline the components of administrative security; E - prepare input to the administrative security plan for which he/she is responsible; E - implement parts of plan for which he/she is responsible; E - report to management on variations from the plan and suggest improvements to the plan; I - modify the administrative security plan in accordance with higher level policies; and I - enforce the plan.