NSTSSI Security Education Standards
8. DEVELOPING RECOMMENDATION TO DAA a. Access Control Policies 1) explain the access control policies as implemented in the current system to the DAA; 2) define who in the current system has access to information views, who grants the access authorization, and the parameters which will be used to validate access authorization; 3) identify the adequacy of the implemented access control mechanisms identified in the access control policy and comment on this in the report; 4) evaluate the access control mechanisms implemented in accordance with the policy, and include the results of this evaluation in the report; and 5) recommend changes to the implemented access control mechanisms in the report as needed to meet requirements identified in the access control policies. b. Administrative Security Policies and Procedures 1) address all pertinent security policies and procedures not covered under the laws, agency-specific procedures, etc. (NOTE: this review examines these procedures and policies in respect to applicable national laws and governing regulations consistent with security requirements); and 2) recommend administrative security policies and procedures to limit the impact of system technical security deficiencies. c. Certification 1) recommend the conditions upon which an accreditation decision is to be made, including the technical evaluation of security features, as well as other safeguards; 2) identify the deficiency and alternative safeguards and procedures that could be employed to limit the impact of system deficiency; 3) recommend the adoption of requirements which were previously unspecified, but which may be crucial to secure deployment and operation of the system; and 4) report on the comprehensive evaluation of the technical and non-technical security features of the IS and other safeguards, to meet the security and accreditation requirement. d. Roles and Responsibilities 1) outline current roles and responsibilities of personnel assigned access to the systems being certified; and 2) recommend changes to include additions for improving the roles and responsibilities and accountability for personnel with various levels of access to the information systems being certified. e. Brief and Defend ST&E Results 1) describe the ST&E results; and 2) explain and defend the specific findings, including risk analysis/mitigation. f. Communicate Results of ST&E 1) render the technical findings into comprehensible language for non- technical managers; and 2) communicate the results/findings to technical personnel who would be responsible for correcting the findings. g. Identify Potential Corrective Approaches 1) identify potential avenues of corrective action; 2) provide corrective approaches to the DAA as potential mitigating factors, if adopted; and 3) address the technical aspects of the system to meet the technical security requirements for its intended use and to identify those areas where non-technical means such as procedures; or 4) restrictions are needed to reduce the risk of operating the system to an acceptable level. h. Determine Residual Risk 1) report the findings and the overall level of residual risk in the current system; and 2) compare and contrast the non-technical and technical test/evaluation results, the impact of any countermeasures, and determine the residual risk.