Strategic Security Intelligence

NSTISSI Security Education Standards


Top - Help

Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved

Section 1.0 - National Training Standard for Information Systems Security (INFOSEC) Professionals
Section 1.1 SECTION I - Purpose
Section 1.2 SECTION II - Scope and Applicability
Section 1.3 SECTION III - References
Section 1.4 SECTION IV - Responsibilities
Section 1.5 SECTION V - Training Standard
Section 1.A Information Systems Security: A Comprehensive Model 1
Section 1.R References

Section 2.0 Designated Approving Authorities
Section 2.1 SECTION I - Purpose
Section 2.2 SECTION II - Applicability
Section 2.3 SECTION III - Responsibilities
Section 2.A Minimal INFOSEC Performance Standard for the DAA
Section 2.A.1 Legal Liabilities Issues
Section 2.A.2 Policy
Section 2.A.3 Threats and Incidents
Section 2.A.4 Access
Section 2.A.5 Administrative (DAA administrative responsibility)
Section 2.A.6 COMSEC
Section 2.A.7 Tempest
Section 2.A.8 General
Section 2.A.9 - Life Cycle Management
Section 2.A.10 Continuity of Operations (COOP)
Section 2.A.11 Risk Management
Section 2.B References

Section 3.0 Systems Administrators
Section 3.1 SECTION I - Purpose
Section 3.2 SECTION II - Applicability
Section 3.3 Responsibilities
Section 3.A Minimal INFOSEC Performance Standard for System Administrators
Section 3.A.1 General
Section 3.A.2 Access Control
Section 3.A.3 Administrative
Section 3.A.4 Audit
Section 3.A.5 Operations
Section 3.A.6 Contingency
Section 3.A.7 Platform Specific Security Features/Procedures
Section 3.B References
Section 3.C Bibliography

Section 4.0 Information System Security Officers
Section 4.1 SECTION I - Purpose
Section 4.2 SECTION II - Scope and Applicability
Section 4.3 Responsibilities
Section 4.A INFOSEC Performance Standard for the ISSO (Entry, Intermediate & Advanced Levels)
Section 4.A.1 Maintain a plan for site security improvements and progress toward meeting the accreditation
Section 4.A.2 Ensure the IS is operated, used, maintained, and disposed of in accordance with security policies and practices
Section 4.A.3 Ensure the IS is accredited and certified if it processes sensitive information
Section 4.A.4 Ensure users and system support personnel have the required security clearances, authorization, and need-to-know, are indoctrinated, and are familiar with internal security practices before access to the IS is granted
Section 4.A.5 Enforce security policies and safeguards on all personnel having access to the IS for which the ISSO is responsible
Section 4.A.6 Ensure audit trails are reviewed periodically (e.g., weekly, daily), and audit records are archived for future reference, if required
Section 4.A.7 Initiate protective or corrective measures
Section 4.A.8 Report security incidents in accordance with agency-specific policy to the DAA when an IS is compromised
Section 4.A.9 Report the security status of an IS, as required by the DAA
Section 4.A.10 Evaluate known vulnerabilities to ascertain if additional safeguards are needed (risk management)
Section 4.B References
Section 4.C Bibliography

Section 5.0 System Certifiers
Section 5.1 SECTION I - Purpose
Section 5.2 SECTION II - Applicability
Section 5.3 Responsibilities
Section 5.4 Preface
Section 5.A Minimal INFOSEC Performance Standard for System Certifiers
Section 5.A.1 Document Mission Needs
Section 5.A.2 Conduct Registration
Section 5.A.3 Negotiate
Section 5.A.4 Prepare SSAA
Section 5.A.5 Support Systems Development
Section 5.A.6 Perform Certification Analysis
Section 5.A.7 Certification Evaluation
Section 5.A.8 Recommend to DAA
Section 5.A.9 Compliance Evaluation
Section 5.A.10 Maintain the SSAA
Section 5.B Concomitant Capabilities for System Certifiers
Section 5.C References and Bibliography