Quality Enhancement Plan (QEP): From These Roots … A Foundation for Life: Mathematics and Financial Literacy
CSC 382 Introduction to Information Assurance (Online)
Online Comments
This is an online course. The following information is very important. CSC 382 is the capstone course for
CSC/CIS majors receiving CNSS 4011. It is also the prerequisite for students starting the CNSS 4012 course
sequence. An awareness of the materials is the goal. You will be responsible for a number of readings and
Cyber Security Training modules (see http://www.teexwmdcampus.com/index.k2?locRef=1). The
workload is reasonable but continuous. I will not accept any late submissions and you are expected to
follow instructions.
If you have questions, contact me at once (see contact information below). If you have trouble with
BlackBoard or using the Hampton University intranet system, contact me immediately.
Course Description
An introduction to the various technical and administrative aspects of Information Security and Assurance.
This course provides the foundation for understanding the key issues associated with protecting
information assets, determining the levels of protection and response to security incidents, and designing a
consistent, reasonable information security system, with appropriate intrusion detection and reporting
features. The purpose of the course is to provide the student with an overview of the field of Information
Security and Assurance. Students will be exposed to the spectrum of Security activities, methods,
methodologies, and procedures. Coverage will include inspection and protection of information assets,
detection of and reaction to threats to information assets, and examination of pre- and post-incident
procedures, technical and managerial responses and an overview of the Information Security Planning and
Staffing functions.
INSTRUCTOR: Mr. Robert A. Willis Jr. Office: ST 120 Telephone: 757-727-5556
Office Hours:
MWF 9:00 – 11:00
TR 11:00 – 1:00
Contact:
E-Mail: [email protected]
Skype: rwjr1944
Twitter: rwjr1944
Course Objectives: After completing the course, students will be able to:
Identify and prioritize information assets.
Identify and prioritize threats to information assets.
Define an information security strategy and architecture.
Plan for and respond to intruders in an information system.
Describe legal and public relations implications of security and privacy issues.
Present a disaster recovery plan for recovery of information assets after an incident.
Minimum Competencies: Students meeting minimum competencies should expect to receive a grade between 74% and 77%. Minimum competencies for this course are as follows:
Identify and prioritize information assets.
Identify and prioritize threats to information assets.
Define an information security strategy and architecture.
Plan for and respond to intruders in an information system.
Describe legal and public relations implications of security and privacy issues.
Course Topics: This course will cover most of the information assurance concepts including:
Introduction to Information Security (3 hours)
The Need for Security (3 hours)
Legal, Ethical, and Professional Issues in Information Security (3 hours)
Risk Management (3 hours)
Planning for Security (3 hours)
Technology: Firewalls, VPNs, IDS, and Access Control (3 hours)
Cryptography (3 hours)
Physical Security (3 hours)
Implementing Security (3 hours)
Security and Personnel (3 hours)
Information Security Maintenance (3 hours)
Supplement Materials (contents from the optional textbooks) (3 hours)
Laboratory (9 hours)
Mapping to CNSSI 4011 can be found here.
Textbooks:
(required) Principles of Information Security, 3rd edition, Michael E. Whitman & Herbert J. Mattord, Thomson, 2009.
(on reserve for required readings) The CISSP Prep Guide: Mastering the CISSP and ISSEP Exams, 2nd edition, Ronald L. Krutz and Russell Dean Vines, Wiley, 2004.
(on reserve for required readings) Security in Computing, 3rd edition, C. P. Pfleeger, S. L. Pfleeger, Prentice Hall, 2003.
Supplemental Materials (SM): Materials not available via the Internet are posted on BlackBoard.
(SM-1) Maconachy, Schou, Ragsdale and Welch, A Model for Information Assurance: An Integrated Approach, Proceedings of the 2001 IEEE Workshop on IAS, USMA, West Point, NY, 5-6 June 2001. (required reading)
(SM-2) NSTISSAM TEMPEST/1 & 2 - 95, December 1995 (some required readings)
(SM-3) Operations Security (OPSEC), Joint Publication 3-13.3, 29 June 2006 (some required readings)
(SM-4) HUMINT, http://en.wikipedia.org/wiki/HUMINT (some required reading)
(SM-5) Technical Surveillance Countermeasures Program, Department of Defense, Number 5240.05, Feb. 22, 2006 (some required reading)
(SM-6) NASA COMSEC Procedures and Guidelines, NPG 1600.6A, Effective Date: March 2, 2000, Expiration Date: March 2, 2002 (some required reading)
(SM-7) Automated Information Systems (AIS) Security, Department of Veterans Affairs, VHA Directive 6210, Transmittal Sheet, March 7, 2000 (some required reading)
(SM-8) Automated Information Systems Security Policy, U.S. Customs Service, Office of Information and Technology (some required reading)
(SM-9) Security Standard Operating Procedure No. 4, SSOP NO.4, NAVAL COMMAND, CONTROL, AND OCEAN SURVEILLANCE CENTER (some required reading)
(SM-10) Personnel Security Standard, Virginia's Community Colleges, http://system.vccs.edu/its/InformationSecurityProgram/PersonnelSecurityStandard.htm (some required reading)
(SM-11) Personnel Security, University of Mary Washington, http://www.umw.edu/policies/itsecurityprogram/personnel_security/default.php (some required reading)
(SM-12) Standard Practice Procedures for Security Service, George Mason University, http://www.gmu.edu/departments/universityoperations/SPP%20-%20REV%20Feb%202008.pdf (some required reading)
(SM-13) Security Mechanism, RBC Bank, http://www.rbcbankusa.com/privacy_security/cid-101718.html (some required reading)
(SM-14) Software Security Policy, Purdue University, http://www.purdue.edu/securepurdue/standards/softwareSecurity.cfm (some required reading)
(SM-15) Audit Trails, HP, http://docs.hp.com/en/5992-3387/ch10s05.html (some required reading)
(SM-16) Audit Logging Security Standards, IRS, http://www.irs.gov/irm/part10/ch01s05.html (some required reading)
(SM-17) Defending Medical Information Systems Against Malicious Software, Joint NEMA/COCIR/JIRA Security and Privacy Committee (SPC), http://www.himss.org/content/files/medical-defendingNEMAwhitepaper.pdf (some required reading)
(SM-18) Declassification and Downgrading, Army Regulation 380-5, Chapter 3, http://www.fas.org/irp/doddir/army/ar380-5/iii.htm (some required reading)
(SM-19) Using Context- and Content-Based Trust Policies on the Semantic Web, Christian Bizer & Radoslaw Oldakowski, In Proceedings of WWW2004, May 17-22, 2004, New York, NY, USA, www4.wiwiss.fu-berlin.de/bizer/SWTSGuide/p747-bizer.pdf (some required reading)
(SM-20) Input Signal Rate Guidance, www.altera.com, http://www.altera.com/literature/wp/wp_edge_rate_guidance.pdf (some required reading)
(SM-21) Design of an intelligent materials data base for the IFR, Transactions of the American Nuclear Society, Vol/Issue: 65, American Nuclear Society annual meeting, 7-12 Jun 1992, Boston, MA (United States), DOE Project, http://www.osti.gov/energycitations/product.biblio.jsp?osti_id=7232432 (some required reading)
(SM-22) An Introduction to Computer Security - The NIST Handbook, http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf (some required reading)
Tentative Course Outline: Please note that this is an online course and that the schedule will be followed. You are expected to follow the schedule.

Week 1
Topics: 1. Introduction to Information Security
  1.1. The History of Information Security
  1.2. What is Security / Information Security?
  1.3. Critical Characteristics of Information Security
  1.4. NSTISSC Security Model
  1.5. Information Assurance Model (Maconachy, Schou, Ragsdale (MSR) Cube) (Supplemental Materials SM-1)
  1.6. Components of an Information System
  1.7. Securing Components
  1.8. Balancing Information Security and Access
  1.9. Approaches to Information Security Implementation
  1.10. The Systems Development Life Cycle
  1.11. The Security Systems Development Life Cycle
  1.12. Systems Life Cycle Processes, Certification, and Accreditation (Krutz Ch11, Ch12)
  1.13. Security Professionals and the Organization
  1.14. Communities of Interest
  1.15. Information Security: Is it an Art or a Science?
  1.16. Information Security Terminology
Text chapters: Whitman Ch1 & Krutz Ch11, 12 & SM-1
Tests / Assignments: HW1

Week 2
Topics: 2. The Need for Security
  2.1. Business Needs First
  2.2. Threats
  2.3. Attacks
  2.4. OPSEC Process (Operations Security) (Krutz Ch6 & Supplemental Material SM-3)
  2.5. OPSEC Surveys / OPSEC Planning (Operations Security) (Krutz Ch6 & Supplemental Material)
  2.6. Unclassified Indicators (Operations Security) (Krutz Ch6 & Supplemental Material SM-3)
  2.7. HUMINT (Krutz Ch6, Supplemental Materials SM-4)
  2.8. Media Processes - Attribution, Destruction, Classification, Sanitization, Transportation, Inventory (Krutz Ch6)
  2.9. Security Software Development (Whitman Ch2, Supplemental Materials SM-13, SM-14)
Text chapters: Whitman Ch2 & Krutz Ch6 & SM-3, SM-4, SM-13, SM-14
Tests / Assignments: HW2

Week 3
Topics: 3. Legal, Ethical, and Professional Issues in Information Security
  3.1. Law and Ethics in Information Security
  3.2. Types of Law
  3.3. Relevant U.S. Laws
  3.4. International Laws and Legal Bodies
  3.5. Policy versus Laws
  3.6. Ethics and Information Security
  3.7. Codes of Ethics and Professional Organizations
  3.8. Evidence Collection and Preservation (Krutz Chapter 9)
Text chapters: Whitman Ch3 & Krutz Ch9
Tests / Assignments: HW3

Week 4
Topics: Laboratory 1; Review
Text chapters: TBA
Tests / Assignments: Exam 1 - TBA

Week 5
Topics: 4. Risk Management
  4.1. An Overview of Risk Management
  4.2. Risk Identification
  4.3. Risk Assessment
  4.4. Risk Control Strategies
  4.5. Selecting a Risk Control Strategy
  4.6. Risk Management Discussion Points
  4.7. Documenting Results
  4.8. Recommended Practices in Controlling Risk
  4.9. National Threats, Vulnerabilities, Countermeasures, Risk Management, and other facets of NSTISS (Krutz Ch1)
Text chapters: Whitman Ch4 & Krutz Ch1

Week 6
Topics: 5. Planning for Security
  5.1. Information Security Policy, Standards, and Practices
  5.2. Telecommunication Systems, Telecommunications Policies and Security, Contracts and Reference, Vulnerabilities, Threats, Countermeasures (Krutz Ch3)
  5.3. Security Policies Implementation (Krutz Ch1)
  5.4. The Information Security Blueprint
  5.5. Security Education, Training, and Awareness Program
  5.6. Continuity Strategies
  5.7. AIS Security Policy (Supplemental Materials SM-7 & SM-8)
  5.8. Security Standard Operating Procedure (Supplemental Materials SM-9)
  5.9. COMSEC (Supplemental Materials SM-6)
Text chapters: Whitman Ch5 & Krutz Ch1, Ch3 & SM-6, SM-7, SM-8, SM-9
Tests / Assignments: HW4

Week 7
Topics: 6. Security Technology
  6.1. Physical Design
  6.2. Computer Security - Access Control, Audit, Identification and Authentication, Operating System Security, Trusted Operating Systems, and Object Reuse (Pfleeger Ch3, Ch4, Ch5)
  6.3. Firewalls
  6.4. Protecting Remote Connections
  6.5. Intrusion Detection Systems
  6.6. Honey Pots, Honey Nets, and Padded Cell Systems
  6.7. Scanning and Analysis Tools
  6.8. Access Control Devices
  6.9. Technical Surveillance Countermeasures (Supplemental Materials SM-5)
Text chapters: Whitman Ch6, Ch7 & Pfleeger Ch3, Ch4, Ch5 & SM-5
Tests / Assignments: HW5

Week 8
Topics: 7. Cryptography
  7.1. A Short History of Cryptology
  7.2. Principles of Cryptography
  7.3. Cryptography Tools
  7.4. Protocols for Secure Communications
  7.5. Attacks on Cryptosystems
Text chapters: Whitman Ch8
Tests / Assignments: Exam 2 – TBA

Week 9
Topics: 8. Physical Security
  8.1. Physical Access Control
  8.2. Fire Security and Safety
  8.3. Failure of Supporting Utilities and Structural Collapse
  8.4. Interception of Data
  8.5. Mobile and Portable Systems
  8.6. Special Considerations for Physical Security Threats
Text chapters: Whitman Ch9
Tests / Assignments: HW7; Laboratory 2

Week 10
Topics: 9. Implementing Information Security
  9.1. Project Management for Information Security
  9.2. Technical Topics of Implementation
  9.3. Nontechnical Aspects of Implementation
  9.4. Operations Security (Krutz Ch6)
  9.5. Security Architectures and Design
Text chapters: Whitman Ch10 & Krutz Ch5, Ch6
Tests / Assignments: HW8

Week 11
Topics: 10. Security and Personnel
  10.1. The Security Function Within an Organization's Structure
  10.2. Positioning and Staffing the Security Function
  10.3. Credentials of Information Security Professionals
  10.4. Employment Policies and Practices
  10.5. Security Considerations for Nonemployees
  10.6. Separation of Duties and Collusion (Krutz Ch1, Ch6)
  10.7. Privacy and the Security of Personnel Data
  10.8. Information Classification Roles (Krutz Ch1)
  10.9. Personnel Security Standard (Supplemental Materials SM-10, SM-11, SM-12)
Text chapters: Whitman Ch11 & Krutz Ch1, Ch6 & SM-10, SM-11, SM-12
Tests / Assignments: HW9

Week 12
Topics: 11. Information Security Maintenance
  11.1. Managing for Change
  11.2. Security Management Models
  11.3. The Maintenance Model
  Digital Forensics
Text chapters: Whitman Ch12
Tests / Assignments: HW10; Laboratory 3

Week 13
Topics: 12. TEMPEST Security (Supplemental Materials SM-2)
  12.1. Introduction
  12.2. Definition
  12.3. RED/BLACK Installation Recommendation
  12.4. Guidance for TEMPEST Integrity
  12.5. Secure Voice Systems
  12.6. Sensitive Compartmented Information
Text chapters: SM-2
Important Dates:
TBA
The following information applies to all students in the School of Science:
In addition to the minimum grade requirements established by Hampton University, all majors within the
School of Science must pass all required courses offered within the School of Science with a grade of “C”
or better in order to satisfy degree requirements. The minimum grade requirement is in effect for all
science courses taken during Fall 2001 and beyond.
Course Assignment and Calendar:
Homework Assignments: There are two types of homework assignments: problems and projects. Both
will be issued, with their due dates, in Blackboard. Problems will be used to evaluate your
understanding of the course materials, and projects will be used to evaluate the complexity of the
algorithms studied in class. All projects must be implemented in Java in Unix/Linux environments
(when appropriate). Late submissions will not be accepted and will be counted as zero.
Final Exam
The exam will be given on the date scheduled by the registrar. The exam will be comprehensive. There are
no exemptions from the exam.
TBA
Attendance
Hampton University’s attendance policy will be observed, which means that you are expected to attend all
classes as scheduled. You are responsible for any assignments, deliveries, and class discussions at all
times. I will take attendance at the beginning of each class period. If you are not present for the roll call,
attendance points will be deducted from your grade. I will not tolerate habitual tardiness; it is disruptive
and unfair to your fellow students.
Writing-Across-The-Curriculum
Hampton University adopts the policy in all courses of “writing across the curricula”. In this course, the
objectives will be achieved by homework assignments, program comments, and various tests.
The Ethics Paper: Details about the ethics paper will be provided at least one month prior to the
due date. The ethics paper will be graded based on the criteria listed in “Hampton University
Scoring Rubric”.
Grades
The final grade of this course will be determined by the combined weight of following components:
Examinations (2): 20%
Homework (10): 40%
Laboratory (3): 15%
Ethics Paper: 5%
Final exam (Comprehensive): 20%
Course grades will follow the scale of the university grading system:
A+ 98-100
A 94-97
A- 90-93
B+ 88-89
B 84-87
B- 80-83
C+ 78-79
C 74-77
C- 70-73
D+ 68-69
D 64-67
D- 60-63
F Below 60
Make-Up Policy: No make-up tests will be given without previous arrangements, a
written medical excuse, or an emergency approved by an appropriate university official.
Policy on Academic Dishonesty: Please see page 29 of the Student Handbook.
Cheating: A student caught cheating on an examination or plagiarizing a paper which forms a part of a
course grade shall be given an "F" in the course and will be subject to dismissal from the University. A
student is considered to be cheating if, in the opinion of the person administering an examination (written
or oral), the student gives, seeks, or receives aid during the process of the examination; the student buys,
sells, steals, or otherwise possesses or transmits an examination without authorization; or, the student
substitutes for another or permits substitution for himself/ herself during an examination. All cases of
cheating shall be reported by the instructor to the chair of the department in which the cheating occurred,
to the school dean/division director and to the Provost.
No penalty shall be imposed until the student has been informed of the charge and of the evidence upon
which it is based and has been given an opportunity to present his/her defense. If the faculty member and
the student cannot agree on the facts pertaining to the charge, or if the student wishes to appeal a penalty,
the issue may be taken to the department chair. Each party will present his/her case to the chair who shall
then call a meeting of all involved parties. If the issue is not resolved at the departmental level, the dean
shall conduct a hearing. If the issue is not resolved at the school level either party may appeal the decision
at the school level to the Provost who shall convene the appropriate individuals and conduct a hearing in
order to resolve the issue.
Plagiarism: Plagiarism is defined as "taking and using as one's own the writing or ideas of another." All
materials used to meet assigned written requirements of a course, from any source, must be given proper
credit by citing the source. A student caught plagiarizing a paper which forms a part of a course grade
shall be given an "F" in the course and will be subject to dismissal from the University.
PENALTIES FOR ACADEMIC DISHONESTY
Cases of academic dishonesty are initially investigated and reported by members of the instructional
faculty to the chairperson of the department in which the cheating occurred, to the school dean, division
director and to the Provost. Also, penalties for minor violations of academic dishonesty are to be
recommended at the discretion of the instructor. The penalties for academic dishonesty on examinations
and major course requirements may include one of the following:
1. A grade of "F" on the examination or project.
2. A grade of "F" on the examination or project and dismissal from the course.
3. A grade of “F” on the examination or project, dismissal from the course and from the University.
When dismissal from the University is the recommended penalty, the chairman of the department submits
the details of the case to the Provost who schedules a hearing.
ADMINISTRATIVE ACTION
The Provost has the authority to dismiss or expel any student who fails to meet scholarship requirements or
to abide by academic regulations.
Dress Code:
This code is based on the theory that learning to select attire appropriate to specific occasions and
activities is a critical factor in the total educational process. Understanding and employing the Hampton
University Dress Code will improve the quality of one’s life, contribute to optimum morale, and embellish
the overall campus image. It also plays a major role in instilling a sense of integrity and an appreciation
for values and ethics as students are propelled towards successful careers.
Students will be denied admission to various functions if their manner of dress is inappropriate. On this
premise students at Hampton University are expected to dress neatly at all times. The following are
examples of appropriate dress for various occasions:
1. Classroom, Cafeteria, Student Union and University Offices – casual attire that is neat and
modest.
2. Formal programs in Ogden Hall, the Convocation Center, the Student Center Ballroom, the Little
Theater and the Memorial Chapel – event appropriate attire as required by the event
announcement.
3. Interviews – Business attire.
4. Social/Recreational activities, Residence hall lounges (during visitation hours) – casual attire that
is neat and modest.
5. Balls, Galas, and Cabarets – formal, semi-formal and after five attire, respectively.
Examples of inappropriate dress and/or appearance include but are not limited to:
1. Do-rags, stocking caps, skullcaps and bandannas are prohibited at all times on the campus of
Hampton University (except in the privacy of the student’s living quarters).
2. Head coverings and hoods for men in any building.
3. Baseball caps and hoods for women in any building.
a. This policy item does not apply to headgear considered as a part of religious or cultural
dress.
4. Midriffs or halters, mesh, netted shirts, tube tops or cutoff tee shirts in classrooms, cafeteria,
Student Union and offices;
5. Bare feet;
6. Short shirts;
7. Shorts, all types of jeans at programs dictating professional or formal attire, such as Musical Arts,
Fall Convocation, Founder’s Day, and Commencement;
8. Clothing with derogatory, offensive and/or lewd message either in words or pictures;
9. Men’s undershirts of any color worn outside of the private living quarters of the residence halls.
However, sports jerseys may be worn over a conventional tee-shirt.
Procedure for Cultural or Religious Coverings
1. Students seeking approval to wear headgear as an expression of religious or cultural dress may
make a written request for a review through the Office of the Chaplain.
2. The Chaplain will forward his recommendation to the Dean of Students for final approval.
3. Students that are approved will then have their new ID card picture taken by University Police
with the headgear being worn.
All administrative, faculty and support staff members will be expected to monitor student behavior
applicable to this dress code and report any such disregard or violations to the Offices of the Dean of Men
or Dean of Women for the attention of the Dean of Students.
CODE OF CONDUCT
Joining the Hampton Family is an honor and requires each individual to uphold the policies, regulations, and
guidelines established for students, faculty, administration, professional and other employees, and the laws of
the Commonwealth of Virginia. Each member is required to adhere to and conform to the instructions and
guidance of the leadership of his/her respective area. Therefore, the following are expected of each member
of the Hampton Family:
1. To respect himself or herself.
2. To respect the dignity, feelings, worth, and values of others.
3. To respect the rights and property of others and to discourage vandalism and theft.
4. To prohibit discrimination, while striving to learn from differences in people, ideas, and opinions.
5. To practice personal, professional, and academic integrity, and to discourage all forms of dishonesty,
plagiarism, deceit, and disloyalty to the Code of Conduct.
6. To foster a personal professional work ethic within the Hampton University Family.
7. To foster an open, fair, and caring environment.
8. To be fully responsible for upholding the Hampton University Code.
Students with disabilities which require accommodations should (1) register with the Office of Testing
Services and 504 Compliance to provide documentation and (2) bring the necessary information indicating
the need for accommodation and what type of accommodation is needed. This should be done during the
first week of classes or as soon as the student receives the information. If the instructor is not notified in
a timely manner, retroactive accommodations may not be provided.
DISCLAIMER
This syllabus is intended to give the student guidance in what may be covered during the semester and will
be followed as closely as possible. However, the professor reserves the right to modify, supplement and make
changes as course needs arise.
Hampton University Scoring Rubric
The Hampton University Advisory Council of the Writing Program has approved and recommended the use of
the scoring rubric as a guide for evaluating student-writing performance across the curriculum.
6
A paper in this category:
States purpose (e.g., position or thesis) insightfully, clearly and effectively
Provides thorough, significant development with substantial depth and persuasively marshals support
for position
Demonstrates a focused, coherent, and logical pattern of organization
Displays a high level of audience awareness
Uses disciplinary facts critically and effectively
Has superior control of diction, sentence structure, and syntactic variety, but may have a few minor
flaws in grammar, usage, punctuation, or spelling
Documents sources consistently and correctly using a style appropriate to the discipline
5
A paper in this category:
States purpose (e.g., position or thesis) clearly and effectively
Provides development with some depth and complexity of thought and supports position convincingly
Demonstrates an effective pattern of organization
Displays a clear sense of audience awareness
Uses disciplinary facts effectively
Has good control of diction, sentence structure, and syntactic variety, but may have a few minor
errors in grammar, usage, punctuation, or spelling
Documents sources correctly using a style appropriate to the discipline
4
A paper in this category:
States purpose (e.g., position or thesis) adequately
Provides competent development with little evidence of complexity of thought
Demonstrates an adequate pattern of organization
Displays some degree of audience awareness
Uses disciplinary facts adequately
Has adequate control of diction, sentence structure, and syntactic variety, but may have some errors in
grammar, usage, punctuation, or spelling
Documents sources adequately using a style appropriate to the discipline
3
A paper in this category:
States purpose (e.g., position or thesis) but with varying degrees of clarity
Provides some development for most ideas
Demonstrates some pattern of organization, but with some lapses from the pattern
Displays uneven audience awareness
Uses some disciplinary facts
Has some control of diction, sentence structure, and syntactic variety, but may have frequent errors in
grammar, usage, punctuation, or spelling
Documents sources using a style appropriate to the discipline, but may have errors.
2
A paper in this category:
States purpose (e.g., position or thesis) unclearly
Provides inadequate development of thesis
Demonstrates inconsistent pattern of organization
Displays very little audience awareness
Uses disciplinary facts ineffectively
Has little control of diction, sentence structure, and syntactic variety, and may have a pattern of
errors in grammar, usage, punctuation, or spelling
Acknowledges sources but does not document them using a style appropriate to the discipline
1
A paper in this category:
Fails to state purpose (e.g., position or thesis)
Fails to develop most ideas
Lacks a pattern of organization
Displays no audience awareness
Uses few or no disciplinary facts
Lacks control of diction, sentence structure, and syntactic variety, with a pattern of errors in
grammar, usage, punctuation, or spelling
Fails to document or acknowledge sources
Mapping to NSTISSI 4011 Standard
C. Security Basics (Awareness
Level)
Instructional/Behavioral
Content
a Using the Comprehensive
Model of Information Systems
Security, introduce a
comprehensive model of
information systems security
that addresses:
* The student will list and describe
the elements of AIS security.
Topic 1.2-1.3 Pg. 8-9 Whitman
* The student will summarize security
disciplines used in protecting
government automated information
systems.
Topic 1.2-1.7 Pg. 8-17 Whitman
b critical characteristics of
information information states,
and security measures.
* Student will give examples of
determinants of critical
information.
Topic 1.2-1.8 Pg. 3-18 Whitman
Topical Content
a INFOSEC Overview: Chapter 2: The Need for Security Whitman
* threats Topic 2.2, Chapter 2: Threats Pg. 38- 59 Whitman
* vulnerabilities Topic 2.2, 2.3, 4.9, Whitman Chapter 2: Attacks
Pg. 60-68 / Krutz Chapter1: Information Security
and Risk Management Pg. 28
Whitman +
Krutz
Quality Enhancement Plan (QEP): From These Roots … A Foundation for Life: Mathematics and Financial Literacy
21
* critical information characteristics Chapter 1: Introduction Whitman
+ confidentiality Topic 1.2-1.5, Chapter 1: Confidentiality Pg. 10 Whitman
+ integrity Topic 1.2-1.5, Chapter 1: Integrity Pg. 12 Whitman
+ availability Topic 1.2-1.5, Chapter 1: Availability Pg. 10 Whitman
* information states Whitman
+ transmission Topic 1.4-1.5, Chapter 1: NSTISSC Security
Model Pg. 13
Whitman
+ storage Topic 1.4-1.5, Chapter 1: NSTISSC Security
Model Pg. 13
Whitman
+ processing Topic 1.4-1.5, Chapter 1: NSTISSC Security
Model Pg. 13
Whitman
* security countermeasures
+ technology Topic 6.1-6.8 Chapter 6 & 7: Security
Technology Pg. 243-282
Whitman
+ policy, procedures and practices Topic 1.4-1.5, 5.1,5.3,5.4, Chapter 1:
Information Security Policy, Standards, and
Practices Pg. 173-185
Whitman
+ education, training and awareness Topic 1.4-1.5, 5.6, Chapter 5: Security
Education, Training, and Awareness Program
Pg. 203-206
Whitman
b Operations Security (OPSEC):
* OPSEC process Topic 2.4, Krutz Chapter 6: Operations Security
Pg. 339-358 / OPSEC (Supplemental materials
SM-3)
Krutz +
Supplemental
materials
* INFOSEC and OPSEC
interdependency
Topic 2.4, Krutz Chapter 6: Operations Security
Pg. 339-358 / OPSEC (Supplemental materials
SM-3)
Krutz +
Supplemental
materials
Quality Enhancement Plan (QEP): From These Roots … A Foundation for Life: Mathematics and Financial Literacy
22
* unclassified indicators Topic 2.4, Krutz Chapter 6: Operations Security
Pg. 339-358 / OPSEC (Supplemental materials
SM-3)
Krutz +
Supplemental
materials
* OPSEC surveys/OPSEC planning Topic 2.4, Krutz Chapter 6: Operations Security
Pg. 339-358 / OPSEC (Supplemental materials
SM-3)
Krutz +
Supplemental
materials
c Information Security:
* policy Topic 5.1, Chapter 5: Information Security
Policy, Standards, and Practices Pg. 174
Whitman
* roles and responsibilities Topic 10.2, Chapter 11: Positioning & Staffing
the Security Function Pg. 473-479
Whitman
* application dependent guidance Input Signal Rage Guidance (supplemental
materials SM-20); Design of an intelligent
materials data base for the IFR (supplemental
materials SM-21)
Supplemental
materials
d INFOSEC
* cryptography
+ strength (e.g., complexity, secrecy,
characteristics of the key)
Topic 7.2 Chapter 8: Cryptographic Algorithms Pg.
354-375
Whitman
+ encryption (e.g., point-to-point, network,
link)
Topic 7.2 Chapter 8: Cryptographic Algorithms Pg.
354-375
Whitman
+ key management (to include electronic
key)
Topic 7.2 Chapter 8: Cryptographic Algorithms Pg.
354-375
Whitman
* transmission security Topic 1.4-1.5 Whitman Chapter 1: NSTISSC
Security Model Pg. 14 / Information Assurance
Model (Maconachy, Schou, Ragsdale (MSR)
Cube)(Supplemental materials SM-1)
Whitman +
Supplemental
materials
* emanations security Topic 12.1, 12.3, 12.4 12. TEMPEST Security
(supplemental materials SM-2)
Supplemental
materials
* physical, personnel and
administrative security
Topic 8.1-8.6, 10.1-10.7 Chapter 9: Physical
security Pg. 391-429. Chapter 11: Security and
Personnel Pg. 469-502
Whitman
* computer security
+ identification and authentication Topic 1.5, 6.2, 6.8, Pfleeger Chapter 2, 3, 5 /
Whitman Chapter 7: Security Technology Pg.
338 / Information Assurance Model (Maconachy,
Schou, Ragsdale (MSR) Cube)(Supplemental
materials SM-1)
Pfleeger +
Whitman +
supplemental
materials
+ access control Topic 6.2, 6.8, Pfleeger Chapter 2, 3, 5: Security
Features of Trusted Operating Systems Pg. 208-
213 / Whitman Chapter 7: Security Technology
Pg. 338
Pfleeger +
Whitman
+ audit Topic 6.2, 11.1, Pfleeger Chapter 2, 3, 5:
Security Features of Trusted Operating Systems
Pg. 269-273 / Whitman Chapter 12: Information
Security Maintenance Pg. 517
Pfleeger +
Whitman
+ object reuse Topic 6.2, Chapter 5: Security Features of
Trusted Operating Systems Pg. 270
Pfleeger
D. NSTISS Basics (Awareness
Level)
Instructional/Behavioral
Content
a Describe components (with
examples to include: national
policy, threats and
vulnerabilities,
countermeasures, risk
management, roles of organizational
units, facets of NSTISS)
* Outline national NSTISS Policies. Topic 5.1, 5.3, Whitman Chapter 5: Information
Security Policy, Standards, and Practices Pg.
172-186 / Krutz Chapter 1: Security Policy
Implementation Pg. 20-24
Whitman +
Krutz
* Cite examples of threats and
vulnerabilities of an AIS.
Topic 2.2-2.3, 4.9, Whitman Chapter 2: Threats
and Attacks Pg. 40-73 / Krutz Chapter 1:
Information Security and Risk Management Pg.
28
Whitman +
Krutz
* Give examples of Agency
implementation of NSTISS policy,
practices and procedures.
Topic 5.1-5.3, Whitman Chapter 5: Information
Security Policy, Standards, and Practices Pg.
172-184 / Krutz Chapter 1: Security Policy
Implementation 20-24
Whitman +
Krutz
Topical Content
a National Policy and Guidance:
* AIS security Topic 5.1, 5.3, Whitman Chapter 5: Information
Security Policy, Standards, and Practices Pg.
172-186 / Krutz Chapter 1: Security Policy
Implementation Pg. 20-24
Whitman +
Krutz
* communications security Topic 5.2, Chapter 3: Telecommunications and
Network Security Pg. 95-96
Krutz
* protection of information Topic 1.4-1.5, 5.5-5.6, Whitman Chapter 1:
NSTISSC Security Model Pg. 13, Chapter 5:
Planning for Security Pg. 186-208 / Information
Assurance Model (Maconachy, Schou, Ragsdale
(MSR) Cube)(Supplemental materials SM-1)
Whitman +
supplemental
materials
* employee accountability for agency
information
Topic 10.4 chapter 11: Privacy and the security
of Personnel Data. Pg. 492-500
Whitman
b Threats to and Vulnerabilities of
Systems:
* definition of terms (e.g., threats,
vulnerabilities, risk)
Topic 1.16 Chapter 1: Information Security
Terminology. Pg. 30-31
Whitman
* major categories of threats (e.g.,
fraud, Hostile Intelligence Service
(HOIS), malicious logic, hackers,
environmental and technological
hazards, disgruntled employees,
careless employees, HUMINT, and
monitoring)
Topic 2.2 Chapter 2: Threats Pg. 40-63 Whitman
* threat impact areas Topic 2.2 Chapter 2: Threats Pg. 40-63 Whitman
c Legal Elements:
* fraud, waste and abuse Topic 3.1-3.5 Chapter 3: Legal, Ethical, and
Professional Issues Pg. 87-99
Whitman
* criminal prosecution Topic 3.1-3.5 Chapter 3: Legal, Ethical, and
Professional Issues Pg. 87-99
Whitman
* evidence collection and
preservation
Topic 3.8, Chapter 9: Legal, Regulations,
Compliance, and Investigation Pg. 497-498
Krutz
* investigative authorities Topic 3.1-3.5 Chapter 3: Legal, Ethical, and
Professional Issues Pg. 87-99
Whitman
d Countermeasures:
* cover and deception Topic 6.6, Chapter 7: Security Technology Pg.
320-321
Whitman
* HUMINT Topic 2.7, Krutz Chapter 6: Operational E-mail
Security Pg. 382-386 / HUMINT (supplemental
materials SM-4)
Krutz +
supplemental
materials
* monitoring (e.g., data, line) Topic 6.5, 6.7, 6.8, Chapter 6: Security
Technology Pg. 289-300
Whitman
* technical surveillance
countermeasures
Topic 6.9, Technical Surveillance
Countermeasures (supplemental materials SM-5)
supplemental
materials
* education, training, and awareness Topic 5.5, Chapter 5: Security Education,
Training, and Awareness Pg. 206-209
Whitman
* assessments (e.g., surveys,
inspections)
Topic 6.1-6.8, Chapter 6 & 7: Security
Technology Pg. 243-279, 287-342
Whitman
e Concepts of Risk Management:
* threat and vulnerability assessment Topic 4.3, 4.9, Whitman Chapter 4: Risk
Assessment Pg. 139-144 / Krutz Chapter 1: Risk
Management and Assessment Pg. 26-30
Whitman +
Krutz
* cost/benefit analysis of controls Topic 4.4-4.5, Chapter 4: Risk Management Pg.
145-154
Whitman
* implementation of cost-effective
controls
Topic 4.4-4.5, Chapter 4: Risk Management Pg.
145-154
Whitman
* consequences (e.g., corrective
action, risk assessment)
Topic 4.4-4.5, Chapter 4: Risk Management Pg.
145-154
Whitman
* monitoring the efficiency and
effectiveness of controls (e.g.,
unauthorized or inadvertent
disclosure of information)
Topic 4.4-4.5, Chapter 4: Risk Management Pg.
145-154
Whitman
f Concepts of System Life Cycle
Management:
* requirements definition (e.g.,
architecture)
Topic 1.10-1.12,10.3, Whitman Chapter 1:
Introduction to Information Security Pg. 20-28;
Whitman Chapter 11: Security and Personnel
Pg. 479-491 / Krutz Chapter 11: Understanding
Certification and Accreditation Pg. 559-578;
Krutz Chapter 12: Initiation of System
Authorization Process Pg. 585-610
Whitman +
Krutz
* development Topic 1.10-1.12,10.3, Whitman Chapter 1:
Introduction to Information Security Pg. 20-28,
Whitman Chapter 11: Security and Personnel
Pg. 479-491 / Krutz Chapter 11: Understanding
Certification and Accreditation Pg. 559-578,
Krutz Chapter 12: Initiation of System
Authorization Process Pg. 585-610
Whitman +
Krutz
* demonstration and validation
(testing)
Topic 1.10-1.12,10.3, Whitman Chapter 1:
Introduction to Information Security Pg. 20-28,
Whitman Chapter 11: Security and Personnel
Pg. 479-491 / Krutz Chapter 11: Understanding
Certification and Accreditation Pg. 559-578,
Krutz Chapter 12: Initiation of System
Authorization Process Pg. 585-610
Whitman +
Krutz
* implementation Topic 1.10-1.12,10.3, Whitman Chapter 1:
Introduction to Information Security Pg. 20-28;
Whitman Chapter 11: Security and Personnel
Pg. 479-491 / Krutz Chapter 11: Understanding
Certification and Accreditation Pg. 559-578;
Krutz Chapter 12: Initiation of System
Authorization Process Pg. 585-610
Whitman +
Krutz
* security (e.g., certification and
accreditation)
Topic 1.10-1.12,10.3, Whitman Chapter 1:
Introduction to Information Security Pg. 20-28;
Whitman Chapter 11: Security and Personnel
Pg. 479-491 / Krutz Chapter 11: Understanding
Certification and Accreditation Pg. 559-578;
Krutz Chapter 12: Initiation of System
Authorization Process Pg. 585-610
Whitman +
Krutz
* operations and maintenance (e.g.,
configuration management)
Topic 1.10-1.12,10.3, Whitman Chapter 1:
Introduction to Information Security Pg. 20-28;
Whitman Chapter 11: Security and Personnel
Pg. 479-491 / Krutz Chapter 11: Understanding
Certification and Accreditation Pg. 559-578;
Krutz Chapter 12: Initiation of System
Authorization Process Pg. 585-610
Whitman +
Krutz
g Concepts of Trust:
* policy Topic 6.2, 9.4, Pfleeger Chapter 5: Designing
Trusted Operating Systems Pg. 229-232 / Krutz
Chapter 6: Operations Security Pg. 346-349 /
Using Context- and Content-Based Trust Policies
on the Semantic Web (supplemental materials
SM-19)
Pfleeger +
Krutz +
supplemental
materials
* mechanism Topic 6.2, 9.4, Pfleeger Chapter 5: Designing
Trusted Operating Systems Pg. 229-232 / Krutz
Chapter 6: Operations Security Pg. 346-349 /
Using Context- and Content-Based Trust Policies
on the Semantic Web (supplemental materials
SM-19)
Pfleeger +
Krutz +
supplemental
materials
* assurance Topic 2.9, 6.2, 9.5, Krutz Chapter 2: Secure
Software Development, Pg. 73-74; Krutz Chapter
5: Security Architecture and Design Pg. 314-316
/ Pfleeger Chapter 5: Designing Trusted
Operating Systems Pg. 229-232
Krutz +
Pfleeger
h Modes of Operation:
* dedicated Topic 9.4, Chapter 6: Operations Security Pg.
349-350
Krutz
* system-high Topic 9.4, Chapter 6: Operations Security Pg.
349-350
Krutz
* compartmented/partitioned Topic 9.4, Chapter 6: Operations Security Pg.
349-350
Krutz
* multilevel Topic 9.4, Chapter 6: Operations Security Pg.
349-350
Krutz
i Roles of Various Organizational
Personnel
* senior management Topic 10.1-10.4, 10.8 Whitman Chapter 11:
Security and Personnel Pg. 471-479 / Krutz
Chapter 1: Information Classification Roles Pg.
16-20
Whitman +
Krutz
* program or functional managers Topic 10.1-10.4, 10.8 Whitman Chapter 11:
Security and Personnel Pg. 471-479 / Krutz
Chapter 1: Information Classification Roles Pg.
16-20
Whitman +
Krutz
* system manager and system staff Topic 10.1-10.4, 10.8 Whitman Chapter 11:
Security and Personnel Pg. 471-479 / Krutz
Chapter 1: Information Classification Roles Pg.
16-20
Whitman +
Krutz
* telecommunications office and staff Topic 10.1-10.4, 10.8 Whitman Chapter 11:
Security and Personnel Pg. 471-479 / Krutz
Chapter 1: Information Classification Roles Pg.
16-20
Whitman +
Krutz
* security office Topic 10.1-10.4, 10.8 Whitman Chapter 11:
Security and Personnel Pg. 471-479 / Krutz
Chapter 1: Information Classification Roles Pg.
16-20
Whitman +
Krutz
* COMSEC custodian Topic 10.1-10.4, 10.8 Whitman Chapter 11:
Security and Personnel Pg. 471-479 / Krutz
Chapter 1: Information Classification Roles Pg.
16-20
Whitman +
Krutz
* INFOSEC Officer Topic 10.1-10.4, 10.8 Whitman Chapter 11:
Security and Personnel Pg. 471-479 / Krutz
Chapter 1: Information Classification Roles Pg.
16-20
Whitman +
Krutz
* information resources management
staff
Topic 10.1-10.4, 10.8 Whitman Chapter 11:
Security and Personnel Pg. 471-479 / Krutz
Chapter 1: Information Classification Roles Pg.
16-20
Whitman +
Krutz
* audit office Topic 10.1-10.4, 10.8 Whitman Chapter 11:
Security and Personnel Pg. 471-479 / Krutz
Chapter 1: Information Classification Roles Pg.
16-20
Whitman +
Krutz
* OPSEC managers Topic 10.1-10.4, 10.8 Whitman Chapter 11:
Security and Personnel Pg. 471-479 / Krutz
Chapter 1: Information Classification Roles Pg.
16-20
Whitman +
Krutz
* end users Topic 10.1-10.4, 10.8 Whitman Chapter 11:
Security and Personnel Pg. 471-479 / Krutz
Chapter 1: Information Classification Roles Pg.
16-20
Whitman +
Krutz
j Facets of NSTISS:
* protection of areas Topic 8.1-8.6 Chapter 9: Physical Security Pg.
399-429
Whitman
* protection of equipment Topic 8.1-8.6 Chapter 9: Physical Security Pg.
399-429
Whitman
* protection of passwords Topic 6.8 Chapter 7: Security Technology Pg.
338-339
Whitman
* protection of files and data Topic 6.5-6.8 Chapter 7: Security Technology
Pg. 287-342
Whitman
* protection against malicious logic Topic 2.9 Chapter 2: The Need For Security Pg.
73-80
Whitman
* backup of data and files Topic 9.4 Chapter 6: Operation Security Pg.
378-382
Krutz
* protection of magnetic storage
media
Topic 2.8 Chapter 6: Operation Security Pg.
362-364
Krutz
* protection of voice communications Topic 5.2 Chapter 3: Telecommunications and
Network Security Pg. 95
Krutz
* protection of data communications Topic 5.2 Chapter 3: Telecommunications and
Network Security Pg. 95
Krutz
* protection of keying material Topic 7.2 Chapter 8: Cryptography Pg. 364-375
/ NASA COMSEC Procedures and Guidelines
(supplemental materials SM-6)
Whitman +
supplemental
materials
* application of cryptographic
systems
Topic 7.3 Chapter 8: Cryptography, Pg. 375-382 Whitman
* transmission security
countermeasures (e.g., callsigns,
frequency, and pattern forewarning
protection)
Topic 5.2 Chapter 3: Telecommunications and
Network Security Pg. 95-221
Krutz
* reporting security violations Topic 3.7, 11.3, Chapter 3: Legal and
Professional Issues in Information Security 108-
111; Chapter 12: Information Security
Maintenance Pg. 524-525
Whitman
E. System Operating Environment
(Awareness Level)
Instructional/Behavioral
Content
a Outline Agency specific AIS and
telecommunications systems.
* Summarize Agency AIS and
telecommunications systems in
operation.
Topic 5.1-5.3, 5.7, Whitman Chapter 5:
Information Security Policy, Standards, and
Practices Pg. 172-186 / Krutz Chapter 1:
Policies, Standards, Guidelines, and Procedure
Pg. 20-26; Krutz Chapter 3:
Telecommunications and Network Security Pg.
95-98 / AIS Security (Policy) (supplemental
materials SM-7, SM-8)
Whitman +
Krutz +
supplemental
materials
b Describe Agency "control
points" for purchase and
maintenance of Agency AIS and
telecommunications systems
* Give examples of current Agency
AIS/telecommunications systems
and configurations.
Topic 5.1-5.3, 5.7, Whitman Chapter 5:
Information Security Policy, Standards, and
Practices Pg. 172-186 / Krutz Chapter 1:
Policies, Standards, Guidelines, and Procedure
Pg. 20-26; Krutz Chapter 3:
Telecommunications and Network Security Pg.
95-98 / AIS Security (Policy) (supplemental
materials SM-7, SM-8)
Whitman +
Krutz +
supplemental
materials
c Review Agency AIS and
telecommunications security
policies
* List Agency-level contact points for
AIS and telecommunications
systems and maintenance.
Topic 5.1-5.3, 5.7, Whitman Chapter 5:
Information Security Policy, Standards, and
Practices Pg. 172-186 / Krutz Chapter 1:
Policies, Standards, Guidelines, and Procedure
Pg. 20-26; Krutz Chapter 3:
Telecommunications and Network Security Pg.
95-98 / AIS Security (Policy) (supplemental
materials SM-7, SM-8)
Whitman +
Krutz +
supplemental
materials
* Cite appropriate policy and
guidance.
Topic 5.1-5.3, 5.7, Whitman Chapter 5:
Information Security Policy, Standards, and
Practices Pg. 172-186 / Krutz Chapter 1:
Policies, Standards, Guidelines, and Procedure
Pg. 20-26; Krutz Chapter 3:
Telecommunications and Network Security Pg.
95-98 / AIS Security (Policy) (supplemental
materials SM-7, SM-8)
Whitman +
Krutz +
supplemental
materials
Topical Content
c Agency Specific Security
Policies:
* guidance Topic 5.1-5.3, 5.7, Whitman Chapter 5:
Information Security Policy, Standards, and
Practices Pg. 172-186 / Krutz Chapter 1:
Policies, Standards, Guidelines, and Procedure
Pg. 20-26; Krutz Chapter 3:
Telecommunications and Network Security Pg.
95-98 / AIS Security (Policy) (supplemental
materials SM-7, SM-8)
Whitman +
Krutz +
supplemental
materials
* roles and responsibilities Topic 5.1-5.3, 5.7, Whitman Chapter 5:
Information Security Policy, Standards, and
Practices Pg. 172-186 / Krutz Chapter 1:
Policies, Standards, Guidelines, and Procedure
Pg. 20-26; Krutz Chapter 3:
Telecommunications and Network Security Pg.
95-98 / AIS Security (Policy) (supplemental
materials SM-7, SM-8)
Whitman +
Krutz +
supplemental
materials
* points of contact Topic 5.1-5.3, 5.7, Whitman Chapter 5:
Information Security Policy, Standards, and
Practices Pg. 172-186 / Krutz Chapter 1:
Policies, Standards, Guidelines, and Procedure
Pg. 20-26; Krutz Chapter 3:
Telecommunications and Network Security Pg.
95-98 / AIS Security (Policy) (supplemental
materials SM-7, SM-8)
Whitman +
Krutz +
supplemental
materials
d Agency specific AIS and
telecommunications policies
* points of contact Topic 5.1-5.3, 5.7, Whitman Chapter 5:
Information Security Policy, Standards, and
Practices Pg. 172-186 / Krutz Chapter 1:
Policies, Standards, Guidelines, and Procedure
Pg. 20-26; Krutz Chapter 3:
Telecommunications and Network Security Pg.
95-98 / AIS Security (Policy) (supplemental
materials SM-7, SM-8)
Whitman +
Krutz +
supplemental
materials
* references Topic 5.1-5.3, 5.7, Whitman Chapter 5:
Information Security Policy, Standards, and
Practices Pg. 172-186 / Krutz Chapter 1:
Policies, Standards, Guidelines, and Procedure
Pg. 20-26; Krutz Chapter 3:
Telecommunications and Network Security Pg.
95-98 / AIS Security (Policy) (supplemental
materials SM-7, SM-8)
Whitman +
Krutz +
supplemental
materials
F. NSTISS Planning and
Management (Performance
Level)
Instructional/Behavioral
Content
a Discuss practical performance
measures employed in designing
security measures and
programs
* Builds a security plan that
encompasses NSTISS components
in designing protection/security for
an instructor-supplied description
of an AIS telecommunications
system.
Topic 5.4, Chapter 5: The Information Security
Blueprint, Pg. 186-201
Whitman
b Introduce generic security
planning guidelines/documents
Topic 5.1-5.4, Whitman Chapter 5: Information
Security Policy, Standards, and Practices Pg.
172-201 / Krutz Chapter 1: Policies, Standards,
Guidelines, and Procedure Pg. 20-26; Krutz
Chapter 3: Telecommunications and Network
Security Pg. 95-98
Whitman +
Krutz
Topical Content
a Security Planning
* directives and procedures for
NSTISS policy
Topic 1.4, 5.3, Whitman Chapter 1: NSTISSC
Security Model Pg. 13-14 / Krutz Chapter 1:
Security Policy Implementation Pg. 20-26
Whitman +
Krutz
* NSTISS program budget Topic 1.4, 5.3, Whitman Chapter 1: NSTISSC
Security Model Pg. 13-14 / Krutz Chapter 1:
Security Policy Implementation Pg. 20-26
Whitman +
Krutz
* NSTISS program evaluation Topic 1.4, 5.3, Whitman Chapter 1: NSTISSC
Security Model Pg. 13-14 / Krutz Chapter 1:
Security Policy Implementation Pg. 20-26
Whitman +
Krutz
* NSTISS training (content and
audience definition)
Topic 1.4, 5.3, Whitman Chapter 1: NSTISSC
Security Model Pg. 13-14 / Krutz Chapter 1:
Security Policy Implementation Pg. 20-26
Whitman +
Krutz
b Risk Management
* information identification Topic 4.1-4.2, Chapter 4: Risk Management Pg.
115-138
Whitman
* roles and responsibilities of all the
players in the risk analysis process
Topic 4.1-4.2, Chapter 4: Risk Management Pg.
115-138
Whitman
* risk analysis and/or vulnerability
assessment components
Topic 4.1-4.2, Chapter 4: Risk Management Pg.
115-138
Whitman
* risk analysis results evaluation Topic 4.1-4.2, Chapter 4: Risk Management Pg.
115-138
Whitman
* corrective actions Topic 4.1-4.2, Chapter 4: Risk Management Pg.
115-138
Whitman
* acceptance of risk (accreditation) Topic 4.1-4.2, Chapter 4: Risk Management Pg.
115-138
Whitman
c Systems Life Cycle Management
* management control process
(ensure that appropriate
administrative, physical, and
technical safeguards are
incorporated into all new
applications and into significant
modifications to existing
applications)
Topic 1.1, 9.4, Whitman Chapter 1: Introduction
to Information Security Pg. 25-28 / Krutz
Chapter 6: Operations Security Pg. 339-387
Whitman +
Krutz
* evaluation of sensitivity of the
application based upon risk
analysis - determination of security
specifications
Topic 1.11, 4.1-4.2, Chapter 1: Introduction to
Information Security Pg. 25-28; Chapter 4: Risk
Management Pg. 115-138
Whitman
* design review and systems test
performance (ensure required
safeguards are operationally
adequate)
Topic 1.11, Chapter 1: Introduction to
Information Security Pg. 25-28
Whitman
* systems certification and
accreditation process
Topic 1.12, Chapter 11: Understanding
Certification and Accreditation Pg. 559-578;
Chapter 12: Initiation of the System
Authorization Process Pg. 586-610
Krutz
* acquisition Topic 1.11, 11.4, Chapter 1: Introduction to
Information Security Pg. 25-28; Chapter 12:
Information Security Maintenance Pg. 550
Whitman
d Contingency Planning/Disaster
Recovery
* contingency plan components Topic 5.6, Chapter 5: Planning for Security, Pg.
210
Whitman
* agency response procedures and
continuity of operations
Topic 5.6 Chapter 5: Planning for Security, Pg.
215-230
Whitman
* team member responsibilities in
responding to an emergency
situation
Topic 5.6 Chapter 5: Planning for Security, Pg.
215-230
Whitman
* guidelines for determining critical
and essential workload
Topic 5.4, 5.6, Chapter 5: Planning for Security,
Pg. 186-201, 209-233
Whitman
* determination of backup
requirements
Topic 5.6 Chapter 5: Planning for Security, Pg.
225-228
Whitman
* development of procedures for off-
site processing
Topic 5.6 Chapter 5: Planning for Security, Pg.
230-230
Whitman
* development of plans for recovery
actions after a disruptive event
Topic 5.6 Chapter 5: Planning for Security, Pg.
228-232
Whitman
* emergency destruction procedures Topic 5.8, Security Standard Operating
Procedure No.4 (supplemental materials SM-9)
supplemental
materials
G. NSTISS Policies and
Procedures (Performance
Level)
Instructional/Behavioral
Content
a List and describe: specific
technological, policy, and
educational solutions for
NSTISS.
* Playing the role of either a system
penetrator or system protector, the
student will discover points of
exploitation and apply appropriate
countermeasures in an
instructor-supplied description of
an Agency AIS/telecommunications
system.
Topic 5.1-5.2, Whitman Chapter 5: Planning for
Security Pg. 172-186 / Krutz Chapters 3:
Telecommunications and Network Security Pg.
95-98
Whitman +
Krutz
b List and describe: elements of
vulnerability and threat that exist in
an AIS/telecommunications
system and the corresponding
protection measures.
Topic 2.2-2.3, 5.2, Whitman Chapter 2: The
Need for Security Pg. 40-73 / Krutz Chapters 3:
Telecommunication and Network Security Pg.
95-98
Whitman +
Krutz
Topical Content
a Physical Security Measures:
* building construction Topic 8.1-8.6 chapter 9: Physical Security Pg.
399-430
Whitman
* alarms Topic 8.1-8.6 chapter 9: Physical Security Pg.
399-430
Whitman
* information systems centers Topic 8.1-8.6 chapter 9: Physical Security Pg.
399-430
Whitman
* communications centers Topic 8.1-8.6 chapter 9: Physical Security Pg.
399-430
Whitman
* shielding Topic 8.1-8.6 chapter 9: Physical Security Pg.
399-430
Whitman
* cabling Topic 8.1-8.6 chapter 9: Physical Security Pg.
399-430
Whitman
* filtered power Topic 8.1-8.6 chapter 9: Physical Security Pg.
399-430
Whitman
* physical access control systems
(key cards, locks and alarms)
Topic 8.1-8.6 chapter 9: Physical Security Pg.
399-430
Whitman
* stand-alone systems and
peripherals
Topic 8.1-8.6 chapter 9: Physical Security Pg.
399-430
Whitman
* environmental controls (humidity
and air conditioning)
Topic 8.1-8.6 chapter 9: Physical Security Pg.
399-430
Whitman
* fire safety controls Topic 8.1-8.6 chapter 9: Physical Security Pg.
399-430
Whitman
* storage area controls Topic 8.1-8.6 chapter 9: Physical Security Pg.
399-430
Whitman
* power controls (regulator,
uninterrupted power service (UPS),
and emergency power-off switch)
Topic 8.1-8.6 chapter 9: Physical Security Pg.
399-430
Whitman
* protected distributed systems Topic 8.1-8.6 chapter 9: Physical Security Pg.
399-430
Whitman
b Personnel Security Practices
and Procedures:
* position sensitivity Topic 10.4, 10.9, Whitman Chapter 11: Security
and Personnel, Pg. 492-496 / Personnel Security
Standard (Supplemental Materials SM-10, SM-
11, SM-12)
Whitman +
supplemental
materials
* employee clearances Topic 10.4, 10.9, Whitman Chapter 11: Security
and Personnel, Pg. 492-496 / Personnel Security
Standard (Supplemental Materials SM-10, SM-
11, SM-12)
Whitman +
supplemental
materials
* access authorization/verification
(need-to-know)
Topic 5.5, 10.6, 10.9, Whitman Chapter 5,
Planning for Security Pg. 206-208 / Krutz
Chapter 1: Information Security and Risk
Management Pg. 25-26 / Personnel Security
Standard (Supplemental Materials SM-10, SM-
11, SM-12)
Whitman +
Krutz +
supplemental
materials
* security training and awareness
(initial and refresher)
Topic 5.5, 10.6, 10.9, Whitman Chapter 5,
Planning for Security Pg. 206-208 / Krutz
Chapter 1: Information Security and Risk
Management Pg. 25-26 / Personnel Security
Standard (Supplemental Materials SM-10, SM-
11, SM-12)
Whitman +
Krutz +
supplemental
materials
* systems maintenance personnel -
contractors
Topic 10.2, 10.9, Whitman Chapter 11: Security
and Personnel Pg. 471-473 / Personnel Security
Standard (Supplemental Materials SM-10, SM-
11, SM-12)
Whitman +
Krutz +
supplemental
materials
c Software Security:
* configuration management Topic 1.10, 5.4, 9.4, 11.1, Whitman Chapter 1:
The System Development Life Cycle Pg. 20-25;
Whitman Chapter 5: The Information Security
Blueprint Pg. 186-201; Whitman Chapter 12:
Managing for Change Pg. 514 / Krutz Chapter 6:
Operations Security Pg. 351-358
Whitman +
Krutz
* programming standards and
controls
Topic 1.10, 5.4, 9.4, 11.1, Whitman Chapter 1:
The System Development Life Cycle Pg. 20-25;
Whitman Chapter 5: The Information Security
Blueprint Pg. 186-201; Whitman Chapter 12:
Managing for Change Pg. 514 / Krutz Chapter 6:
Operations Security Pg. 351-358
Whitman +
Krutz
* documentation Topic 1.10, 5.4, 9.4, 11.1, Whitman Chapter 1:
The System Development Life Cycle Pg. 20-25;
Whitman Chapter 5: The Information Security
Blueprint Pg. 186-201; Whitman Chapter 12:
Managing for Change Pg. 514 / Krutz Chapter 6:
Operations Security Pg. 351-358
Whitman +
Krutz
* change controls Topic 1.10, 5.4, 9.4, 11.1, Whitman Chapter 1:
The System Development Life Cycle Pg. 20-25;
Whitman Chapter 5: The Information Security
Blueprint Pg. 186-201; Whitman Chapter 12:
Managing for Change Pg. 514 / Krutz Chapter 6:
Operations Security Pg. 351-358
Whitman +
Krutz
* software security mechanisms to
protect information
Topic 2.9, Security Mechanism / Security
Software Policy (supplemental materials SM-13,
SM-14)
supplemental
materials
* segregation of duties Topic 10.6, Krutz Chapter 1: Information
Security and Risk Management Pg. 25-26;
Chapter 6: Operations Security Pg. 346-347
Krutz
* concept of least privilege Topic 9.4, Chapter 6: Operations Security Pg.
355-356
Krutz
* application security features Topic 1.6, 1.7, 2.9, Chapter 1: Introduction to
Information Security Pg. 14-16; Chapter 2:
Secure Software Development Pg. 73-74
Whitman
* audit trails and logging Topic 11.2 Whitman Chapter 12: Information
Security Maintenance Pg. 517-518 / Audit Trails
(supplemental materials SM-15, SM-16)
Whitman +
supplemental
materials
* operating systems security features Topic 6.2, Pfleeger Chapter 5: Designing
Trusted Operating Systems, Pg. 229-230
Pfleeger
* need-to-know controls Topic 9.4, Chapter 6: Operations Security Pg.
360-361
Krutz
* malicious logic protection Topic 2.9, Whitman Chapter 2: Secure Software
Development, Pg. 75-80 / Defending Medical
Information Systems Against Malicious Software
(supplemental materials SM-17)
Whitman +
supplemental
materials
* assurance Topic 2.9, 9.5, Chapter 2: Secure Software
Development, Pg. 73-74; Chapter 5: Security
Architecture and Design Pg. 314-316
Whitman
e Administrative Security
Procedural Controls:
* external marking of media Topic 2.8, Chapter 6: Operations Security Pg.
362-364
Krutz
* destruction of media Topic 2.8, Chapter 6: Operations Security Pg.
363
Krutz
* sanitization of media - construction,
changing, issuing and deleting
passwords
Topic 2.8, Chapter 6: Operations Security Pg.
362
Krutz
* transportation of media Topic 2.8, Chapter 6: Operations Security Pg.
362-364
Krutz
* reporting of computer misuse or
abuse
Topic 3.7, 11.3, Chapter 3: Legal and
Professional Issues in Information Security 108-
111; Chapter 12: Information Security
Maintenance Pg. 524-525
Whitman
* preparation of security plans Topic 5.4, Whitman Chapter 5: Planning for
Security, Pg. 186-201
Whitman
* emergency destruction Topic 2.8, 5.8, Whitman Chapter 6: Operations
Security Pg. 363 / Security Standard Operating
Procedure No.4 (supplemental materials SM-9)
Krutz +
supplemental
materials
* media downgrade and
declassification
Topic 2.8, Chapter 6: Operations Security Pg.
362-364 / Declassification and Downgrading,
AR 380-5 Chapter III (supplemental materials
SM-18)
Krutz +
supplemental
materials
* attribution Topic 2.8, Chapter 6: Operations Security Pg.
362-364 / An Introduction to Computer Security -
The NIST Handbook (supplemental Materials
SM-22)
Krutz +
supplemental
materials
* repudiation Topic 2.8, Chapter 6: Operations Security Pg.
362-364 / An Introduction to Computer Security -
The NIST Handbook (supplemental Materials
SM-22)
Krutz +
supplemental
materials
f Auditing and Monitoring:
* effectiveness of security programs | Topics 9.4, 11.2, Krutz Chapter 6: Operations Security, pg. 365-372 / Whitman Chapter 12: Information Security Maintenance, pg. 519-544 | Whitman + Krutz
* conducting security reviews | Topics 9.4, 11.2, Krutz Chapter 6: Operations Security, pg. 365-372 / Whitman Chapter 12: Information Security Maintenance, pg. 519-544 | Whitman + Krutz
* verification, validation, testing, and evaluation processes | Topics 1.11, 9.4, Whitman Chapter 1: Introduction to Information Security, pg. 23-25 / Krutz Chapter 6: Operations Security, pg. 365-372 | Whitman + Krutz
* monitoring systems for accuracy and abnormalities | Topics 9.4, 11.2, Krutz Chapter 6: Operations Security, pg. 365-372 / Whitman Chapter 12: Information Security Maintenance, pg. 519-544 | Whitman + Krutz
* investigation of security breaches | Topics 1.10, 5.6, Chapter 1: Introduction to Information Security, pg. 21; Chapter 5: Planning for Security, pg. 209-235 | Whitman
* review of audit trails and logs | Topic 11.2, Whitman Chapter 12: Information Security Maintenance, pg. 517-518 / Audit Trails (supplemental materials SM-15, SM-16) | Whitman + supplemental materials
* review of software design standards | Topic 2.9, Chapter 2: Secure Software Development, pg. 73-74 | Whitman
* review of accountability controls | Topic 11.2, Chapter 12: Information Security Maintenance, pg. 519-544 | Whitman
* privacy | Topics 3.3, 10.7, Chapter 3: Relevant U.S. Law, pg. 91; Chapter 11: Security and Personnel, pg. 502 | Whitman
g Cryptosecurity:
* encryption/decryption method, procedure, algorithm | Topic 7.2, Chapter 8: Principles of Cryptography, pg. 346-348 | Whitman
* cryptovariable or key | Topic 7.2, Chapter 8: Principles of Cryptography, pg. 361-366 | Whitman
* electronic key management system | Topic 7.2, Chapter 8: Principles of Cryptography, pg. 366 | Whitman
h Key Management:
* identify and inventory COMSEC material | Topic 5.9, COMSEC (supplemental materials SM-6) | supplemental materials
* report COMSEC incidents | Topic 5.9, COMSEC (supplemental materials SM-6) | supplemental materials
* destruction procedures for COMSEC material | Topic 5.9, COMSEC (supplemental materials SM-6) | supplemental materials
* key management protocols (bundling, electronic key, over-the-air rekeying) | Topic 5.9, COMSEC (supplemental materials SM-6) | supplemental materials
j TEMPEST Security:
* shielding | Topic 12.4, NSTISSAM TEMPEST (supplemental materials SM-2) | supplemental materials
* grounding | Topic 12.4, NSTISSAM TEMPEST (supplemental materials SM-2) | supplemental materials
* attenuation | Topics 12.3-12.4, NSTISSAM TEMPEST (supplemental materials SM-2) | supplemental materials
* banding | Topic 12.4, NSTISSAM TEMPEST (supplemental materials SM-2) | supplemental materials
* filtered power | Topic 12.4, NSTISSAM TEMPEST (supplemental materials SM-2) | supplemental materials
* cabling | Topic 12.4, NSTISSAM TEMPEST (supplemental materials SM-2) | supplemental materials
* zone of control/zoning | Topics 12.3-12.4, NSTISSAM TEMPEST (supplemental materials SM-2) | supplemental materials
* TEMPEST separation | Topic 12.4, NSTISSAM TEMPEST (supplemental materials SM-2) | supplemental materials