Strategic Security Intelligence

NSTSSI Security Education Standards



Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved

4.    Ensure users and system support personnel have the required security clearances,
authorization, and need-to-know, are indoctrinated, and are familiar with internal security
practices before access to the IS is granted

      a.    Personnel
            (1)    Position Sensitivity
                   E - identify sensitive positions; and
                   I - justify sensitive positions.
            (2)    Disgruntled Employees
                   E - identify characteristics of disgruntled employees; and
                   I - monitor access of identified disgruntled employees.
            (3)    Separation of Duties
                   A - direct the separation of duties of personnel in accordance with established
                       policies and procedures.
            (4)    Security Staffing Requirement
                   E - monitor staffing requirements; and
                   A - direct security staffing.
            (5)    Background Investigations
                   A - monitor background investigations of personnel assigned.
            (6)    Termination Process
                   I - identify the requirement for termination of an employee's access to a
                       system; and
                   A - comply with established policies and procedures when terminating the
                       employee's access to an IS.

      b.    Policy & Procedures
            (1)    Emergency Destruction
                   A - develop policies and procedures for the destruction of hardware, software,
                       and firmware under emergency conditions.
            (2)    Access Control Policy (ACP)
                   I - report non-compliance with ACP; and
                   A - develop access control policies.
            (3)    Organizational Placement of IS/Information Technology (IT) Security Functions
                   I - monitor IS/IT security functions and report on their effectiveness.
            (4)    Disposition of Classified Information
                   I - dispose of classified hardware and software in accordance with written
                       instructions; and
                   A - develop procedures for disposing of classified hardware, software and

      c.    Education, Training, & Awareness
            (1)    Security Awareness
                   I - use and present security awareness materials; and
                   A - develop security awareness materials for IS users.
            (2)    Security Training
                   I - present security training to IS users;
                   I - monitor security training of all IS users; and
                   A - develop security training materials.
            (3)    Security Education
                   I - present security education to IS users/managers;
                   I - monitor security education of all IS users; and
                   A - develop/design IS education programs.
      d.    General Information
            (1)    Organization Culture
                   I - monitor the organization's culture and its effect on the security of an IS.
            (2)    Basic/Generic Management Issues
                   I - identify basic management issues and their impact on an IS security
      e.    Operations
            (1)    Account Administration
                   E - establish user accounts in accordance with policy;
                   I - develop security policy for account administration; and
                   A - conduct oversight for account administration.
            (2)    Intrusion Detection
                   E - test operability of physical intrusion detection systems.
            (3)    Backups
                   E - outline security policy for backup procedures;
                   I - review backup policy; and
                   A - enforce compliance with backup policy.
            (4)    Password Management
                   E - issue
                   I - enforce control and use of passwords in accordance with policy,
                       procedures and requirements; and
                   A - develop password management policy.