NSTSSI Security Education Standards
10. Evaluate known vulnerabilities to ascertain if additional safeguards are needed (risk management) a. Threats E - define threats. (1) Human Threats E - describe how people can threaten a system's security; E - describe types of human threats to a system (insider, outsider, hacker, unauthorized user); I - identify suspicious activity on a system; A - proposes/develop countermeasures to identified threats; E - describe how industrial espionage can impact the security of an IS; and E - describe how international espionage can impact the security of an IS. (2) Environmental/Natural Threats E - describe the threat from electronic emanations; E - identify appropriate TEMPEST authorities; E - describe the threat from floods; I - identify flood countermeasures; E - describe the threat from fire; I - identify fire-related countermeasures; E - describe the threat from earthquake; I - identify earthquake-related countermeasures; E - describe the types of environmental controls (air conditioning, filtered power, etc.); and I - monitor the impact of environmental controls on systems operations. (3) Technological Threats (Commercial Off-The-Shelf (COTS), Development, Maintenance) E - define technological threats; I - identify the sources of technological threats: hardware, software (operating systems, applications, malicious code), firmware, networks (local area networks, wide area networks, metropolitan area networks, and direct connect); I - describe countermeasures to known threats/vulnerabilities; and I - propose new countermeasures to threats/vulnerabilities. (4) Security Reviews E - describe how security reviews can be used to identify threats to an IS. b. Vulnerability Analysis E - describe vulnerability analysis; E - assist in the performance of vulnerability analysis; I - conduct/perform vulnerability analysis; A - analyze the results of a vulnerability analysis; A - recommend fixes for deficiencies identified by the vulnerability analysis; and A - recommend approval/rejection to the DAA of a system based on vulnerability analysis. c. Countermeasures E - describe how countermeasures can reduce the impact of threats. (1) Evaluated Products E - define evaluated products/Evaluated Products List (EPL); E - know how to use evaluated products; I - integrate evaluated products into a system; and A - recommend evaluated products for use in a system. (2) Technical Surveillance Countermeasures E - describe technical surveillance countermeasures; I - monitor technical surveillance; A - recommend starting/stopping surveillance to the DAA; and A - develop procedures for performing surveillance. (3) Disaster Recovery E - define disaster recovery; E - describe the need for disaster recovery; I - review disaster recovery plans; and I - review results of annual tests of recovery plans. (4) Third Party Evaluation E - describe how third party evaluations can be used as a countermeasure; I - interpret results of third party evaluations; and A - recommend acceptance or rejection of system based on third party evaluation to the DAA. (5) Security Reviews E - discuss how security reviews can be used as a countermeasure; I - conduct annual security reviews; I - develop plans for annual security reviews; A - interpret results of annual security reviews; A - recommend changes to appropriate authorities; and A - develop policies for conducting security reviews. (6) Cost/Benefit Analysis E - define cost/benefit analysis; I - conduct cost/benefit analysis procedures; and A - recommend changes to the DAA based on results of a cost/benefit analysis. (7) Security Policies & Procedures E - describe how effective security policies and procedures can reduce threats to an IS; E - identify security policy-making bodies; I - write local guidance; and A - interpret policy and procedures. d. Risks E - define risk and residual risk (threat and vulnerability pairs). (1) Risk Assessment E - define risk assessment; and I - describe the risk assessment process to include: (a) risk assessment E - define information criticality; and I - estimate information criticality. (b) information states E - describe the three states of information. (c) information valuation E - define information valuation; and I - estimate information valuation. I - conduct risk assessments; I - write risk assessment reports; A - develop policy and procedures for conducting a risk assessment; A - coordinate resources to perform a risk assessment; and A - interpret results of a risk assessment. (2) Risk Acceptance E - define risk acceptance; I - describe the risk acceptance process; A - recommend actions to management based on risk acceptance; andA- recommend accreditation of a system to the DAA based on risk assessment.