NSTSSI Security Education Standards
5. SUPPORTING SYSTEMS DEVELOPMENT a. Coordination with Related Disciplines 1) explain to the development team and to the accreditor the need for coordination with related disciplines; 2) perform coordination with the various offices responsible for the related disciplines; and 3) verify coordination with related security disciplines, e.g., physical, emanations, personnel, operations, and cryptographic security. b. Configuration Control 1) appraise current system configuration control; 2) discuss configuration control with the development team for compliance with required INFOSEC policy and technology; 3) propose configuration control changes; 4) report the configuration control deficiencies to the developer; and 5) verify that the activities associated with configuration control, i.e., physical and functional audits, inventory of the hardware and software components, etc., are adequately documented and performed. c. Information Security Policy 1) identify applicable information security policy; 2) explain information security policy to the development team for the secure operation of the system; and 3) use information security policy to ensure the appropriate secure operation of the system. d. Life-Cycle System Security Planning 1) appraise the life-cycle system security planning proposed by the development team; 2) assist with the information security planning for life-cycle system security; 3) explain the life-cycle system security planning to the development team; 4) influence the development team's approach to life-cycle system security planning; and 5) verify that life-cycle system security planning has been accomplished. e. Parameters of the Certification 1) propose alterations to the parameters of the certification process as the system development progresses and the design is modified; 2) compare the parameters of the certification to those of similar systems or during parallel certification; 3) determine the parameters of the certification to ensure mission accomplishment; 4) explain the parameters of the certification to system developers and maintainers; 5) use the parameters of the certification; and 6) verify adherence to the parameters of the certification. f. Principles and Practices of Information Security 1) understand the principles and practices of information security; 2) identify principles and practices of information security that pertain to the certification; == MicroEMACS 3.7i () == 4015.html 3) adhere to recognized principles and practices of information security; and 4) explain the principles and practices of information security that pertain to the certification to the developers. g. Network Vulnerabilities 1) identify any network vulnerabilities for the system developers and maintainers; 2) demonstrate to the system developers and maintainers the network vulnerabilities that are present during the development of the system; 3) evaluate the impact of network vulnerabilities; 4) explain unacceptable network vulnerabilities to the developers; 5) respond to network vulnerabilities by suggesting corrective measures when possible; and 6) stay current on network vulnerabilities. h. Security Engineering 1) assist developers and maintainers with system security engineering principles as required for information security and certification and accreditation; 2) define security engineering principles that are applicable to information security; 3) explain security engineering principles and practices; 4) review security engineering principles and practices for compliance with information security policies; and 5) outline best security engineering practices as defined by the National Information Assurance Partnership (NIAP). i. Access Control Policies 1) be aware of access control policies; 2) evaluate for the developers and maintainers the strengths and weaknesses of access control policies; 3) explain the need for access control policies; 4) identify to the developers and maintainers access control policies that are applicable to information security; and 5) recommend access control policy changes that are appropriate for the system being certified.