Source: science.hamptonu.edu/compsci/docs/iac/csc382.pdf

Embed Size (px)

Citation preview

Quality Enhancement Plan (QEP): From These Roots … A Foundation for Life: Mathematics and Financial Literacy

CSC 382 Introduction to Information Assurance (Online)

Online Comments

This is an online course. The following information is very important. CSC 382 is the capstone course for CSC/CIS majors receiving CNSS 4011. It is also the prerequisite for students starting the CNSS 4012 course sequence. An awareness of the materials is the goal. You will be responsible for a number of readings and Cyber Security Training modules (see http://www.teexwmdcampus.com/index.k2?locRef=1). The workload is reasonable but continuous. I will not accept any late submissions and you are expected to follow instructions.

If you have questions, contact me at once (see contact information below). If you have trouble with BlackBoard or using the Hampton University intranet system, contact me immediately.

Course Description

An introduction to the various technical and administrative aspects of Information Security and Assurance. This course provides the foundation for understanding the key issues associated with protecting information assets, determining the levels of protection and response to security incidents, and designing a consistent, reasonable information security system, with appropriate intrusion detection and reporting features. The purpose of the course is to provide the student with an overview of the field of Information Security and Assurance. Students will be exposed to the spectrum of Security activities, methods, methodologies, and procedures. Coverage will include inspection and protection of information assets, detection of and reaction to threats to information assets, and examination of pre- and post-incident procedures, technical and managerial responses, and an overview of the Information Security Planning and Staffing functions.

INSTRUCTOR: Mr. Robert A. Willis Jr.
Office: ST 120
Telephone: 757-727-5556
Office Hours: MWF 9:00 – 11:00; TR 11:00 – 1:00
Contact: E-Mail: [email protected]; Skype: rwjr1944; Twitter: rwjr1944

Course Objectives: After completing the course, students will be able to:

1. Identify and prioritize information assets.
2. Identify and prioritize threats to information assets.
3. Define an information security strategy and architecture.
4. Plan for and respond to intruders in an information system.
5. Describe legal and public relations implications of security and privacy issues.
6. Present a disaster recovery plan for recovery of information assets after an incident.

Minimum Competencies: Students meeting minimum competencies should expect to receive a grade between 74% and 77%. Minimum competencies for this course are as follows:

1. Identify and prioritize information assets.
2. Identify and prioritize threats to information assets.
3. Define an information security strategy and architecture.
4. Plan for and respond to intruders in an information system.
5. Describe legal and public relations implications of security and privacy issues.

Course Topics: This course will cover most of the information assurance concepts including:

Introduction to Information Security (3 hours)
The Need for Security (3 hours)
Legal, Ethical, and Professional Issues in Information Security (3 hours)
Risk Management (3 hours)
Planning for Security (3 hours)
Technology: Firewalls, VPNs, IDS, and Access Control (3 hours)
Cryptography (3 hours)
Physical Security (3 hours)
Implementing Security (3 hours)
Security and Personnel (3 hours)
Information Security Maintenance (3 hours)
Supplement Materials (contents from the optional textbooks) (3 hours)
Laboratory (9 hours)

Mapping to CNSSI 4011 can be found here.

Textbooks:

(required) Principles of Information Security, 3rd edition, Michael E. Whitman & Herbert J. Mattord, Thomson, 2009.
(on reserve for required readings) The CISSP Prep Guide: Mastering the CISSP and ISSEP Exams, 2nd edition, Ronald L. Krutz and Russell Dean Vines, Wiley, 2004.
(on reserve for required readings) Security in Computing, 3rd edition, C. P. Pfleeger, S. L. Pfleeger, Prentice Hall, 2003.

Supplemental Materials (SM): Materials not available via the Internet are posted on BlackBoard.

(SM-1) Maconachy, Schou, Ragsdale and Welch, A Model for Information Assurance: An Integrated Approach, Proceedings of the 2001 IEEE Workshop on IAS, USMA, West Point, NY, 5-6 June 2001. (required reading)
(SM-2) NSTISSAM TEMPEST/1 & 2 - 95, December 1995 (some required readings)
(SM-3) Operations Security (OPSEC), Joint Publication 3-13.3, 29 June 2006 (some required readings)
(SM-4) HUMINT, http://en.wikipedia.org/wiki/HUMINT (some required reading)
(SM-5) Technical Surveillance Countermeasures Program, Department of Defense, Number 5240.05, Feb. 22, 2006 (some required reading)
(SM-6) NASA COMSEC Procedures and Guidelines, NPG 1600.6A, Effective Date: March 2, 2000, Expiration Date: March 2, 2002 (some required reading)
(SM-7) Automated Information Systems (AIS) Security, Department of Veterans Affairs, VHA Directive 6210, Transmittal Sheet, March 7, 2000 (some required reading)
(SM-8) Automated Information Systems Security Policy, U.S. Customs Service, Office of Information and Technology (some required reading)
(SM-9) Security Standard Operating Procedure No. 4, SSOP NO.4, NAVAL COMMAND, CONTROL, AND OCEAN SURVEILLANCE CENTER (some required reading)
(SM-10) Personnel Security Standard, Virginia's Community College, http://system.vccs.edu/its/InformationSecurityProgram/PersonnelSecurityStandard.htm (some required reading)
(SM-11) Personnel Security, University of Mary Washington, http://www.umw.edu/policies/itsecurityprogram/personnel_security/default.php (some required reading)
(SM-12) Standard Practice Procedures for Security Service, George Mason University, http://www.gmu.edu/departments/universityoperations/SPP%20-%20REV%20Feb%202008.pdf (some required reading)
(SM-13) Security Mechanism, RBC bank, http://www.rbcbankusa.com/privacy_security/cid-101718.html (some required reading)
(SM-14) Software Security Policy, Purdue University, http://www.purdue.edu/securepurdue/standards/softwareSecurity.cfm (some required reading)
(SM-15) Audit Trails, HP, http://docs.hp.com/en/5992-3387/ch10s05.html (some required reading)
(SM-16) Audit Logging Security Standards, IRS, http://www.irs.gov/irm/part10/ch01s05.html (some required reading)
(SM-17) Defending Medical Information Systems Against Malicious Software, Joint NEMA/COCIR/JIRA Security and Privacy Committee (SPC), http://www.himss.org/content/files/medical-defendingNEMAwhitepaper.pdf (some required reading)
(SM-18) Declassification and Downgrading, Army Regulation 280-5, Chapter 3, http://www.fas.org/irp/doddir/army/ar380-5/iii.htm (some required reading)
(SM-19) Using Context- and Content-Based Trust Policies on the Semantic Web, Christian Bizer & Radoslaw Oldakowski, In Proceedings of WWW2004, May 17-22, 2004, New York, NY, USA, www4.wiwiss.fu-berlin.de/bizer/SWTSGuide/p747-bizer.pdf (some required reading)
(SM-20) Input Signal Rate Guidance, www.altra.com, http://www.altera.com/literature/wp/wp_edge_rate_guidance.pdf (some required reading)
(SM-21) Design of an intelligent materials data base for the IFR, Transactions of the American Nuclear Society, Vol/Issue: 65; American Nuclear Society annual meeting; 7-12 Jun 1992; Boston, MA (United States); DOE Project, http://www.osti.gov/energycitations/product.biblio.jsp?osti_id=7232432 (some required reading)
(SM-22) An Introduction to Computer Security - The NIST Handbook, http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf (some required reading)

Tentative Course Outline: Please note that this is an online course and that the schedule will be followed. You are expected to follow the schedule.

Columns: Week | Topics | Text chapters | Tests / Assignments

Week 1
  Topics: 1. Introduction to Information Security
    1.1. The History of Information Security
    1.2. What is Security / Information Security?
    1.3. Critical Characteristics of Information Security
    1.4. NSTISSC Security Model
    1.5. Information Assurance Model (Maconachy, Schou, Ragsdale (MSR) Cube) (Supplemental Materials SM-1)
    1.6. Components of an Information System
    1.7. Securing Components
    1.8. Balancing Information Security and Access
    1.9. Approaches to Information Security Implementation
    1.10. The Systems Development Life Cycle
    1.11. The Security Systems Development Life Cycle
    1.12. Systems Life Cycle Processes, Certification, and Accreditation (Krutz Ch11, Ch12)
    1.13. Security Professionals and the Organization
    1.14. Communities of Interest
    1.15. Information Security: Is it an Art or a Science?
    1.16. Information Security Terminology
  Text chapters: Whitman Ch1 & Krutz Ch11, 12 & SM-1
  Tests / Assignments: HW1

Week 2
  Topics: 2. The Need for Security
    2.1. Business Needs First
    2.2. Threats
    2.3. Attacks
    2.4. OPSEC Process (Operations Security) (Krutz Ch6 & Supplemental Material SM-3)
    2.5. OPSEC Surveys / OPSEC Planning (Operations Security) (Krutz Ch6 & Supplemental Material)
    2.6. Unclassified Indicators (Operations Security) (Krutz Ch6 & Supplemental Material SM-3)
    2.7. HUMINT (Krutz Ch6, Supplemental Materials SM-4)
    2.8. Media Processes - Attribution, Destruction, Classification, Sanitization, Transportation, Inventory (Krutz Ch6)
    2.9. Security Software Development (Whitman Ch2, Supplemental Materials SM-13, SM-14)
  Text chapters: Whitman Ch2 & Krutz Ch6 & SM-3, SM-4, SM-13, SM-14
  Tests / Assignments: HW2

Week 3
  Topics: 3. Legal, Ethical, and Professional Issues in Information Security
    3.1. Law and Ethics in Information Security
    3.2. Types of Law
    3.3. Relevant U.S. Laws
    3.4. International Laws and Legal Bodies
    3.5. Policy versus Laws
    3.6. Ethics and Information Security
    3.7. Codes of Ethics and Professional Organizations
    3.8. Evidence Collection and Preservation (Krutz Chapter 9)
  Text chapters: Whitman Ch3 & Krutz Ch9
  Tests / Assignments: HW3

Week 4
  Topics: Laboratory 1; Review
  Text chapters: TBA
  Tests / Assignments: Exam 1 - TBA

Week 5
  Topics: 4. Risk Management
    4.1. An Overview of Risk Management
    4.2. Risk Identification
    4.3. Risk Assessment
    4.4. Risk Control Strategies
    4.5. Selecting a Risk Control Strategy
    4.6. Risk Management Discussion Points
    4.7. Documenting Results
    4.8. Recommended Practices in Controlling Risk
    4.9. National Threats, Vulnerabilities, Countermeasures, Risk Management, and other facets of NSTISS (Krutz Ch1)
  Text chapters: Whitman Ch4 & Krutz Ch1

Week 6
  Topics: 5. Planning for Security
    5.1. Information Security Policy, Standards, and Practices
    5.2. Telecommunication Systems, Telecommunications Policies and Security, Contracts and Reference, Vulnerabilities, Threats, Countermeasures (Krutz Ch3)
    5.3. Security Policies Implementation (Krutz Ch1)
    5.4. The Information Security Blueprint
    5.5. Security Education, Training, and Awareness Program
    5.6. Continuity Strategies
    5.7. AIS Security Policy (Supplemental Materials SM-7 & SM-8)
    5.8. Security Standard Operating Procedure (Supplemental Materials SM-9)
    5.9. COMSEC (Supplemental Materials SM-6)
  Text chapters: Whitman Ch5 & Krutz Ch1, Ch3 & SM-6, SM-7, SM-8, SM-9
  Tests / Assignments: HW4

Week 7
  Topics: 6. Security Technology
    6.1. Physical Design
    6.2. Computer Security - Access Control, Audit, Identification and Authentication, operating system security, trusted operating system, and Object Reuse (Pfleeger Ch3, Ch4, Ch5)
    6.3. Firewalls
    6.4. Protecting Remote Connections
    6.5. Intrusion Detection Systems
    6.6. Honey Pots, Honey Nets, and Padded Cell Systems
    6.7. Scanning and Analysis Tools
    6.8. Access Control Devices
    6.9. Technical Surveillance Countermeasures (Supplemental Materials SM-5)
  Text chapters: Whitman Ch6, Ch7 & Pfleeger Ch3, Ch4, Ch5 & SM-5
  Tests / Assignments: HW5

Week 8
  Topics: 7. Cryptography
    7.1. A Short History of Cryptology
    7.2. Principles of Cryptography
    7.3. Cryptography Tools
    7.4. Protocols for Secure Communications
    7.5. Attacks on Cryptosystems
  Text chapters: Whitman Ch8
  Tests / Assignments: Exam 2 – TBA

Week 9
  Topics: 8. Physical Security
    8.1. Physical Access Control
    8.2. Fire Security and Safety
    8.3. Failure of Supporting Utilities and Structural Collapse
    8.4. Interception of Data
    8.5. Mobile and Portable Systems
    8.6. Special Consideration for Physical Security Threats
  Text chapters: Whitman Ch9
  Tests / Assignments: HW7; Laboratory 2

Week 10
  Topics: 9. Implementing Information Security
    9.1. Project Management for Information Security
    9.2. Technical Topics of Implementation
    9.3. Nontechnical Aspects of Implementation
    9.4. Operations Security (Krutz Ch6)
    9.5. Security Architectures and Design
  Text chapters: Whitman Ch10 & Krutz Ch5, Ch6
  Tests / Assignments: HW8

Week 11
  Topics: 10. Security and Personnel
    10.1. The Security Function Within an Organization's Structure
    10.2. Positioning and Staffing the Security Function
    10.3. Credentials of Information Security Professionals
    10.4. Employment Policies and Practices
    10.5. Security Considerations for Nonemployees
    10.6. Separation of Duties and Collusion (Krutz Ch1, Ch6)
    10.7. Privacy and the Security of Personnel Data
    10.8. Information Classification Roles (Krutz Ch1)
    10.9. Personnel Security Standard (Supplemental Materials SM-10, SM-11, SM-12)
  Text chapters: Whitman Ch11 & Krutz Ch1, Ch6 & SM-10, SM-11, SM-12
  Tests / Assignments: HW9

Week 12
  Topics: Laboratory 3; 11. Information Security Maintenance
    11.1. Managing for Change
    11.2. Security Management Models
    11.3. The Maintenance Model
    Digital Forensics
  Text chapters: Whitman Ch12
  Tests / Assignments: HW10

Week 13
  Topics: 12. TEMPEST Security (Supplemental Materials SM-2)
    12.1. Introduction
    12.2. Definition
    12.3. RED/BLACK Installation Recommendation
    12.4. Guidance for TEMPEST Integrity
    12.5. Secure Voice Systems
    12.6. Sensitive Compartment Information
  Text chapters: SM-2

Important Dates: TBA

The following information applies to all students in the School of Science:

In addition to the minimum grade requirements established by Hampton University, all majors within the School of Science must pass all required courses offered within the School of Science with a grade of “C” or better in order to satisfy degree requirements. The minimum grade requirement is in effect for all science courses taken during Fall 2001 and beyond.

Course Assignment and Calendar:

Homework Assignments: There are two types of homework assignments: problems and projects. Both of them will be issued and specified with their due date in Blackboard. Problems will be used to evaluate the understanding of course materials, and projects will be used to evaluate the complexity of the algorithms studied in class. All of the projects must be implemented in Java in Unix/Linux environments (when appropriate). Late submissions will not be accepted and will be counted as zero.

Final Exam

The exam will be given on the date scheduled by the registrar. The exam will be comprehensive. There are no exemptions from the exam.

TBA

Attendance

Hampton University’s attendance policy will be observed, which means that you are expected to attend all classes as scheduled. You are responsible for any assignments, deliveries, and class discussions at all times. I will take attendance at the beginning of each class period. If you are not present for the roll call, attendance points will be deducted from your grade. I will not tolerate habitual tardiness; it is disruptive and unfair to your fellow students.

Writing-Across-The-Curriculum

Hampton University adopts the policy in all courses of “writing across the curricula”. In this course, the objectives will be achieved by homework assignments, program comments, and various tests.

The Ethics Paper: Details about the ethics paper will be provided at least one month prior to the due date. The ethics paper will be graded based on the criteria listed in “Hampton University Scoring Rubric”.

Grades

The final grade of this course will be determined by the combined weight of the following components:

Examinations (2): 20%
Homework (10): 40%
Laboratory (3): 15%
Ethics Paper: 5%
Final exam (Comprehensive): 20%

Course grades will follow the scale of the university grading system:

A+ 98-100
A  94-97
A- 90-93
B+ 88-89
B  84-87
B- 80-83
C+ 78-79
C  74-77
C- 70-73
D+ 68-69
D  64-67
D- 60-63
F  Below 60

Make-Up Policy: No make-up tests will be given without previous arrangements, a written medical excuse, or an emergency approved by an appropriate university official.

Policy on Academic Dishonesty: Please see page 29 of the Student Handbook.

Cheating: A student caught cheating on an examination or plagiarizing a paper which forms a part of a course grade shall be given an "F" in the course and will be subject to dismissal from the University. A student is considered to be cheating if, in the opinion of the person administering an examination (written or oral), the student gives, seeks, or receives aid during the process of the examination; the student buys, sells, steals, or otherwise possesses or transmits an examination without authorization; or the student substitutes for another or permits substitution for himself/herself during an examination. All cases of cheating shall be reported by the instructor to the chair of the department in which the cheating occurred, to the school dean/division director and to the Provost.

No penalty shall be imposed until the student has been informed of the charge and of the evidence upon which it is based and has been given an opportunity to present his/her defense. If the faculty member and the student cannot agree on the facts pertaining to the charge, or if the student wishes to appeal a penalty, the issue may be taken to the department chair. Each party will present his/her case to the chair, who shall then call a meeting of all involved parties. If the issue is not resolved at the departmental level, the dean shall conduct a hearing. If the issue is not resolved at the school level, either party may appeal the decision at the school level to the Provost, who shall convene the appropriate individuals and conduct a hearing in order to resolve the issue.

Plagiarism: Plagiarism is defined as "taking and using as one's own the writing or ideas of another." All materials used to meet assigned written requirements of a course, from any source, must be given proper credit by citing the source. A student caught plagiarizing a paper which forms a part of a course grade shall be given an "F" in the course and will be subject to dismissal from the University.

PENALTIES FOR ACADEMIC DISHONESTY

Cases of academic dishonesty are initially investigated and reported by members of the instructional faculty to the chairperson of the department in which the cheating occurred, to the school dean, division director and to the Provost. Also, penalties for minor violations of academic dishonesty are to be recommended at the discretion of the instructor. The penalties for academic dishonesty on examinations and major course requirements may include one of the following:

1. A grade of "F" on the examination or project.
2. A grade of "F" on the examination or project and dismissal from the course.
3. A grade of “F” on the examination or project, dismissal from the course and from the University.

When dismissal from the University is the recommended penalty, the chairman of the department submits the details of the case to the Provost, who schedules a hearing.

ADMINISTRATIVE ACTION

The Provost has the authority to dismiss or expel any student who fails to meet scholarship requirements or to abide by academic regulations.

Dress Code:

This code is based on the theory that learning to select attire appropriate to specific occasions and activities is a critical factor in the total educational process. Understanding and employing the Hampton University Dress Code will improve the quality of one’s life, contribute to optimum morale, and embellish the overall campus image. It also plays a major role in instilling a sense of integrity and an appreciation for values and ethics as students are propelled towards successful careers.

Students will be denied admission to various functions if their manner of dress is inappropriate. On this premise students at Hampton University are expected to dress neatly at all times. The following are examples of appropriate dress for various occasions:

1. Classroom, Cafeteria, Student Union and University Offices – casual attire that is neat and modest.
2. Formal programs in Ogden Hall, the Convocation Center, the Student Center Ballroom, the Little Theater and the Memorial Chapel – event appropriate attire as required by the event announcement.
3. Interviews – Business attire.
4. Social/Recreational activities, Residence hall lounges (during visitation hours) – casual attire that is neat and modest.
5. Balls, Galas, and Cabarets – formal, semi-formal and after five attire, respectively.

Examples of inappropriate dress and/or appearance include but are not limited to:

1. Do-rags, stocking caps, skullcaps and bandannas are prohibited at all times on the campus of Hampton University (except in the privacy of the student’s living quarters).
2. Head coverings and hoods for men in any building.
3. Baseball caps and hoods for women in any building.
   a. This policy item does not apply to headgear considered as a part of religious or cultural dress.
4. Midriffs or halters, mesh, netted shirts, tube tops or cutoff tee shirts in classrooms, cafeteria, Student Union and offices;
5. Bare feet;
6. Short shirts;
7. Shorts, all types of jeans at programs dictating professional or formal attire, such as Musical Arts, Fall Convocation, Founder’s Day, and Commencement;
8. Clothing with derogatory, offensive and/or lewd messages either in words or pictures;
9. Men’s undershirts of any color worn outside of the private living quarters of the residence halls. However, sports jerseys may be worn over a conventional tee-shirt.

Procedure for Cultural or Religious Coverings

1. Students seeking approval to wear headgear as an expression of religious or cultural dress may make a written request for a review through the Office of the Chaplain.
2. The Chaplain will forward his recommendation to the Dean of Students for final approval.
3. Students that are approved will then have their new ID card picture taken by University Police with the headgear being worn.

All administrative, faculty and support staff members will be expected to monitor student behavior applicable to this dress code and report any such disregard or violations to the Offices of the Dean of Men or Dean of Women for the attention of the Dean of Students.

CODE OF CONDUCT

Joining the Hampton Family is an honor and requires each individual to uphold the policies, regulations, and guidelines established for students, faculty, administration, professional and other employees, and the laws of the Commonwealth of Virginia. Each member is required to adhere to and conform to the instructions and guidance of the leadership of his/her respective area. Therefore, the following are expected of each member of the Hampton Family:

1. To respect himself or herself.
2. To respect the dignity, feelings, worth, and values of others.
3. To respect the rights and property of others and to discourage vandalism and theft.
4. To prohibit discrimination, while striving to learn from differences in people, ideas, and opinions.
5. To practice personal, professional, and academic integrity, and to discourage all forms of dishonesty, plagiarism, deceit, and disloyalty to the Code of Conduct.
6. To foster a personal professional work ethic within the Hampton University Family.
7. To foster an open, fair, and caring environment.
8. To be fully responsible for upholding the Hampton University Code.

Students with disabilities which require accommodations should (1) register with the Office of Testing Services and 504 Compliance to provide documentation and (2) bring the necessary information indicating the need for accommodation and what type of accommodation is needed. This should be done during the first week of classes or as soon as the student receives the information. If the instructor is not notified in a timely manner, retroactive accommodations may not be provided.

DISCLAIMER

This syllabus is intended to give the student guidance in what may be covered during the semester and will be followed as closely as possible. However, the professor reserves the right to modify, supplement and make changes as course needs arise.

Hampton University Scoring Rubric

The Hampton University Advisory Council of the Writing Program has approved and recommended the use of the scoring rubric as a guide for evaluating student-writing performance across the curriculum.

Score 6. A paper in this category:
  - States purpose (e.g., position or thesis) insightfully, clearly and effectively
  - Provides thorough, significant development with substantial depth and persuasively marshals support for position
  - Demonstrates a focused, coherent, and logical pattern of organization
  - Displays a high level of audience awareness
  - Uses disciplinary facts critically and effectively
  - Has superior control of diction, sentence structure, and syntactic variety, but may have a few minor flaws in grammar, usage, punctuation, or spelling
  - Documents sources consistently and correctly using a style appropriate to the discipline

Score 5. A paper in this category:
  - States purpose (e.g., position or thesis) clearly and effectively
  - Provides development with some depth and complexity of thought and supports position convincingly
  - Demonstrates an effective pattern of organization
  - Displays a clear sense of audience awareness
  - Uses disciplinary facts effectively
  - Has good control of diction, sentence structure, and syntactic variety, but may have a few minor errors in grammar, usage, punctuation, or spelling
  - Documents sources correctly using a style appropriate to the discipline

Score 4. A paper in this category:
  - States purpose (e.g., position or thesis) adequately
  - Provides competent development with little evidence of complexity of thought
  - Demonstrates an adequate pattern of organization
  - Displays some degree of audience awareness
  - Uses disciplinary facts adequately
  - Has adequate control of diction, sentence structure, and syntactic variety, but may have some errors in grammar, usage, punctuation, or spelling
  - Documents sources adequately using a style appropriate to the discipline

Score 3. A paper in this category:
  - States purpose (e.g., position or thesis) but with varying degrees of clarity
  - Provides some development for most ideas
  - Demonstrates some pattern of organization, but with some lapses from the pattern
  - Displays uneven audience awareness
  - Uses some disciplinary facts
  - Has some control of diction, sentence structure, and syntactic variety, but may have frequent errors in grammar, usage, punctuation, or spelling
  - Documents sources using a style appropriate to the discipline, but may have errors

Score 2. A paper in this category:
  - States purpose (e.g., position or thesis) unclearly
  - Provides inadequate development of thesis
  - Demonstrates an inconsistent pattern of organization
  - Displays very little audience awareness
  - Uses disciplinary facts ineffectively
  - Has little control of diction, sentence structure, and syntactic variety, and may have a pattern of errors in grammar, usage, punctuation, or spelling
  - Acknowledges sources but does not document them using a style appropriate to the discipline

Score 1. A paper in this category:
  - Fails to state purpose (e.g., position or thesis)
  - Fails to develop most ideas
  - Lacks a pattern of organization
  - Displays no audience awareness
  - Uses few or no disciplinary facts
  - Lacks control of diction, sentence structure, and syntactic variety, with a pattern of errors in grammar, usage, punctuation, or spelling
  - Fails to document or acknowledge sources


Mapping to NSTISSI 4011 Standard

C. Security Basics (Awareness Level)

Instructional/Behavioral Content

a Using the Comprehensive Model of Information Systems Security, introduce a comprehensive model of information systems security that addresses:

* The student will list and describe the elements of AIS security. Topic 1.2-1.3 Pg. 8-9 (Whitman)

* The student will summarize security disciplines used in protecting government automated information systems. Topic 1.2-1.7 Pg. 8-17 (Whitman)

b critical characteristics of information, information states, and security measures.

* Student will give examples of determinants of critical information. Topic 1.2-1.8 Pg. 3-18 (Whitman)

Topical Content

a INFOSEC Overview: Chapter 2: The Need for Security (Whitman)

* threats: Topic 2.2, Chapter 2: Threats Pg. 38-59 (Whitman)

* vulnerabilities: Topic 2.2, 2.3, 4.9, Whitman Chapter 2: Attacks Pg. 60-68 / Krutz Chapter 1: Information Security and Risk Management Pg. 28 (Whitman + Krutz)


* critical information characteristics: Chapter 1: Introduction (Whitman)

+ confidentiality: Topic 1.2-1.5, Chapter 1: Confidentiality Pg. 10 (Whitman)

+ integrity: Topic 1.2-1.5, Chapter 1: Integrity Pg. 12 (Whitman)

+ availability: Topic 1.2-1.5, Chapter 1: Availability Pg. 10 (Whitman)

* information states: (Whitman)

+ transmission: Topic 1.4-1.5, Chapter 1: NSTISSC Security Model Pg. 13 (Whitman)

+ storage: Topic 1.4-1.5, Chapter 1: NSTISSC Security Model Pg. 13 (Whitman)

+ processing: Topic 1.4-1.5, Chapter 1: NSTISSC Security Model Pg. 13 (Whitman)

* security countermeasures

+ technology: Topic 6.1-6.8 Chapter 6 & 7: Security Technology Pg. 243-282 (Whitman)

+ policy, procedures and practices: Topic 1.4-1.5, 5.1, 5.3, 5.4, Chapter 1: Information Security Policy, Standards, and Practices Pg. 173-185 (Whitman)

+ education, training and awareness: Topic 1.4-1.5, 5.6, Chapter 5: Security Education, Training, and Awareness Program Pg. 203-206 (Whitman)

b Operations Security (OPSEC):

* OPSEC process: Topic 2.4, Krutz Chapter 6: Operations Security Pg. 339-358 / OPSEC (Supplemental materials SM-3) (Krutz + Supplemental materials)

* INFOSEC and OPSEC interdependency: Topic 2.4, Krutz Chapter 6: Operations Security Pg. 339-358 / OPSEC (Supplemental materials SM-3) (Krutz + Supplemental materials)


* unclassified indicators: Topic 2.4, Krutz Chapter 6: Operations Security Pg. 339-358 / OPSEC (Supplemental materials SM-3) (Krutz + Supplemental materials)

* OPSEC surveys/OPSEC planning: Topic 2.4, Krutz Chapter 6: Operations Security Pg. 339-358 / OPSEC (Supplemental materials SM-3) (Krutz + Supplemental materials)

c Information Security:

* policy: Topic 5.1, Chapter 5: Information Security Policy, Standards, and Practices Pg. 174 (Whitman)

* roles and responsibilities: Topic 10.2, Chapter 11: Positioning & Staffing the Security Function Pg. 473-479 (Whitman)

* application dependent guidance: Input Signal Rage Guidance (supplemental materials SM-20); Design of an intelligent materials data base for the IFR (supplemental materials SM-21) (Supplemental materials)

d INFOSEC

* cryptography

+ strength (e.g., complexity, secrecy, characteristics of the key): Topic 7.2 Chapter 8: Cryptographic algorithms, Pg. 354-375 (Whitman)

+ encryption (e.g., point-to-point, network, link): Topic 7.2 Chapter 8: Cryptographic algorithms, Pg. 354-375 (Whitman)

+ key management (to include electronic key): Topic 7.2 Chapter 8: Cryptographic algorithms, Pg. 354-375 (Whitman)

* transmission security: Topic 1.4-1.5 Whitman Chapter 1: NSTISSC Security Model Pg. 14 / Information Assurance Model (Maconachy, Schou, Ragsdale (MSR) Cube) (Supplemental materials SM-1) (Whitman + Supplemental materials)

* emanations security: Topic 12.1, 12.3, 12.4 12. TEMPEST Security (supplemental materials SM-2) (Supplemental materials)


* physical, personnel and administrative security: Topic 8.1-8.6, 10.1-10.7 Chapter 9: Physical security Pg. 391-429. Chapter 11: Security and Personnel Pg. 469-502 (Whitman)

* computer security

+ identification and authentication: Topic 1.5, 6.2, 6.8, Pfleeger Chapter 2, 3, 5 / Whitman Chapter 7: Security Technology Pg. 338 / Information Assurance Model (Maconachy, Schou, Ragsdale (MSR) Cube) (Supplemental materials SM-1) (Pfleeger + Whitman + supplemental materials)

+ access control: Topic 6.2, 6.8, Pfleeger Chapter 2, 3, 5: Security Features of Trusted Operating Systems Pg. 208-213 / Whitman Chapter 7: Security Technology Pg. 338 (Pfleeger + Whitman)

+ audit: Topic 6.2, 11.1, Pfleeger Chapter 2, 3, 5: Security Features of Trusted Operating Systems Pg. 269-273 / Whitman Chapter 12: Information Security Maintenance Pg. 517 (Pfleeger + Whitman)

+ object reuse: Topic 6.2, Chapter 5: Security Features of Trusted Operating Systems Pg. 270 (Pfleeger)

D. NSTISS Basics (Awareness Level)

Instructional/Behavioral Content

a Describe components (with examples to include: national policy, threats and vulnerabilities, countermeasures, risk management, of organizational units, facets of NSTISS)


* Outline national NSTISS Policies. Topic 5.1, 5.3, Whitman Chapter 5: Information Security Policy, Standards, and Practices Pg. 172-186 / Krutz Chapter 1: Security Policy Implementation Pg. 20-24 (Whitman + Krutz)

* Cite examples of threats and vulnerabilities of an AIS. Topic 2.2-2.3, 4.9, Whitman Chapter 2: Threats and Attacks Pg. 40-73 / Krutz Chapter 1: Information Security and Risk Management Pg. 28 (Whitman + Krutz)

* Give examples of Agency implementation of NSTISS policy, practices and procedures. Topic 5.1-5.3, Whitman Chapter 5: Information Security Policy, Standards, and Practices Pg. 172-184 / Krutz Chapter 1: Security Policy Implementation Pg. 20-24 (Whitman + Krutz)

Topical Content

a National Policy and Guidance:

* AIS security: Topic 5.1, 5.3, Whitman Chapter 5: Information Security Policy, Standards, and Practices Pg. 172-186 / Krutz Chapter 1: Security Policy Implementation Pg. 20-24 (Whitman + Krutz)

* communications security: Topic 5.2, Chapter 3: Telecommunications and Network Security Pg. 95-96 (Krutz)

* protection of information: Topic 1.4-1.5, 5.5-5.6, Whitman Chapter 1: NSTISSC Security Model Pg. 13, Chapter 5: Planning for Security Pg. 186-208 / Information Assurance Model (Maconachy, Schou, Ragsdale (MSR) Cube) (Supplemental materials SM-1) (Whitman + supplemental materials)

* employee accountability for agency information: Topic 10.4 Chapter 11: Privacy and the Security of Personnel Data Pg. 492-500 (Whitman)

b Threats to and Vulnerabilities of Systems:

* definition of terms (e.g., threats, vulnerabilities, risk): Topic 1.16 Chapter 1: Information Security Terminology Pg. 30-31 (Whitman)


* major categories of threats (e.g., fraud, Hostile Intelligence Service (HOIS), malicious logic, hackers, environmental and technological hazards, disgruntled employees, careless employees, HUMINT, and monitoring): Topic 2.2 Chapter 2: Threats Pg. 40-63 (Whitman)

* threat impact areas: Topic 2.2 Chapter 2: Threats Pg. 40-63 (Whitman)

c Legal Elements:

* fraud, waste and abuse: Topic 3.1-3.5 Chapter 3: Legal, Ethical, and Professional Issues Pg. 87-99 (Whitman)

* criminal prosecution: Topic 3.1-3.5 Chapter 3: Legal, Ethical, and Professional Issues Pg. 87-99 (Whitman)

* evidence collection and preservation: Topic 3.8, Chapter 9: Legal, Regulations, Compliance, and Investigation Pg. 497-498 (Krutz)

* investigative authorities: Topic 3.1-3.5 Chapter 3: Legal, Ethical, and Professional Issues Pg. 87-99 (Whitman)

d Countermeasures:

* cover and deception: Topic 6.6, Chapter 7: Security Technology Pg. 320-321 (Whitman)

* HUMINT: Topic 2.7, Krutz Chapter 6: Operational E-mail Security Pg. 382-386 / HUMINT (supplemental materials SM-4) (Krutz + supplemental materials)

* monitoring (e.g., data, line): Topic 6.5, 6.7, 6.8, Chapter 6: Security Technology Pg. 289-300 (Whitman)

* technical surveillance countermeasures: Topic 6.9, Technical Surveillance Countermeasures (supplemental materials SM-5) (supplemental materials)

* education, training, and awareness: Topic 5.5, Chapter 5: Security Education, Training, and Awareness Pg. 206-209 (Whitman)


* assessments (e.g., surveys, inspections): Topic 6.1-6.8, Chapter 6 & 7: Security Technology Pg. 243-279, 287-342 (Whitman)

e Concepts of Risk Management:

* threat and vulnerability assessment: Topic 4.3, 4.9, Whitman Chapter 4: Risk Assessment Pg. 139-144 / Krutz Chapter 1: Risk Management and Assessment Pg. 26-30 (Whitman + Krutz)

* cost/benefit analysis of controls: Topic 4.4-4.5, Chapter 4: Risk Management Pg. 145-154 (Whitman)

* implementation of cost-effective controls: Topic 4.4-4.5, Chapter 4: Risk Management Pg. 145-154 (Whitman)

* consequences (e.g., corrective action, risk assessment): Topic 4.4-4.5, Chapter 4: Risk Management Pg. 145-154 (Whitman)

* monitoring the efficiency and effectiveness of controls (e.g., unauthorized or inadvertent disclosure of information): Topic 4.4-4.5, Chapter 4: Risk Management Pg. 145-154 (Whitman)

f Concepts of System Life Cycle Management:

* requirements definition (e.g., architecture): Topic 1.10-1.12, 10.3, Whitman Chapter 1: Introduction to Information Security Pg. 20-28; Whitman Chapter 11: Security and Personnel Pg. 479-491 / Krutz Chapter 11: Understanding Certification and Accreditation Pg. 559-578; Krutz Chapter 12: Initiation of System Authorization Process Pg. 585-610 (Whitman + Krutz)

* development: Topic 1.10-1.12, 10.3, Whitman Chapter 1: Introduction to Information Security Pg. 20-28, Whitman Chapter 11: Security and Personnel Pg. 479-491 / Krutz Chapter 11: Understanding Certification and Accreditation Pg. 559-578, Krutz Chapter 12: Initiation of System Authorization Process Pg. 585-610 (Whitman + Krutz)


* demonstration and validation (testing): Topic 1.10-1.12, 10.3, Whitman Chapter 1: Introduction to Information Security Pg. 20-28, Whitman Chapter 11: Security and Personnel Pg. 479-491 / Krutz Chapter 11: Understanding Certification and Accreditation Pg. 559-578, Krutz Chapter 12: Initiation of System Authorization Process Pg. 585-610 (Whitman + Krutz)

* implementation: Topic 1.10-1.12, 10.3, Whitman Chapter 1: Introduction to Information Security Pg. 20-28; Whitman Chapter 11: Security and Personnel Pg. 479-491 / Krutz Chapter 11: Understanding Certification and Accreditation Pg. 559-578; Krutz Chapter 12: Initiation of System Authorization Process Pg. 585-610 (Whitman + Krutz)

* security (e.g., certification and accreditation): Topic 1.10-1.12, 10.3, Whitman Chapter 1: Introduction to Information Security Pg. 20-28; Whitman Chapter 11: Security and Personnel Pg. 479-491 / Krutz Chapter 11: Understanding Certification and Accreditation Pg. 559-578; Krutz Chapter 12: Initiation of System Authorization Process Pg. 585-610 (Whitman + Krutz)

* operations and maintenance (e.g., configuration management): Topic 1.10-1.12, 10.3, Whitman Chapter 1: Introduction to Information Security Pg. 20-28; Whitman Chapter 11: Security and Personnel Pg. 479-491 / Krutz Chapter 11: Understanding Certification and Accreditation Pg. 559-578; Krutz Chapter 12: Initiation of System Authorization Process Pg. 585-610 (Whitman + Krutz)

g Concepts of Trust:


* policy: Topic 6.2, 9.4, Pfleeger Chapter 5: Designing Trusted Operating Systems Pg. 229-232 / Krutz Chapter 6: Operations Security Pg. 346-349 / Using Context- and Content-Based Trust Policies on the Semantic Web (supplemental materials SM-19) (Pfleeger + Krutz + supplemental materials)

* mechanism: Topic 6.2, 9.4, Pfleeger Chapter 5: Designing Trusted Operating Systems Pg. 229-232 / Krutz Chapter 6: Operations Security Pg. 346-349 / Using Context- and Content-Based Trust Policies on the Semantic Web (supplemental materials SM-19) (Pfleeger + Krutz + supplemental materials)

* assurance: Topic 2.9, 6.2, 9.5, Krutz Chapter 2: Secure Software Development, Pg. 73-74; Krutz Chapter 5: Security Architecture and Design Pg. 314-316 / Pfleeger Chapter 5: Designing Trusted Operating Systems Pg. 229-232 (Krutz + Pfleeger)

h Modes of Operation:

* dedicated: Topic 9.4, Chapter 6: Operations Security Pg. 349-350 (Krutz)

* system-high: Topic 9.4, Chapter 6: Operations Security Pg. 349-350 (Krutz)

* compartmented/partitioned: Topic 9.4, Chapter 6: Operations Security Pg. 349-350 (Krutz)

* multilevel: Topic 9.4, Chapter 6: Operations Security Pg. 349-350 (Krutz)

i Roles of Various Organizational Personnel

* senior management: Topic 10.1-10.4, 10.8 Whitman Chapter 11: Security and Personnel Pg. 471-479 / Krutz Chapter 1: Information Classification Roles Pg. 16-20 (Whitman + Krutz)


* program or functional managers: Topic 10.1-10.4, 10.8 Whitman Chapter 11: Security and Personnel Pg. 471-479 / Krutz Chapter 1: Information Classification Roles Pg. 16-20 (Whitman + Krutz)

* system manager and system staff: Topic 10.1-10.4, 10.8 Whitman Chapter 11: Security and Personnel Pg. 471-479 / Krutz Chapter 1: Information Classification Roles Pg. 16-20 (Whitman + Krutz)

* telecommunications office and staff: Topic 10.1-10.4, 10.8 Whitman Chapter 11: Security and Personnel Pg. 471-479 / Krutz Chapter 1: Information Classification Roles Pg. 16-20 (Whitman + Krutz)

* security office: Topic 10.1-10.4, 10.8 Whitman Chapter 11: Security and Personnel Pg. 471-479 / Krutz Chapter 1: Information Classification Roles Pg. 16-20 (Whitman + Krutz)

* COMSEC custodian: Topic 10.1-10.4, 10.8 Whitman Chapter 11: Security and Personnel Pg. 471-479 / Krutz Chapter 1: Information Classification Roles Pg. 16-20 (Whitman + Krutz)

* INFOSEC Officer: Topic 10.1-10.4, 10.8 Whitman Chapter 11: Security and Personnel Pg. 471-479 / Krutz Chapter 1: Information Classification Roles Pg. 16-20 (Whitman + Krutz)

* information resources management staff: Topic 10.1-10.4, 10.8 Whitman Chapter 11: Security and Personnel Pg. 471-479 / Krutz Chapter 1: Information Classification Roles Pg. 16-20 (Whitman + Krutz)

* audit office: Topic 10.1-10.4, 10.8 Whitman Chapter 11: Security and Personnel Pg. 471-479 / Krutz Chapter 1: Information Classification Roles Pg. 16-20 (Whitman + Krutz)


* OPSEC managers: Topic 10.1-10.4, 10.8 Whitman Chapter 11: Security and Personnel Pg. 471-479 / Krutz Chapter 1: Information Classification Roles Pg. 16-20 (Whitman + Krutz)

* end users: Topic 10.1-10.4, 10.8 Whitman Chapter 11: Security and Personnel Pg. 471-479 / Krutz Chapter 1: Information Classification Roles Pg. 16-20 (Whitman + Krutz)

j Facets of NSTISS:

* protection of areas: Topic 8.1-8.6 Chapter 9: Physical Security Pg. 399-429 (Whitman)

* protection of equipment: Topic 8.1-8.6 Chapter 9: Physical Security Pg. 399-429 (Whitman)

* protection of passwords: Topic 6.8 Chapter 7: Security Technology Pg. 338-339 (Whitman)

* protection of files and data: Topic 6.5-6.8 Chapter 7: Security Technology Pg. 287-342 (Whitman)

* protection against malicious logic: Topic 2.9 Chapter 2: The Need For Security Pg. 73-80 (Whitman)

* backup of data and files: Topic 9.4 Chapter 6: Operation Security Pg. 378-382 (Krutz)

* protection of magnetic storage media: Topic 2.8 Chapter 6: Operation Security Pg. 362-364 (Krutz)

* protection of voice communications: Topic 5.2 Chapter 3: Telecommunications and Network Security Pg. 95 (Krutz)

* protection of data communications: Topic 5.2 Chapter 3: Telecommunications and Network Security Pg. 95 (Krutz)

* protection of keying material: Topic 7.2 Chapter 8: Cryptography Pg. 364-375 / NASA COMSEC Procedures and Guidelines (supplemental materials SM-6) (Whitman + supplemental materials)

* application of cryptographic systems: Topic 7.3 Chapter 8: Cryptography, Pg. 375-382 (Whitman)


* transmission security countermeasures (e.g., callsigns, frequency, and pattern forewarning protection): Topic 5.2 Chapter 3: Telecommunications and Network Security Pg. 95-221 (Krutz)

* reporting security violations: Topic 3.7, 11.3, Chapter 3: Legal and Professional Issues in Information Security Pg. 108-111; Chapter 12: Information Security Maintenance Pg. 524-525 (Whitman)

E. System Operating Environment (Awareness Level)

Instructional/Behavioral Content

a Outline Agency specific AIS and telecommunications systems.

* Summarize Agency AIS and telecommunications systems in operation. Topic 5.1-5.3, 5.7, Whitman Chapter 5: Information Security Policy, Standards, and Practices Pg. 172-186 / Krutz Chapter 1: Policies, Standards, Guidelines, and Procedure Pg. 20-26; Krutz Chapter 3: Telecommunications and Network Security Pg. 95-98 / AIS Security (Policy) (supplemental materials SM-7, SM-8) (Whitman + Krutz + supplemental materials)

b Describe Agency "control points" for purchase and maintenance of Agency AIS and telecommunications systems


* Give examples of current Agency AIS/telecommunications systems and configurations. Topic 5.1-5.3, 5.7, Whitman Chapter 5: Information Security Policy, Standards, and Practices Pg. 172-186 / Krutz Chapter 1: Policies, Standards, Guidelines, and Procedure Pg. 20-26; Krutz Chapter 3: Telecommunications and Network Security Pg. 95-98 / AIS Security (Policy) (supplemental materials SM-7, SM-8) (Whitman + Krutz + supplemental materials)

c Review Agency AIS and telecommunications security policies

* List Agency-level contact points for AIS and telecommunications systems and maintenance. Topic 5.1-5.3, 5.7, Whitman Chapter 5: Information Security Policy, Standards, and Practices Pg. 172-186 / Krutz Chapter 1: Policies, Standards, Guidelines, and Procedure Pg. 20-26; Krutz Chapter 3: Telecommunications and Network Security Pg. 95-98 / AIS Security (Policy) (supplemental materials SM-7, SM-8) (Whitman + Krutz + supplemental materials)

* Cite appropriate policy and guidance. Topic 5.1-5.3, 5.7, Whitman Chapter 5: Information Security Policy, Standards, and Practices Pg. 172-186 / Krutz Chapter 1: Policies, Standards, Guidelines, and Procedure Pg. 20-26; Krutz Chapter 3: Telecommunications and Network Security Pg. 95-98 / AIS Security (Policy) (supplemental materials SM-7, SM-8) (Whitman + Krutz + supplemental materials)

Topical Content

c Agency Specific Security Policies:


* guidance: Topic 5.1-5.3, 5.7, Whitman Chapter 5: Information Security Policy, Standards, and Practices Pg. 172-186 / Krutz Chapter 1: Policies, Standards, Guidelines, and Procedure Pg. 20-26; Krutz Chapter 3: Telecommunications and Network Security Pg. 95-98 / AIS Security (Policy) (supplemental materials SM-7, SM-8) (Whitman + Krutz + supplemental materials)

* roles and responsibilities: Topic 5.1-5.3, 5.7, Whitman Chapter 5: Information Security Policy, Standards, and Practices Pg. 172-186 / Krutz Chapter 1: Policies, Standards, Guidelines, and Procedure Pg. 20-26; Krutz Chapter 3: Telecommunications and Network Security Pg. 95-98 / AIS Security (Policy) (supplemental materials SM-7, SM-8) (Whitman + Krutz + supplemental materials)

* points of contact: Topic 5.1-5.3, 5.7, Whitman Chapter 5: Information Security Policy, Standards, and Practices Pg. 172-186 / Krutz Chapter 1: Policies, Standards, Guidelines, and Procedure Pg. 20-26; Krutz Chapter 3: Telecommunications and Network Security Pg. 95-98 / AIS Security (Policy) (supplemental materials SM-7, SM-8) (Whitman + Krutz + supplemental materials)

d Agency specific AIS and telecommunications policies

* points of contact: Topic 5.1-5.3, 5.7, Whitman Chapter 5: Information Security Policy, Standards, and Practices Pg. 172-186 / Krutz Chapter 1: Policies, Standards, Guidelines, and Procedure Pg. 20-26; Krutz Chapter 3: Telecommunications and Network Security Pg. 95-98 / AIS Security (Policy) (supplemental materials SM-7, SM-8) (Whitman + Krutz + supplemental materials)


* references: Topic 5.1-5.3, 5.7, Whitman Chapter 5: Information Security Policy, Standards, and Practices Pg. 172-186 / Krutz Chapter 1: Policies, Standards, Guidelines, and Procedure Pg. 20-26; Krutz Chapter 3: Telecommunications and Network Security Pg. 95-98 / AIS Security (Policy) (supplemental materials SM-7, SM-8) (Whitman + Krutz + supplemental materials)

F. NSTISS Planning and Management (Performance Level)

Instructional/Behavioral Content

a Discuss practical performance measures employed in designing security measures and programs

* Builds a security plan that encompasses NSTISS components in designing protection/security for an instructor-supplied description of an AIS telecommunications system. Topic 5.4, Chapter 5: The Information Security Blueprint, Pg. 186-201 (Whitman)

b Introduce generic security planning guidelines/documents: Topic 5.1-5.4, Whitman Chapter 5: Information Security Policy, Standards, and Practices Pg. 172-201 / Krutz Chapter 1: Policies, Standards, Guidelines, and Procedure Pg. 20-26; Krutz Chapter 3: Telecommunications and Network Security Pg. 95-98 (Whitman + Krutz)

Topical Content


a Security Planning

* directives and procedures for NSTISS policy: Topic 1.4, 5.3, Whitman Chapter 1: NSTISSC Security Model Pg. 13-14 / Krutz Chapter 1: Security Policy Implementation Pg. 20-26 (Whitman + Krutz)

* NSTISS program budget: Topic 1.4, 5.3, Whitman Chapter 1: NSTISSC Security Model Pg. 13-14 / Krutz Chapter 1: Security Policy Implementation Pg. 20-26 (Whitman + Krutz)

* NSTISS program evaluation: Topic 1.4, 5.3, Whitman Chapter 1: NSTISSC Security Model Pg. 13-14 / Krutz Chapter 1: Security Policy Implementation Pg. 20-26 (Whitman + Krutz)

* NSTISS training (content and audience definition): Topic 1.4, 5.3, Whitman Chapter 1: NSTISSC Security Model Pg. 13-14 / Krutz Chapter 1: Security Policy Implementation Pg. 20-26 (Whitman + Krutz)

b Risk Management

* information identification: Topic 4.1-4.2, Chapter 4: Risk Management Pg. 115-138 (Whitman)

* roles and responsibilities of all the players in the risk analysis process: Topic 4.1-4.2, Chapter 4: Risk Management Pg. 115-138 (Whitman)

* risk analysis and/or vulnerability assessment components: Topic 4.1-4.2, Chapter 4: Risk Management Pg. 115-138 (Whitman)

* risk analysis results evaluation: Topic 4.1-4.2, Chapter 4: Risk Management Pg. 115-138 (Whitman)

* corrective actions: Topic 4.1-4.2, Chapter 4: Risk Management Pg. 115-138 (Whitman)

* acceptance of risk (accreditation): Topic 4.1-4.2, Chapter 4: Risk Management Pg. 115-138 (Whitman)

c Systems Life Cycle Management


* management control process (ensure that appropriate administrative, physical, and technical safeguards are incorporated into all new applications and into significant modifications to existing applications): Topic 1.1, 9.4, Whitman Chapter 1: Introduction to Information Security Pg. 25-28 / Krutz Chapter 6: Operations Security Pg. 339-387 (Whitman + Krutz)

* evaluation of sensitivity of the application based upon risk analysis - determination of security specifications: Topic 1.11, 4.1-4.2, Chapter 1: Introduction to Information Security Pg. 25-28; Chapter 4: Risk Management Pg. 115-138 (Whitman)

* design review and systems test performance (ensure required safeguards are operationally adequate): Topic 1.11, Chapter 1: Introduction to Information Security Pg. 25-28 (Whitman)

* systems certification and accreditation process: Topic 1.12, Chapter 11: Understanding Certification and Accreditation Pg. 559-578; Chapter 12: Initiation of the System Authorization Process Pg. 586-610 (Krutz)

* acquisition: Topic 1.11, 11.4, Chapter 1: Introduction to Information Security Pg. 25-28; Chapter 12: Information Security Maintenance Pg. 550 (Whitman)

d Contingency Planning/Disaster Recovery

* contingency plan components: Topic 5.6, Chapter 5: Planning for Security, Pg. 210 (Whitman)

* agency response procedures and continuity of operations: Topic 5.6 Chapter 5: Planning for Security, Pg. 215-230 (Whitman)

* team member responsibilities in responding to an emergency situation: Topic 5.6 Chapter 5: Planning for Security, Pg. 215-230 (Whitman)

* guidelines for determining critical and essential workload: Topic 5.4, 5.6, Chapter 5: Planning for Security, Pg. 186-201, 209-233 (Whitman)

* determination of backup requirements: Topic 5.6 Chapter 5: Planning for Security, Pg. 225-228 (Whitman)

* development of procedures for off-site processing: Topic 5.6 Chapter 5: Planning for Security, Pg. 230-230 (Whitman)

* development of plans for recovery actions after a disruptive event: Topic 5.6 Chapter 5: Planning for Security, Pg. 228-232 (Whitman)

* emergency destruction procedures: Topic 5.8, Security Standard Operating Procedure No.4 (supplemental materials SM-9) (supplemental materials)

G. NSTISS Policies and Procedures (Performance Level)

Instructional/Behavioral Content

a List and describe: specific technological, policy, and educational solutions for NSTISS.

* Playing the role of either a system penetrator or system protector, the student will discover points of exploitation and apply appropriate countermeasures in an instructor-supplied description of an Agency AIS/telecommunications system. Topic 5.1-5.2, Whitman Chapter 5: Planning for Security Pg. 172-186 / Krutz Chapter 3: Telecommunications and Network Security Pg. 95-98 (Whitman + Krutz)

b List and describe: elements of vulnerability threat that exist in an AIS/telecommunications system corresponding protection measures. Topic 2.2-2.3, 5.2, Whitman Chapter 2: The Need for Security Pg. 40-73 / Krutz Chapter 3: Telecommunication and Network Security Pg. 95-98 (Whitman + Krutz)


Topical Content

a Physical Security Measures:

* building construction: Topic 8.1-8.6 Chapter 9: Physical Security Pg. 399-430 (Whitman)

* alarms: Topic 8.1-8.6 Chapter 9: Physical Security Pg. 399-430 (Whitman)

* information systems centers: Topic 8.1-8.6 Chapter 9: Physical Security Pg. 399-430 (Whitman)

* communications centers: Topic 8.1-8.6 Chapter 9: Physical Security Pg. 399-430 (Whitman)

* shielding: Topic 8.1-8.6 Chapter 9: Physical Security Pg. 399-430 (Whitman)

* cabling: Topic 8.1-8.6 Chapter 9: Physical Security Pg. 399-430 (Whitman)

* filtered power: Topic 8.1-8.6 Chapter 9: Physical Security Pg. 399-430 (Whitman)

* physical access control systems (key cards, locks and alarms): Topic 8.1-8.6 Chapter 9: Physical Security Pg. 399-430 (Whitman)

* stand-alone systems and peripherals: Topic 8.1-8.6 Chapter 9: Physical Security Pg. 399-430 (Whitman)

* environmental controls (humidity and air conditioning): Topic 8.1-8.6 Chapter 9: Physical Security Pg. 399-430 (Whitman)

* fire safety controls: Topic 8.1-8.6 Chapter 9: Physical Security Pg. 399-430 (Whitman)

* storage area controls: Topic 8.1-8.6 Chapter 9: Physical Security Pg. 399-430 (Whitman)

* power controls (regulator, uninterrupted power service (UPS), and emergency poweroff switch): Topic 8.1-8.6 Chapter 9: Physical Security Pg. 399-430 (Whitman)


* protected distributed systems: Topic 8.1-8.6 Chapter 9: Physical Security Pg. 399-430 (Whitman)

b Personnel Security Practices and Procedures:

* position sensitivity: Topic 10.4, 10.9, Whitman Chapter 11: Security and Personnel, Pg. 492-496 / Personnel Security Standard (Supplemental Materials SM-10, SM-11, SM-12) (Whitman + supplemental materials)

* employee clearances: Topic 10.4, 10.9, Whitman Chapter 11: Security and Personnel, Pg. 492-496 / Personnel Security Standard (Supplemental Materials SM-10, SM-11, SM-12) (Whitman + supplemental materials)

* access authorization/verification (need-to-know): Topic 5.5, 10.6, 10.9, Whitman Chapter 5, Planning for Security Pg. 206-208 / Krutz Chapter 1: Information Security and Risk Management Pg. 25-26 / Personnel Security Standard (Supplemental Materials SM-10, SM-11, SM-12) (Whitman + Krutz + supplemental materials)

* security training and awareness (initial and refresher): Topic 5.5, 10.6, 10.9, Whitman Chapter 5, Planning for Security Pg. 206-208 / Krutz Chapter 1: Information Security and Risk Management Pg. 25-26 / Personnel Security Standard (Supplemental Materials SM-10, SM-11, SM-12) (Whitman + Krutz + supplemental materials)

* systems maintenance personnel - contractors: Topic 10.2, 10.9, Whitman Chapter 11: Security and Personnel Pg. 471-473 / Personnel Security Standard (Supplemental Materials SM-10, SM-11, SM-12) (Whitman + Krutz + supplemental materials)

c Software Security:

* configuration management: Topic 1.10, 5.4, 9.4, 11.1, Whitman Chapter 1: The System Development Life Cycle Pg. 20-25; Whitman Chapter 5: The Information Security Blueprint Pg. 186-201; Whitman Chapter 12: Managing for Change Pg. 514 / Krutz Chapter 6: Operations Security Pg. 351-358 (Whitman + Krutz)


* programming standards and controls: Topic 1.10, 5.4, 9.4, 11.1, Whitman Chapter 1: The System Development Life Cycle Pg. 20-25; Whitman Chapter 5: The Information Security Blueprint Pg. 186-201; Whitman Chapter 12: Managing for Change Pg. 514 / Krutz Chapter 6: Operations Security Pg. 351-358 (Whitman + Krutz)

* documentation: Topic 1.10, 5.4, 9.4, 11.1, Whitman Chapter 1: The System Development Life Cycle Pg. 20-25; Whitman Chapter 5: The Information Security Blueprint Pg. 186-201; Whitman Chapter 12: Managing for Change Pg. 514 / Krutz Chapter 6: Operations Security Pg. 351-358 (Whitman + Krutz)

* change controls: Topic 1.10, 5.4, 9.4, 11.1, Whitman Chapter 1: The System Development Life Cycle Pg. 20-25; Whitman Chapter 5: The Information Security Blueprint Pg. 186-201; Whitman Chapter 12: Managing for Change Pg. 514 / Krutz Chapter 6: Operations Security Pg. 351-358 (Whitman + Krutz)

* software security mechanisms to protect information: Topic 2.9, Security Mechanism / Security Software Policy (supplemental materials SM-13, SM-14) (supplemental materials)

* segregation of duties: Topic 10.6, Krutz Chapter 1: Information Security and Risk Management Pg. 25-26; Chapter 6: Operations Security Pg. 346-347 (Krutz)

* concept of least privilege: Topic 9.4, Chapter 6: Operations Security Pg. 355-356 (Krutz)

* application security features: Topic 1.6, 1.7, 2.9, Chapter 1: Introduction to Information Security Pg. 14-16; Chapter 2: Secure Software Development Pg. 73-74 (Whitman)

* audit trails and logging: Topic 11.2 Whitman Chapter 12: Information Security Maintenance Pg. 517-518 / Audit Trails (supplemental materials SM-15, SM-16) (Whitman + supplemental materials)


* operating systems security features
  Reading: Topic 6.2; Pfleeger Chapter 5: Designing Trusted Operating Systems, Pg. 229-230
  Source: Pfleeger

* need-to-know controls
  Reading: Topic 9.4; Chapter 6: Operations Security, Pg. 360-361
  Source: Krutz

* malicious logic protection
  Reading: Topic 2.9; Whitman Chapter 2: Secure Software Development, Pg. 75-80 / Defending Medical Information Systems Against Malicious Software (supplemental materials SM-17)
  Source: Whitman + supplemental materials

* assurance
  Reading: Topic 2.9, 9.5; Chapter 2: Secure Software Development, Pg. 73-74; Chapter 5: Security Architecture and Design, Pg. 314-316
  Source: Whitman

e Administrative Security Procedural Controls:

* external marking of media
  Reading: Topic 2.8; Chapter 6: Operations Security, Pg. 362-364
  Source: Krutz

* destruction of media
  Reading: Topic 2.8; Chapter 6: Operations Security, Pg. 363
  Source: Krutz

* sanitization of media - construction, changing, issuing and deleting passwords
  Reading: Topic 2.8; Chapter 6: Operations Security, Pg. 362
  Source: Krutz

* transportation of media
  Reading: Topic 2.8; Chapter 6: Operations Security, Pg. 362-364
  Source: Krutz

* reporting of computer misuse or abuse
  Reading: Topic 3.7, 11.3; Chapter 3: Legal and Professional Issues in Information Security, Pg. 108-111; Chapter 12: Information Security Maintenance, Pg. 524-525
  Source: Whitman

* preparation of security plans
  Reading: Topic 5.4; Whitman Chapter 5: Planning for Security, Pg. 186-201
  Source: Whitman

* emergency destruction
  Reading: Topic 2.8, 5.8; Krutz Chapter 6: Operations Security, Pg. 363 / Security Standard Operating Procedure No. 4 (supplemental materials SM-9)
  Source: Krutz + supplemental materials


* media downgrade and declassification
  Reading: Topic 2.8; Chapter 6: Operations Security, Pg. 362-364 / Declassification and Downgrading, AR 380-5 Chapter III (supplemental materials SM-18)
  Source: Krutz + supplemental materials

* attribution
  Reading: Topic 2.8; Chapter 6: Operations Security, Pg. 362-364 / An Introduction to Computer Security: The NIST Handbook (supplemental materials SM-22)
  Source: Krutz + supplemental materials

* repudiation
  Reading: Topic 2.8; Chapter 6: Operations Security, Pg. 362-364 / An Introduction to Computer Security: The NIST Handbook (supplemental materials SM-22)
  Source: Krutz + supplemental materials

f Auditing and Monitoring:

* effectiveness of security programs
  Reading: Topic 9.4, 11.2; Krutz Chapter 6: Operations Security, Pg. 365-372 / Whitman Chapter 12: Information Security Maintenance, Pg. 519-544
  Source: Whitman + Krutz

* conducting security reviews
  Reading: Topic 9.4, 11.2; Krutz Chapter 6: Operations Security, Pg. 365-372 / Whitman Chapter 12: Information Security Maintenance, Pg. 519-544
  Source: Whitman + Krutz

* verification, validation, testing, and evaluation processes
  Reading: Topic 1.11, 9.4; Whitman Chapter 1: Introduction to Information Security, Pg. 23-25 / Krutz Chapter 6: Operations Security, Pg. 365-372
  Source: Whitman + Krutz

* monitoring systems for accuracy and abnormalities
  Reading: Topic 9.4, 11.2; Krutz Chapter 6: Operations Security, Pg. 365-372 / Whitman Chapter 12: Information Security Maintenance, Pg. 519-544
  Source: Whitman + Krutz

* investigation of security breaches
  Reading: Topic 1.10, 5.6; Chapter 1: Introduction to Information Security, Pg. 21; Chapter 6: Planning for Security, Pg. 209-235
  Source: Whitman

* review of audit trails and logs
  Reading: Topic 11.2; Whitman Chapter 12: Information Security Maintenance, Pg. 517-518 / Audit Trails (supplemental materials SM-15, SM-16)
  Source: Whitman + supplemental materials

* review of software design standards
  Reading: Topic 2.9; Chapter 2: Secure Software Development, Pg. 73-74
  Source: Whitman

* review of accountability controls
  Reading: Topic 11.2; Chapter 12: Information Security Maintenance, Pg. 519-544
  Source: Whitman

* privacy
  Reading: Topic 3.3, 10.7; Chapter 3: Relevant U.S. Law, Pg. 91; Chapter 11: Security and Personnel, Pg. 502
  Source: Whitman

g Cryptosecurity:

* encryption/decryption method, procedure, algorithm
  Reading: Topic 7.2; Chapter 8: Principles of Cryptography, Pg. 346-348
  Source: Whitman

* cryptovariable or key
  Reading: Topic 7.2; Chapter 8: Principles of Cryptography, Pg. 361-366
  Source: Whitman

* electronic key management system
  Reading: Topic 7.2; Chapter 8: Principles of Cryptography, Pg. 366
  Source: Whitman

h Key Management:

* identify and inventory COMSEC material
  Reading: Topic 5.9; COMSEC (supplemental materials SM-6)
  Source: supplemental materials

* report COMSEC incidents
  Reading: Topic 5.9; COMSEC (supplemental materials SM-6)
  Source: supplemental materials

* destruction procedures for COMSEC material
  Reading: Topic 5.9; COMSEC (supplemental materials SM-6)
  Source: supplemental materials

* key management protocols (bundling, electronic key, over-the-air rekeying)
  Reading: Topic 5.9; COMSEC (supplemental materials SM-6)
  Source: supplemental materials

j TEMPEST Security:

* shielding
  Reading: Topic 12.4; NSTISSAM TEMPEST (supplemental materials SM-2)
  Source: supplemental materials

* grounding
  Reading: Topic 12.4; NSTISSAM TEMPEST (supplemental materials SM-2)
  Source: supplemental materials

* attenuation
  Reading: Topic 12.3-12.4; NSTISSAM TEMPEST (supplemental materials SM-2)
  Source: supplemental materials


* banding
  Reading: Topic 12.4; NSTISSAM TEMPEST (supplemental materials SM-2)
  Source: supplemental materials

* filtered power
  Reading: Topic 12.4; NSTISSAM TEMPEST (supplemental materials SM-2)
  Source: supplemental materials

* cabling
  Reading: Topic 12.4; NSTISSAM TEMPEST (supplemental materials SM-2)
  Source: supplemental materials

* zone of control/zoning
  Reading: Topic 12.3-12.4; NSTISSAM TEMPEST (supplemental materials SM-2)
  Source: supplemental materials

* TEMPEST separation
  Reading: Topic 12.4; NSTISSAM TEMPEST (supplemental materials SM-2)
  Source: supplemental materials