NSTSSI Security Education Standards
6. PERFORMING CERTIFICATION ANALYSIS a. Access Control 1) appraise access control privilege assignment; 2) appraise access controls defined as appropriate for the IS under review for subjects (e.g., local and remote users and/or processes); 3) appraise access controls for objects (e.g., data, information, and applications); 4) appraise access controls for privileged users and/or processes; 5) appraise management of the access control tables and lists; 6) appraise identification and authentication mechanisms which identify users and/or processes; 7) appraise the implementation of user privileges and group management assignments; 8) appraise managed and default file permission settings and factory settings; 9) appraise the effectiveness of password management implemented to enforce policies and procedures; 10) appraise whether the identification and authentication mechanism can correctly identify users and/or processes; 11) identify the requirement for discretionary/mandatory access controls (DAC/MAC); 12) explain to other team members and managers how access privileges are set; 13) match data ownership and responsibilities with access control rights; 14) match the requirements for respective access control features with appraised controls implemented; 15) match the access control requirements with user roles and group management; 16) determine the security countermeasures to implement effective access control; 17) verify the contents of the user registry and access control tables; 18) verify the effectiveness of password management software in enforcing policies and procedures; 19) identify representative processes which must use an appropriate identification and authentication mechanism; 20) propose the security test and evaluation plan/procedures and schedule to test and evaluate agreed upon security countermeasures for access control; and 21) report recommended changes to the implemented access control mechanisms as needed to meet the requirements identified in the access control policies. b. Audits 1) appraise the system's ability to produce viable, inclusive audit data for review and analysis (e.g., selection capabilities for review of audit information); 2) appraise the alert capabilities provided by audit/intrusion detection tools; 3) verify the criteria for generating alerts provided by audit/intrusion detection tools; 4) appraise the availability of audits including recovery from permanent storage; 5) appraise the identification of anomalies which indicate successful violation/bypass of security capabilities; 6) appraise the inherent audit capabilities and the proposed implementation; 7) appraise the processes for analyzing audit information; 8) appraise the report generation capability; 9) appraise the use of audit information to identify attempts to violate/bypass the proper operation of system security capabilities; 10) appraise the use of audit information to validate the proper operation of automated system security capabilities; 11) identify the audit elements and capabilities available on the system being evaluated; 12) identify the audit event characteristics and their granularity (i.e., type of event, success/failure, date/time stamp, user ID); 13) summarize the data which supports trend analysis; 14) verify that the audit elements capture information that meets specified security requirements; 15) verify that the audit log overflow policy is correctly implemented; 16) verify that audit procedures exist to implement the policy (i.e., data reviews, audit retention and protection, response to alerts, etc); 17) verify that audit processes support interpretation of the audit data; 18) verify that the audit retention capability meets the system security requirements; 19) verify that protections are in place to prevent the audit trails from being modified by any means, including direct edits of media or memory; 20) report the audit collection requirements to meet a stated authorization policy; 21) report any alternative means to satisfy the audit collection requirements; 22) propose aperiodic security test and evaluation plans and procedures to test and evaluate agreed upon audit functionality and events; 23) verify that system resources are sufficient to log all required events; 24) interpret the audit policy to be implemented (to include which events are to be recorded, what action should occur when the log fills, how long audits are to be retained, etc.); 25) determine the impact of audit requirements on the system operation requirements; and 26) appraise the capabilities of the add-on audit analysis and intrusion detection tools that are implemented. c. Applications Security 1) appraise the effectiveness of applications security mechanisms and their interactions with other systems and network security mechanisms; 2) differentiate between the operating system and application system security features; and 3) propose security test and evaluation plans and procedures to test and evaluate agreed upon security countermeasures provided by application security mechanisms. d. Confidentiality, Integrity and Availability (CIA) 1) explain the stated system requirements for confidentiality, integrity, and availability in the system design/SSAA documentation; 2) appraise the network architecture and what security mechanisms are used to enforce the CIA security policy; and 3) appraise the network security posture in light of the CONOPS and the abilities of the expected users and system administrators. e. Countermeasures 1) appraise the requirements for additional countermeasures based on the security policy being implemented (e.g., routers, firewalls, guards, intrusion detection devices); 2) study the security countermeasures documented in the SSAA; and 3) propose security test and evaluation plans and procedures to test and evaluate agreed upon security countermeasures documented in the SSAA. f. Documentation 1) identify the documentation of security-related function parameters, defaults and settings; 2) report the review of the documentation, noting the adequacy of detail; and 3) identify the deficiencies in the system documentation, whether they be missing documents or inadequate detail in the existing documentation. g. Network Security 1) appraise the network connectivity policy and the proposed implementation for connection; 2) appraise the security requirements for interconnectivity with other systems/networks; 3) verify that formal approvals have been granted for other systems and networks for which interconnectivity is sought; 4) appraise the security attributes of both the data and users accessing the connected system to determine whether additional security requirements result; and 5) propose security test and evaluation plans and procedures to test and evaluate agreed upon security countermeasures for network connectivity. h. Maintenance Procedures appraise the proposed system maintenance and upgrade procedures to ensure that they comply with configuration management procedures (e.g., remote software updates). i. Operating System Security 1) appraise the documentation and system configuration of security function defaults and settings, ensuring that all inappropriate factory defaults have been changed; 2) appraise how the system handles error conditions; 3) appraise the system recovery capability during loss of power situations; 4) assess and report any variance between documented and actually installed software and operating systems; 5) propose security test and evaluation plan/procedures to test and evaluate agreed upon security countermeasures enforced by the operating system; 6) verify that capabilities are employed to enforce the protection of the operating system by preventing programs or users from writing over system areas; 7) verify that protections are in place to prevent configuration files and pointers that can run in a supervisory state from unauthorized access or unauthorized modifications, deletions, etc.; and 8) verify that protections are in place to prevent the operating system kernel from being modified by any process, program or individual except through an approved organizational configuration management procedure. j. Vulnerabilities identify vulnerabilities inherent to the system's specific operating system, applications, and network configuration. k. Contingency Operations 1) appraise whether the disaster recovery mechanism adequately addressees the needs of the site; 2) appraise whether the plan sufficiently protects the security of the information and the investment made in life-cycle security processes; 3) match the requirements for disaster recovery/continuity of operation with mission requirements; and 4) match the requirements for emergency destruction procedures with mission requirements.