Quality Enhancement Plan (QEP): From These Roots … A Foundation for Life: Mathematics and Financial Literacy
1
CSC 486 Systems Security for Senior Management
Instructor: Office: Telephone:
Office Hours:
E-Mail:
Course Description: Develops the knowledge necessary for senior security management to analyze and
judge the reported systems for validity and reliability to ensure such systems will operate at a proposed
trust level. Topical review and discussion on current trends in CNSS 4012 standard. Includes grant final
approval to operate, grant review accreditation, verify compliance, ensure establishment of security
controls, ensure program managers define security in acquisitions, assign responsibilities, define criticality
and sensitivity, allocate resources, multiple and joint accreditation, assess network security. Prerequisite:
CSC382 or Consent of the Chair.
Course Objectives: This course focuses on teaching and training students to be able to practice the
CNSS 4012 standard. After completing the course, students will be able to:
Discuss and explain the procedure of grant final approval to operate.
Discuss and explain the procedure of grant review accreditation.
Verify compliance.
Ensure establishment of security control.
Ensure program managers define security in acquisitions.
Assign responsibilities.
Define criticality and sensitivity.
Allocate resources.
Multiple and joint accreditation.
Assess network security.
Minimum Competencies: Students meeting minimum competencies should expect to receive a grade
between 74% and 77%. Minimum competencies for this course are as follows:
Discuss and explain the procedure of grant final approval to operate.
Discuss and explain the procedure of grant review accreditation.
Verify compliance.
Ensure establishment of security control.
Ensure program managers define security in acquisitions.
Assign responsibilities.
Define criticality and sensitivity.
Allocate resources.
Multiple and joint accreditation.
Assess network security.
Course Topics: This course will cover most of the information assurance concepts including:
Grant final approval to operate. (3 hours)
Grant review accreditation. (6 hours)
Verify compliance. (6 hours)
Ensure establishment of security control. (6 hours)
Ensure program managers define security in acquisitions. (3 hours)
Assign responsibilities. (3 hours)
Define criticality and sensitivity. (1 hour)
Allocate resources. (1 hour)
Multiple and joint accreditation. (1 hour)
Assess network security. (3 hours)
Laboratory. (12 hours)
Mapping to CNSSI 4012 can be found here.
Textbooks:
(Krutz) The CISSP Prep Guide: Mastering the CISSP and ISSEP Exams, 2nd edition, Ronald L. Krutz and Russell Dean Vines, Wiley, 2004.
(Whitman) Principles of Information Security, 2nd edition, Michael E. Whitman & Herbert J. Mattord, Thomson, 2005.
(Pfleeger) Security in Computing, 3rd edition (or the newest), C. P. Pfleeger, S. L. Pfleeger, Prentice Hall, 2003.
Supplemental Materials (SM):
SM-1: NIST SP 800-37: Guide for Security Certification and Accreditation of Federal Information
Systems
SM-2: NCSC-TG-029: Introduction to Certification and Accreditation
SM-3: NIST SP 800-12: An Introduction to Computer Security: The NIST Handbook
SM-4: NIST SP 800-30: Risk Management Guide for Information Technology Systems
SM-5: NSTISSI-1000 National Information Assurance Certification and Accreditation Process
(NIACAP)
SM-6: NASA Consolidation of Active Directory (NCAD) Compliance Waiver Form
SM-7: NASA Mission Focus Review 137 Non-ODIN Waiver Form
SM-8: NASA Mission Focus Review 137 Non-ODIN Waiver Form
SM-9: DOE-Cyber Security Process Requirements Manual
SM-10: A Model for Information Assurance: An Integrated Approach
SM-11: NIST SP 800-61-rev1 Computer Security Incident Handling Guide
SM-12: Army Regulation 25-2 Information Assurance
SM-13: IETF RFC 3227 Guidelines for Evidence Collection and Archiving
SM-14: Federal Records Act
SM-15: Electronic Records Management Guideline
SM-16: Federal Managers Financial Integrity Act of 1982
SM-17: Federal Property and Administration Service Act
SM-18: OMB-GPEA Implementation of the Government Paper Elimination Act
SM-19: National Archives Act 1986
SM-20: General Federal Records Act
SM-21: Public Law 108-383 National Archives and Records Administration Efficiency Act of
2004
SM-22: The Freedom of Information Act
SM-23: Electronic Freedom of Information Act Amendments of 1996
SM-24: Public Law 107-347
SM-25: Administrative Communications System - US Department of Education
SM-26: GAO-AIMD-12-19-6 Federal Information System Controls Audit Manual
SM-27: Delegation of Authority - signature authorization
SM-28: Guidebook on Delegation of Authority
SM-29: GAO-GGD-96-154 Federal Law Enforcement - Investigative Authority and Personnel at
13 Agencies
SM-30: NIST SP 800-57-Part1 Recommendation for Key Management - Part 1: General (Revised)
SM-31: NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems
SM-32: NIST SP 800-88_rev1 Guide for Media Sanitization
SM-33: NSA/CSS Storage Device Declassification Manual
SM-34: Automated Security Support Tools - The Key to Successful FISMA Implementation
SM-35: NIST CSL Bulletin - Disposition of Sensitive Automated Information
SM-36: NIST SP 800-16 Information Technology Security Training Requirements - A Role and
Performance Based Model
SM-37: Security Standard Operating Procedure NO. 04 - Naval Command, Control, and Ocean
Surveillance Center
SM-38: NIST SP 800-53-rev2-final Recommended Security Controls for Federal Information
Systems
SM-39: NSTISSP NO 11 National Information Assurance Acquisition Policy - Fact Sheet
SM-40: CJCSI 3312-01A Joint Military Intelligence Requirements Certification
SM-41: ESFOR 2004 An Empirical Evaluation of Automated Theorem Provers in Software
Certification
SM-42: NIST SP 800-36 Guide to Selecting Information Technology Security Products
SM-43: NIST SP 800-23 Guidelines to Federal Organizations on Security Assurance and
Acquisition-Use of Tested-Evaluated Products
SM-44: NISTIR-6985 COTS Security Protection Profile - Operating Systems (CSPP-OS)
SM-45: NIST SP 800-70-DRAFT Security Configuration Checklists Program for IT Products
SM-46: NIST SP 800-64-2 Security Considerations in the Information System Development Life
Cycle
SM-47: NIST SP 800-35 Guide to Information Technology Security Services
SM-48: NISTIR 4909 Software Quality Assurance - Documentation and Reviews
SM-49: NAVSO P-5239-04 Information Systems Security Manager (ISSM) Guidebook
SM-50: USAID-General Notice-Policy-Improper Disclosure of Information
SM-51: State of Texas-Department of Information Resources-Information Resources Manager
(IRM) Overview
SM-52: USAID-Information Technology Security Roles and Responsibilities
SM-53: Roles and Responsibilities Policy-for Security and Access of UCSC Electronic
Information Resources
SM-54: DISA-DOD Application Security and Development-Security Technical Implementation
Guide
SM-55: DOD-Final Report of the Defense Science Board-Task Force on Globalization and
Security-Dec-1999
SM-56: Memorandum of Agreement (MOA)
SM-57: Memorandum of Agreement between the Secretary of the Interior and the State of Idaho
SM-58: Definition of Memorandum of Understanding (MOU)
SM-59: Memorandum of Understanding
SM-60: Memorandum of Understanding Concerning Cooperation Between the US Securities and
Exchange Commission and the US Department of Labor
SM-61: NIST SP 800-13 Telecommunications Security Guidelines for Telecommunications
Management Network
SM-62: TEMPEST
SM-63: NSA-TEMPEST-A Signal Problem
SM-64: NSTISSM TEMPEST 2-95
SM-65: Information Leakage from Optical Emanations
Tentative Course Outline: Regular class schedule. For each week: Topics; Text chapters (see the 4012 map for the details); Supplemental Materials; Tests / Programs.

Week 1
Topics: 1. Grant Final Approval To Operate
  1.1 Responsibilities: 1.1.1 Aspects of Security; 1.1.2 Accreditation
  1.2 Approval: 1.2.1 Approval to Operate; 1.2.2 Interim Approval to Operate; 1.2.3 Recertification; 1.2.4 System Security Authorization Agreement; 1.2.5 Waive Policy to Continue Operation
Text chapters: Krutz: Ch1, Ch11, Ch14, Appendix D; Whitman: Ch1, Ch10
Supplemental Materials: SM-1, SM-2, SM-3, SM-4, SM-5, SM-6, SM-7, SM-8

Week 2
Topics: 2. Grant Review Accreditation
  2.1. Threat: 2.1.1. Attack; 2.1.2. Environmental/Natural threats; 2.1.3. Human Threats; 2.1.4. Theft; 2.1.5. Threat; 2.1.6. Threat Analysis; 2.1.7. Threat Assessment
  2.2. Countermeasures: 2.2.1. Education, Training, and Awareness as Countermeasures; 2.2.2. Procedural Countermeasures; 2.2.3. Technical Countermeasures
Text chapters: Krutz: Ch1, Ch2, Ch6, Ch12, Appendix D; Whitman: Ch2, Ch4, Ch5, Ch11
Supplemental Materials: SM-9, SM-10
Tests / Programs: HW-1

Week 3
Topics:
  2.1. Vulnerability: 2.1.1. Vulnerability; 2.1.2. Vulnerability Analysis; 2.1.3. Network Vulnerabilities; 2.1.4. Technical Vulnerabilities
  2.2. Risk Management: 2.2.1. Cost/Benefit Analysis of Information Assurance; 2.2.2. Documentation; 2.2.3. Risk; 2.2.4. Risk Assessment; 2.2.5. Risk Management; 2.2.6. Residual Risk; 2.2.7. Risk Acceptance Process; 2.2.8. Systems Security Authorization Agreement (SSAA)
Text chapters: Krutz: Ch2, Ch4, Ch10; Whitman: Ch2, Ch4, Ch10; Pfleeger: Ch1, Ch7, Ch8
Supplemental Materials: SM-4, SM-5

Week 4
Topics: Laboratory
Tests / Programs: HW-2

Week 5
Topics: 3. Verify Compliance
  3.1. Laws Related To Information Assurance (IA) And Security: 3.1.1. Copyright Protection and Licensing; 3.1.2. Criminal Prosecution; 3.1.3. Due Diligence; 3.1.4. Evidence Collection and Preservation; 3.1.5. Due Diligence; 3.1.6. Laws Related To Information Assurance and Security; 3.1.7. Legal and Liability Issues; 3.1.8. Ethics
  3.2. Policy Direction: 3.2.1. Access Control Policies; 3.2.2. Administrative Security Policies And Procedures; 3.2.3. Audit Trails and Logging Policies; 3.2.4. Documentation Policies; 3.2.5. Evidence Collection and Preservation Policies; 3.2.6. Information Security Policy; 3.2.7. National Information Assurance (IA) Certification & Accreditation (C&A) Process Policy; 3.2.8. Personnel Security Policies & Guidance
Text chapters: Krutz: Ch1, Ch2, Ch3, Ch6, Ch9, Ch11, Appendix B; Whitman: Ch2, Ch3, Ch4, Ch10, Ch11, Ch12; Pfleeger: Ch1, Ch3, Ch4, Ch8, Ch9
Supplemental Materials: SM-11, SM-12, SM-13, SM-14, SM-15, SM-16, SM-17, SM-18, SM-19, SM-20, SM-21, SM-22, SM-23, SM-24, SM-25, SM-26

Week 6
Topics:
  3.3. Security Requirements: 3.3.1. Access Authorization; 3.3.2. Auditable Events; 3.3.3. Authentication; 3.3.4. Background Investigations; 3.3.5. Countermeasures; 3.3.6. Delegation of Authority; 3.3.7. Education, Training, and Awareness; 3.3.8. Electronic Records Management; 3.3.9. Electronic-Mail Security; 3.3.10. Information Classification; 3.3.11. Investigative Authorities; 3.3.12. Key Management Infrastructure; 3.3.13. Information Marking; 3.3.14. Non-repudiation; 3.3.15. Public Key Infrastructure (PKI)
Text chapters: Krutz: Ch1, Ch2, Ch3, Ch4, Ch6, Ch9, Appendix B; Whitman: Ch4, Ch5, Ch7, Ch8, Ch11; Pfleeger: Ch1, Ch2, Ch7
Supplemental Materials: SM-3, SM-10, SM-15, SM-25, SM-27, SM-28, SM-29, SM-30, SM-31, SM-32, SM-33
Tests / Programs: HW-3

Week 7
Topics: Laboratory

Week 8
Topics: 4. Ensure Establishment Of Security Controls
  4.1. Administration: 4.1.1. Accountability for Classified/Sensitive Data; 4.1.2. Automated Security Tools; 4.1.3. Backups; 4.1.4. Change Control/Configuration Management; 4.1.5. Declassification/Downgrade of Media; 4.1.6. Destruction/Purging/Sanitization of Classified/Sensitive Information
  4.2. Access: 4.2.1. Access Controls; 4.2.2. Access Privileges; 4.2.3. Discretionary Access Controls; 4.2.4. Mandatory Access Controls; 4.2.5. Biometrics/Biometric Policies; 4.2.6. Separation of Duties; 4.2.7. Need-To-Know Controls
  4.3. Incident Handling And Response: 4.3.1. Emergency Destruction Procedures; 4.3.2. Organizational/Agency Information Assurance Emergency Response Teams
Text chapters: Krutz: Ch1, Ch2, Ch3, Ch6, Appendix B; Whitman: Ch2, Ch4, Ch5, Ch7, Ch11, Ch12; Pfleeger: Ch3, Ch4, Ch5, Ch8
Supplemental Materials: SM-3, SM-11, SM-12, SM-25, SM-26, SM-32, SM-33, SM-34, SM-35, SM-36, SM-37
Tests / Programs: HW-4

Week 9
Topics:
  4.4. Continuity Of Operations Planning: 4.4.1. Business Recovery; 4.4.2. Contingency/Continuity of Operations Planning; 4.4.3. Disaster Recovery; 4.4.4. Disaster Recovery Plan; 4.4.5. Incident response policies; 4.4.6. Law enforcement interfaces/policies; 4.4.7. Reconstitution; 4.4.8. Restoration
Text chapters: Krutz: Ch3, Ch8; Whitman: Ch5; Pfleeger: Ch8
Supplemental Materials: SM-11, SM-12, SM-38

Week 10
Topics: Laboratory
Tests / Programs: HW-5

Week 11
Topics: 5. Ensure Program Managers Define Security In Acquisitions
  5.1. Acquisition: 5.1.1. Certification Test & Evaluation (CT&E); 5.1.2. Certification Tools; 5.1.3. Product Assurance; 5.1.4. Contracting For Security Services; 5.1.5. Disposition of Classified Material; 5.1.6. Facilities Planning; 5.1.7. System Disposition/Reutilization
  5.2. Life Cycle Management: 5.2.1. Life Cycle System Security Planning; 5.2.2. System Security Architecture
Text chapters: Krutz: Ch6, Ch10, Appendix D; Whitman: Ch5
Supplemental Materials: SM-3, SM-25, SM-32, SM-33, SM-35, SM-39, SM-40, SM-41, SM-42, SM-43, SM-44, SM-45, SM-46, SM-47, SM-48

Week 12
Topics: 6. Assign Responsibilities
  6.1. Certification and Accreditation (C&A); 6.2. Information Ownership; 6.3. System Certifiers and Accreditors; 6.4. Risk Analysts; 6.5. Information System Security Manager (ISSM); 6.6. Information System Security Officer (ISSO)
Text chapters: Krutz: Ch1, Ch11, Appendix B, Appendix D; Whitman: Ch1, Ch10
Supplemental Materials: SM-1, SM-2, SM-3, SM-5, SM-49
Tests / Programs: HW-6

Week 13
Topics: Laboratory

Week 14
Topics: 7. Define Criticality And Sensitivity
  7.1. Aggregation; 7.2. Disclosure of Classified/Sensitive Information
  8. Allocate Resources: 8.1. Resource Roles and Responsibilities; 8.2. Budget/Resource Allocation; 8.3. Business Aspects of Information Security
  9. Multiple And Joint Accreditation: 9.1. Memoranda of Understanding/Agreement (MOU/MOA)
Text chapters: Krutz: Ch2, Ch6, Ch8, Ch12, Appendix D; Whitman: Ch2; Pfleeger: Ch5
Supplemental Materials: SM-36, SM-50, SM-51, SM-52, SM-53, SM-54, SM-55, SM-56, SM-57, SM-58, SM-59, SM-60

Week 15
Topics: 10. Assess Network Security
  10.1. Connectivity; 10.2. Emissions Security (EMSEC) and TEMPEST; 10.3. Wireless Technology
Text chapters: Krutz: Ch3, Ch9; Whitman: Ch9; Pfleeger: Ch7
Supplemental Materials: SM-3, SM-61, SM-62, SM-63, SM-64, SM-65
Tests / Programs: HW-7
Important Dates:
Exam 1:
Exam 2:
Final Exam:
THE FOLLOWING INFORMATION APPLIES TO ALL STUDENTS IN THE SCHOOL
OF SCIENCE:
In addition to the minimum grade requirements established by Hampton University, all majors within the
School of Science must pass all required courses offered within the School of Science with a grade of “C”
or better in order to satisfy degree requirements. The minimum grade requirement is in effect for all science
courses taken during Fall 2001 and beyond.
COURSE ASSIGNMENT AND CALENDAR:
Homework Assignments: There are two types of homework assignments: problems and projects. Both
will be issued, with their due dates, in Blackboard. Problems will be used to evaluate
understanding of the course materials, and projects will be used to evaluate the complexity of the algorithms
studied in class. All projects must be implemented in Java in a Unix/Linux environment. Late work
will not be accepted and will be counted as zero.
Final Exam: The exam will be given on the date scheduled by the registrar. The exam will be
comprehensive. There are no exemptions from the exam.
Attendance: The attendance policy of Hampton University will be observed. You are expected to attend
all classes and to arrive on time. Your attendance and participation will be 10% of the final grade. More
than 7 absences will constitute a failing grade, regardless of other considerations.
Writing-Across-The-Curriculum: Hampton University adopts the policy in all courses of “writing
across the curricula”. In this course, the objectives will be achieved by homework assignments, program
comments, and various tests.
The Ethics Paper: Details about the ethics paper will be provided at least one month prior to the
due date. The ethics paper will be graded based on the criteria listed in “Hampton University
Scoring Rubric”.
Grades: The final grade of this course will be determined by the combined weight of following
components:
Exams (2)                  20%
Homework (7)               40%
Laboratory (4)             15%
Attendance & participation 10%
Ethics Paper                5%
Final exam                 10%
--------------------------------
Total                     100%
Course grades will follow the scale of the university grading system:
A+ 98-100
A 94-97
A- 90-93
B+ 88-89
B 84-87
B- 80-83
C+ 78-79
C 74-77
C- 70-73
D+ 68-69
D 64-67
D- 60-63
F Below 60
Make-Up Policy: No make-up tests will be given without previous arrangements, a written medical
excuse, or an emergency approved by an appropriate university official.
Policy on Electronic Devices: Any electronic device (e.g., cell phones, PDAs, pagers) must be turned
off during class. During any test or final, these devices will not be allowed at the test.
Policy on Academic Dishonesty: Please see page 29 of the Student Handbook.
Midterm Evaluation: If an "F" is assigned to a student in the midterm evaluation, "F" will also be that
student's final grade. Students who fail the midterm evaluation should withdraw from this course before
the appropriate date.
Cheating: A student caught cheating on an examination or plagiarizing a paper which forms a part of a
course grade shall be given an "F" in the course and will be subject to dismissal from the University. A
student is considered to be cheating if, in the opinion of the person administering an examination (written
or oral), the student gives, seeks, or receives aid during the process of the examination; the student buys,
sells, steals, or otherwise possesses or transmits an examination without authorization; or, the student
substitutes for another or permits substitution for himself/ herself during an examination. All cases of
cheating shall be reported by the instructor to the chair of the department in which the cheating occurred, to
the school dean/division director and to the Provost.
No penalty shall be imposed until the student has been informed of the charge and of the evidence upon
which it is based and has been given an opportunity to present his/her defense. If the faculty member and
the student cannot agree on the facts pertaining to the charge, or if the student wishes to appeal a penalty,
the issue may be taken to the department chair. Each party will present his/her case to the chair who shall
then call a meeting of all involved parties. If the issue is not resolved at the departmental level, the dean
shall conduct a hearing. If the issue is not resolved at the school level either party may appeal the decision
at the school level to the Provost who shall convene the appropriate individuals and conduct a hearing in
order to resolve the issue.
Plagiarism: Plagiarism is defined as "taking and using as one's own the writing or ideas of another." All
materials used to meet assigned written requirements of a course, from any source, must be given proper credit
by citing the source. A student caught plagiarizing a paper which forms a part of a course grade shall be given
an "F" in the course and will be subject to dismissal from the University.
PENALTIES FOR ACADEMIC DISHONESTY
Cases of academic dishonesty are initially investigated and reported by members of the instructional faculty
to the chairperson of the department in which the cheating occurred, to the school dean, division director
and to the Provost. Also, penalties for minor violations of academic dishonesty are to be recommended at
the discretion of the instructor. The penalties for academic dishonesty on examinations and major course
requirements may include one of the following:
1. A grade of "F" on the examination or project.
2. A grade of "F" on the examination or project and dismissal from the course.
3. A grade of “F” on the examination or project, dismissal from the course and from the University.
When dismissal from the University is the recommended penalty, the chairman of the department submits
the details of the case to the Provost who schedules a hearing.
ADMINISTRATIVE ACTION
The Provost has the authority to dismiss or expel any student who fails to meet scholarship requirements or
to abide by academic regulations.
Dress Code:
This code is based on the theory that learning to select attire appropriate to specific occasions and activities
is a critical factor in the total educational process. Understanding and employing the Hampton University
Dress Code will improve the quality of one’s life, contribute to optimum morale, and embellish the overall
campus image. It also plays a major role in instilling a sense of integrity and an appreciation for values and
ethics as students are propelled towards successful careers.
Students will be denied admission to various functions if their manner of dress is inappropriate. On this
premise students at Hampton University are expected to dress neatly at all times. The following are
examples of appropriate dress for various occasions:
1. Classroom, Cafeteria, Student Union and University Offices – casual attire that is neat and modest.
2. Formal programs in Ogden Hall, the Convocation Center, the Student Center Ballroom, the Little
Theater and the Memorial Chapel – event appropriate attire as required by the event
announcement.
3. Interviews – Business attire.
4. Social/Recreational activities, Residence hall lounges (during visitation hours) – casual attire that
is neat and modest.
5. Balls, Galas, and Cabarets – formal, semi-formal and after five attire, respectively.
Examples of inappropriate dress and/or appearance include but are not limited to:
1. Do-rags, stocking caps, skullcaps and bandannas are prohibited at all times on the campus of
Hampton University (except in the privacy of the student’s living quarters).
2. Head coverings and hoods for men in any building.
3. Baseball caps and hoods for women in any building.
a. This policy item does not apply to headgear considered as a part of religious or cultural
dress.
4. Midriffs or halters, mesh, netted shirts, tube tops or cutoff tee shirts in classrooms, cafeteria,
Student Union and offices;
5. Bare feet;
6. Short shirts;
7. Shorts, all types of jeans at programs dictating professional or formal attire, such as Musical Arts,
Fall Convocation, Founder’s Day, and Commencement;
8. Clothing with derogatory, offensive and/or lewd message either in words or pictures;
9. Men’s undershirts of any color worn outside of the private living quarters of the residence halls.
However, sports jerseys may be worn over a conventional tee-shirt.
Procedure for Cultural or Religious Coverings
1. Students seeking approval to wear headgear as an expression of religious or cultural dress may
make a written request for a review through the Office of the Chaplain.
2. The Chaplain will forward his recommendation to the Dean of Students for final approval.
3. Students that are approved will then have their new ID card picture taken by University Police
with the headgear being worn.
All administrative, faculty and support staff members will be expected to monitor student behavior
applicable to this dress code and report any such disregard or violations to the Offices of the Dean of Men
or Dean of Women for the attention of the Dean of Students.
CODE OF CONDUCT
Joining the Hampton Family is an honor and requires each individual to uphold the policies, regulations, and
guidelines established for students, faculty, administration, professional and other employees, and the laws of
the Commonwealth of Virginia. Each member is required to adhere to and conform to the instructions and
guidance of the leadership of his/her respective area. Therefore, the following are expected of each member
of the Hampton Family:
1. To respect himself or herself.
2. To respect the dignity, feelings, worth, and values of others.
3. To respect the rights and property of others and to discourage vandalism and theft.
4. To prohibit discrimination, while striving to learn from differences in people, ideas, and opinions.
5. To practice personal, professional, and academic integrity, and to discourage all forms of dishonesty,
plagiarism, deceit, and disloyalty to the Code of Conduct.
6. To foster a personal professional work ethic within the Hampton University Family.
7. To foster an open, fair, and caring environment.
8. To be fully responsible for upholding the Hampton University Code.
Students with disabilities which require accommodations should (1) register with the Office of
Testing Services and 504 Compliance to provide documentation and (2) bring the necessary
information indicating the need for accommodation and what type of accommodation is needed. This
should be done during the first week of classes or as soon as the student receives the information. If
the instructor is not notified in a timely manner, retroactive accommodations may not be provided.
DISCLAIMER
This syllabus is intended to give the student guidance in what may be covered during
the semester and will be followed as closely as possible. However, the professor
reserves the right to modify, supplement and make changes as course needs arise.
Hampton University Scoring Rubric
The Hampton University Advisory Council of the Writing Program has approved and recommended the use of
the scoring rubric as a guide for evaluating student-writing performance across the curriculum.
6
A paper in this category:
States purpose (e.g., position or thesis) insightfully, clearly and effectively
Provides thorough, significant development with substantial depth and persuasively marshals support
for position
Demonstrates a focused, coherent, and logical pattern of organization
Displays a high level of audience awareness
Uses disciplinary facts critically and effectively
Has superior control of diction, sentence structure, and syntactic variety, but may have a few minor
flaws in grammar, usage, punctuation, or spelling
Documents sources consistently and correctly using a style appropriate to the discipline
5
A paper in this category:
States purpose (e.g., position or thesis) clearly and effectively
Provides development with some depth and complexity of thought and supports position convincingly
Demonstrates an effective pattern of organization
Displays a clear sense of audience awareness
Uses disciplinary facts effectively
Has good control of diction, sentence structure, and syntactic variety, but may have a few minor errors
in grammar, usage, punctuation, or spelling
Documents sources correctly using a style appropriate to the discipline
4
A paper in this category:
States purpose (e.g., position or thesis) adequately
Provides competent development with little evidence of complexity of thought
Demonstrates an adequate pattern of organization
Displays some degree of audience awareness
Uses disciplinary facts adequately
Has adequate control of diction, sentence structure, and syntactic variety, but may have some errors in
grammar, usage, punctuation, or spelling
Documents sources adequately using a style appropriate to the discipline
3
A paper in this category:
States purpose (e.g., position or thesis) but with varying degree of clarity
Provides some development for most ideas
Demonstrates some pattern of organization, but with some lapses from the pattern
Displays uneven audience awareness
Uses some disciplinary facts
Has some control of diction, sentence structure, and syntactic variety, but may have frequent errors in
grammar, usage, punctuation, or spelling
Documents sources using a style appropriate to the discipline, but may have errors.
2
A paper in this category:
States purpose (e.g., position or thesis) unclearly
Provides inadequate development of thesis
Demonstrates inconsistent pattern of organization
Displays very little audience awareness
Uses disciplinary facts ineffectively
Has little control of diction, sentence structure, and syntactic variety, and may have a pattern of errors
in grammar, usage, punctuation, or spelling
Acknowledges sources but does not document them using a style appropriate to the discipline
1
A paper in this category:
Fails to state purpose (e.g., position or thesis)
Fails to develop most ideas
Lacks a pattern of organization
Displays no audience awareness
Uses few or no disciplinary facts
Lacks control of diction, sentence structure, and syntactic variety, with a pattern of errors in grammar,
usage, punctuation, or spelling
Fails to document or acknowledge sources
Mapping to NSTISSI 4012 Standard
Course Review Sheet for CNSS No. 4012 Standard
CSC586 Krutz Whitman Pfleeger Supplemental
FUNCTION ONE -
GRANT FINAL ATO
Granting final approval
to operate an IS or
network in a specified
security mode
A
.
RESPONSIBILITIES
1 Aspects of Security
Explain the importance
of SSM role in
Information Assurance
(IA)
Topic 1.1.1 Ch1, Pg. 26 (Roles and
Responsibilities), Pg.
30 (RM Roles)
Ch1, Pg. 28-38
Security
Professionals and
Organization)
2 Accreditation
Discuss accreditation Topic 1.1.2 Ch11, Pg. 560 (Federal
Information
Processing Standard
(FIPS) 102), Pg. 572
(What is Certification
and Accreditation?),
Appendix D, Pg. 977
(Implementation Phase
- Security
Accreditation)
Ch10, Pg. 453
(Certification
Versus
Accreditation)
NIST SP 800-37:
Guide for Security
Certification and
Accreditation of
Federal Information
Systems
NCSC-TG-029:
Introduction to
Certification and
Accreditation
Discuss the certification
process leading to
successful accreditation
Topic 1.1.2 Ch11, Pg. 560 (Federal
Information
Processing Standard
(FIPS) 102), Pg. 561
(DoD Information
Technology Security
Certification and
Accreditation Process
(DITSCAP)), Pg. 565
(The National
Information Assurance
Certification and
Accreditation Process
(NIACAP)), Pg. 567
(Defense Information
Assurance
Certification and
Accreditation Process
(DIACAP)),
Ch10, Pg. 453-
463 (Information
System
Certification and
Accreditation)
Quality Enhancement Plan (QEP): From These Roots … A Foundation for Life: Mathematics and Financial Literacy
15
Explain the importance
of accreditation
Topic 1.1.2 Ch11, Pg. 560 (Federal
Information
Processing Standard
(FIPS) 102), Pg. 572
(What is Certification
and Accreditation),
Appendix D, Pg. 977
(Implementation Phase
- Security
Accreditation)
Ch10, Pg. 453-
454 (Information
System
Certification and
Accreditation)
Explain types of
accreditation
Topic 1.1.2 Ch11, Pg. 566
(NIACAP
Accreditation Types)
Facilitate the
certification process
leading to successful
accreditation
Topic 1.1.2 Ch11, Pg. 560 (Federal
Information
Processing Standard
(FIPS) 102), Pg. 561
(DoD Information
Technology Security
Certification and
Accreditation Process
(DITSCAP)), Pg. 565
(The National
Information Assurance
Certification and
Accreditation Process
(NIACAP)), Pg. 567
(Defense Information
Assurance
Certification and
Accreditation Process
(DIACAP)),
Ch10, Pg. 453-
463 (Information
System
Certification and
Accreditation)
Discuss the significance
of NSTISSP No. 6
Topic 1.1.2 Ch11, Pg. 565-566
(NIACAP and
NSTISSP #6)

B. APPROVAL
1 Approval to Operate (ATO)
   Explain ATO. Topic 1.2.1.
      Ch14, Pg. 647 (Authorization to Operate (ATO)), Pg. 656-657 (DIACAP Accreditation Phases)
      NIST SP 800-37: Guide for Security Certification and Accreditation of Federal Information Systems
   Discuss purpose and contents of ATO. Topic 1.2.1.
      Ch14, Pg. 647 (Accreditation Decision), Pg. 656-657 (DIACAP Accreditation Phases)
   Explain the importance of risk assessment to support granting an ATO. Topic 1.2.1.
      Ch14, Pg. 646 (Final Risk Assessment), Pg. 647 (Accreditation Decision)
2 Interim Approval to Operate
   Describe IATO. Topic 1.2.2.
      Ch14, Pg. 647 (Interim Authorization to Operate (IATO)), Pg. 656-657 (DIACAP Accreditation Phases)
   Explain the purpose and contents of IATO. Topic 1.2.2.
      Ch14, Pg. 647 (Accreditation Decision), Pg. 656-657 (DIACAP Accreditation Phases)
   Explain the importance of risk assessment to support granting an IATO. Topic 1.2.2.
      Ch14, Pg. 646 (Final Risk Assessment), Pg. 647 (Accreditation Decision)
      NIST SP 800-12: An Introduction to Computer Security: The NIST Handbook
      NIST SP 800-30: Risk Management Guide for Information Technology Systems
   Facilitate implementation of risk mitigation strategies necessary to obtain IATO. Topic 1.2.2.
      Appendix D, Pg. 988-989 (Risk Mitigation), Appendix E, Pg. 1061 (Risk Mitigation)
3 Recertification
   Describe recertification. Topic 1.2.3.
      Ch11, Pg. 572 (What is Certification and Accreditation?)
      NCSC-TG-029: Introduction to Certification and Accreditation
   Direct the recertification effort. Topic 1.2.3.
   Explain the importance of the recertification process. Topic 1.2.3.
   Identify characteristics of information systems that need recertification. Topic 1.2.3.
   Initiate the recertification effort. Topic 1.2.3.
4 Systems Security Authorization Agreement (SSAA)
   Discuss the Systems Security Authorization Agreement (SSAA). Topic 1.2.4.
      Ch11, Pg. 563 (The System Security Authorization Agreement (SSAA))
      Ch10, Pg. 457-459 (NSTISS Instruction-1000: National Information Assurance Certification and Accreditation Process (NIACAP))
      NSTISSI-1000: National Information Assurance Certification and Accreditation Process (NIACAP)
   Explain the importance of the SSAA. Topic 1.2.4.
      Ch11, Pg. 563 (The System Security Authorization Agreement (SSAA))
      Ch10, Pg. 457-459 (NSTISS Instruction-1000: National Information Assurance Certification and Accreditation Process (NIACAP))
5 Waive Policy to Continue Operation
   Discuss justification for waiver. Topic 1.2.5.
      NCSC-TG-029: Introduction to Certification and Accreditation
      NASA Consolidation of Active Directory (NCAD) Compliance Waiver Form
      NASA Mission Focus Review 137 Non-ODIN Waiver Form
   Discuss risk mitigation strategies necessary to obtain waiver. Topic 1.2.5.
      Appendix D, Pg. 988-989 (Risk Mitigation), Appendix E, Pg. 1061 (Risk Mitigation)
      NCSC-TG-029: Introduction to Certification and Accreditation
      NIST SP 800-12: An Introduction to Computer Security: The NIST Handbook
      NIST SP 800-30: Risk Management Guide for Information Technology Systems
      NASA Consolidation of Active Directory (NCAD) Compliance Waiver Form
      NASA Mission Focus Review 137 Non-ODIN Waiver Form
   Ensure risk assessment supports granting waiver. Topic 1.2.5.
      NCSC-TG-029: Introduction to Certification and Accreditation
      NASA Consolidation of Active Directory (NCAD) Compliance Waiver Form
      NASA Mission Focus Review 137 Non-ODIN Waiver Form

FUNCTION TWO - GRANT REVIEW ACCREDITATION
Reviewing the accreditation documentation to confirm that the residual risk is within acceptable limits for each network and/or IS.

A. THREATS
1 Attacks
   Discuss threats/attacks to systems. Topic 2.1.1.
      Ch1, Pg. 28 (Terms and Definitions), Ch2, Pg. 61-68 (Access Control Attack), Ch6, Pg. 373 (Threats and Vulnerabilities), Ch12, Pg. 593-596 (Initial Risk Estimation), Appendix D, Pg. 954-956 (Types and Classes of Attack), Appendix D, Pg. 983 (Threat Identification)
      Ch2, Pg. 40-63 (Threats), Pg. 63-73 (Attacks)
      Ch1, Pg. 5-6 (Threats, Vulnerabilities, and Controls)
   Explain the importance of threats/attacks on systems. Topic 2.1.1.
      Ch2, Pg. 61-68 (Access Control Attack), Ch6, Pg. 373 (Threats and Vulnerabilities), Ch12, Pg. 593-596 (Initial Risk Estimation), Appendix D, Pg. 954-956 (Types and Classes of Attack), Appendix D, Pg. 983 (Threat Identification)
      Ch2, Pg. 40-63 (Threats), Pg. 63-73 (Attacks)
      Ch1, Pg. 5-6 (Threats, Vulnerabilities, and Controls)
2 Environmental/Natural Threats
   Discuss environmental/natural threats. Topic 2.1.2.
      Ch12, Pg. 594 (Threat-Source Identification), Appendix D, Pg. 983 (Threat Identification)
      Ch2, Pg. 59-60 (Forces of Nature)
      Ch8, Pg. 538-541 (Natural Disasters)
3 Human Threats
   Explain the importance of intentional and unintentional human threats. Topic 2.1.3.
      Ch6, Pg. 374 (Illegal Computer Operations and Intentional Attacks), Ch12, Pg. 594-596 (Human Threat-Sources), Appendix D, Pg. 983 (Threat Identification)
      Ch2, Pg. 42-43 (Acts of Human Error or Failure)
      Ch8, Pg. 541-543 (Human Vandals)
4 Theft
   Explain the importance of theft as a threat. Topic 2.1.4.
      Ch6, Pg. 374 (Illegal Computer Operations and Intentional Attacks)
      Ch2, Pg. 54 (Deliberate Acts of Theft)
      Ch8, Pg. 541-543 (Theft)
5 Threat
   Explain threat. Topic 2.1.5.
      Ch1, Pg. 28 (Terms and Definitions), Ch6, Pg. 373 (Threats and Vulnerabilities), Ch12, Pg. 593-596 (Initial Risk Estimation), Appendix D, Pg. 983 (Threat Identification)
      Ch2, Pg. 40-63 (Threats)
      Ch1, Pg. 5-6 (Threats, Vulnerabilities, and Controls)
   Explain the importance of organizational threats. Topic 2.1.5.
      Ch1, Pg. 28 (Terms and Definitions), Ch6, Pg. 373 (Threats and Vulnerabilities), Ch12, Pg. 593-596 (Initial Risk Estimation), Appendix D, Pg. 983 (Threat Identification)
      Ch2, Pg. 40-63 (Threats)
      Ch1, Pg. 5-6 (Threats, Vulnerabilities, and Controls)
      DOE Cyber Security Process Requirements Manual
6 Threat Analysis
   Explain the importance of threat analysis. Topic 2.1.6.
      Ch2, Pg. 68-69 (Penetration Testing), Ch12, Pg. 593 (Initial Risk Estimation), Pg. 597 (Threat Likelihood of Occurrence), Pg. 597-600 (Analyzing for Vulnerabilities), Appendix D, Pg. 984 (Control Analysis)
      Ch7, Pg. 425-428 (Security Threat Analysis)
7 Threat Assessment
   Explain the importance of threat assessment. Topic 2.1.7.
      Ch12, Pg. 593 (Initial Risk Estimation)
      Ch4, Pg. 133-134 (Identify and Prioritize Threats)
      Ch7, Pg. 425-428 (Security Threat Analysis)

B. COUNTERMEASURES
1 Education, Training, and Awareness as Countermeasures
   Explain the importance of education, training, and awareness as countermeasures. Topic 2.2.1.
      Ch1, Pg. 42-45 (Security Awareness)
      Ch5, Pg. 206-209 (Security Education, Training, and Awareness Program)
      A Model for Information Assurance: An Integrated Approach
   Ensure education, training, and awareness countermeasures are implemented. Topic 2.2.1.
      Ch1, Pg. 42-45 (Security Awareness)
      Ch5, Pg. 206-209 (Security Education, Training, and Awareness Program)
      A Model for Information Assurance: An Integrated Approach
2 Procedural Countermeasures
   Explain the importance of procedural/administrative countermeasures. Topic 2.2.2.
      Ch6, Pg. 354-356 (Administrative Controls)
      Ch11, Pg. 492-498 (Employment Policies and Practices)
      Ch8, Pg. 529-538 (Organization Security Policy)
   Ensure procedural/administrative countermeasures are implemented. Topic 2.2.2.
      Ch6, Pg. 354-356 (Administrative Controls)
      Ch11, Pg. 492-498 (Employment Policies and Practices)
      Ch1, Pg. 25 (Policies and Procedures)
3 Technical Countermeasures
   Explain the importance of automated countermeasures/deterrents. Topic 2.2.3.
      Ch1, Pg. 22-25 (Methods of Defense)
      A Model for Information Assurance: An Integrated Approach
   Explain the importance of technical countermeasures/deterrents. Topic 2.2.3.
      Ch1, Pg. 22-25 (Methods of Defense)
      A Model for Information Assurance: An Integrated Approach
   Ensure technical/automated countermeasures/deterrents are implemented. Topic 2.2.3.
      Ch1, Pg. 22-25 (Methods of Defense)
      A Model for Information Assurance: An Integrated Approach

C. VULNERABILITY
1 Vulnerability
   Explain vulnerability. Topic 2.3.1.
      Ch1, Pg. 28 (Terms and Definitions), Ch6, Pg. 375-376 (Vulnerabilities and Attacks), Ch12, Pg. 593 (Initial Risk Estimation)
      Ch2, Pg. 63 (Attacks)
      Ch1, Pg. 12-19 (Vulnerabilities)
2 Vulnerability Analysis
   Explain the importance of vulnerability analysis. Topic 2.3.2.
      Ch12, Pg. 593 (Initial Risk Estimation), Pg. 597 (Analyzing for Vulnerabilities), Appendix D, Pg. 984 (Vulnerability Identification)
      Ch4, Pg. 138-139 (Vulnerability Identification)
      Ch8, Pg. 509-513 (Step 2: Determine Vulnerabilities)
3 Network Vulnerabilities
   Explain the importance of network vulnerabilities. Topic 2.3.3.
      Ch3, Pg. 190-193 (Network Attacks and Abuses), Pg. 194-201 (Probing and Scanning)
      Ch7, Pg. 387-390 (What Makes a Network Vulnerability), Pg. 426 (Network Vulnerabilities)
4 Technical Vulnerabilities
   Explain the importance of technical vulnerabilities. Topic 2.3.4.
      Ch6, Pg. 375-376 (Vulnerabilities and Attacks), Appendix B, Pg. 937 (Technical Vulnerability), Ch12, Pg. 597 (Analyzing for Vulnerabilities), Appendix D, Pg. 984 (Vulnerability Identification)
      Ch1, Pg. 12-19 (Vulnerabilities)

D. RISK MANAGEMENT
1 Cost/Benefit Analysis of Information Assurance
   Explain the importance of cost/benefit analysis of information assurance. Topic 2.4.1.
      Ch1, Pg. 37-38 (Cost-Benefit Analysis), Appendix D, Pg. 997 (Cost Control and Estimating)
      Ch4, Pg. 151-154 (Cost Benefit Analysis (CBA))
      NIST SP 800-30: Risk Management Guide for Information Technology Systems
2 Documentation
   Explain the importance of the role of documentation in reducing risk. Topic 2.4.2.
      Ch6, Pg. 358 (Documentation Control), Ch12, Pg. 610-612 (Documenting Security Controls in the System Security Plan), Appendix D, Pg. 988 (Results Documentation)
      Ch4, Pg. 143-144 (Documenting the Results of Risk Assessment), Pg. 163-164 (Documenting Results)
      NIST SP 800-30: Risk Management Guide for Information Technology Systems
3 Risk
   Explain risk. Topic 2.4.3.
      Ch1, Pg. 26-27 (Risk Management and Assessment), Appendix B, Pg. 929 (Risk)
      Ch4, Pg. 119 (Risk Identification)
      Ch1, Sec. 1.5 (Methods of Defense)
      NIST SP 800-30: Risk Management Guide for Information Technology Systems
   Discuss principles of risk. Topic 2.4.3.
      Ch1, Pg. 27-28 (Risk Management and Assessment)
      Ch4, Pg. 119 (Risk Identification)
      Ch1, Sec. 1.5 (Methods of Defense)
4 Risk Assessment
   Explain the importance of risk assessment. Topic 2.4.4.
      Ch1, Pg. 26-27 (Risk Management and Assessment), Appendix B, Pg. 929 (Risk Assessment)
      Ch4, Pg. 139-144 (Risk Assessment)
5 Risk Management
   Explain the importance of risk management. Topic 2.4.5.
      Ch1, Pg. 26-27 (Risk Management and Assessment), Pg. 27 (Principles of Risk Management), Appendix B, Pg. 929 (Risk Management)
      Ch4, Pg. 117-119
6 Residual Risk
   Explain residual risk. Topic 2.4.6.
      Ch1, Pg. 28-29 (Terms and Definitions)
      Ch4, Pg. 162-163 (Residual Risk)
7 Risk Acceptance Process
   Explain the importance of the risk acceptance process. Topic 2.4.7.
      Ch4, Pg. 149 (Acceptance)
8 Systems Security Authorization Agreement (SSAA)
   Explain the importance of the certification and accreditation (C&A) effort leading to accreditation. Topic 2.4.8.
      Ch11, Pg. 560 (Federal Information Processing Standard (FIPS) 102), Pg. 561 (DoD Information Technology Security Certification and Accreditation Process (DITSCAP)), Pg. 565 (The National Information Assurance Certification and Accreditation Process (NIACAP)), Pg. 567 (Defense Information Assurance Certification and Accreditation Process (DIACAP))
      Ch10, Pg. 457-459 (NSTISS Instruction-1000: National Information Assurance Certification and Accreditation Process (NIACAP))
      NSTISSI-1000: National Information Assurance Certification and Accreditation Process (NIACAP)
   Discuss the contents of the SSAA. Topic 2.4.8.
      Ch11, Pg. 563-564 (The System Security Authorization Agreement (SSAA))
      Ch10, Pg. 457-459 (NSTISS Instruction-1000: National Information Assurance Certification and Accreditation Process (NIACAP))
      NSTISSI-1000: National Information Assurance Certification and Accreditation Process (NIACAP)
   Discuss the purpose of the SSAA. Topic 2.4.8.
      Ch11, Pg. 563-564 (The System Security Authorization Agreement (SSAA))
      Ch10, Pg. 457-459 (NSTISS Instruction-1000: National Information Assurance Certification and Accreditation Process (NIACAP))
   Ensure the certifier understands the mission and that it is reflected in the SSAA and in the C&A effort leading to the SSAA. Topic 2.4.8.
      Ch11, Pg. 563-564 (The System Security Authorization Agreement (SSAA))
      Ch10, Pg. 457-459 (NSTISS Instruction-1000: National Information Assurance Certification and Accreditation Process (NIACAP))
   Facilitate the effort leading to the SSAA. Topic 2.4.8.
      Ch11, Pg. 563-564 (The System Security Authorization Agreement (SSAA))
      Ch10, Pg. 457-459 (NSTISS Instruction-1000: National Information Assurance Certification and Accreditation Process (NIACAP))

FUNCTION THREE - VERIFY COMPLIANCE
Verifying that each information system complies with the information assurance (IA) requirements.

A. LAWS RELATED TO INFORMATION ASSURANCE (IA) AND SECURITY
1 Copyright Protection and Licensing
   Explain the importance of copyright protection. Topic 3.1.1.
      Ch9, Pg. 480 (Copyright)
      Ch2, Pg. 43-44 (Compromises to Intellectual Property), Ch3, Pg. 96-97 (U.S. Copyright Law)
      Ch9, Pg. 556-561 (Copyrights)
   Explain the importance of licensing. Topic 3.1.1.
      Ch9, Pg. 577 (Licenses)
2 Criminal Prosecution
   Explain the importance of criminal prosecution. Topic 3.1.2.
      Ch9, Pg. 586-587 (Why Computer Crime is Hard to Prosecute)
      NIST SP 800-61 Rev. 1: Computer Security Incident Handling Guide
      Army Regulation 25-2: Information Assurance
3 Due Diligence
   Explain the importance of due diligence. Topic 3.1.3.
      Ch6, Pg. 357 (Due Care and Due Diligence), Ch9, Pg. 502-503 (Liability)
      Ch3, Pg. 89 (Organizational Liability and the Need for Counsel)
4 Evidence Collection and Preservation
   Explain the importance of evidence collection. Topic 3.1.4.
      Ch9, Pg. 496-497 (Evidence)
      NIST SP 800-61 Rev. 1: Computer Security Incident Handling Guide
      IETF RFC 3227: Guidelines for Evidence Collection and Archiving
   Explain the importance of evidence preservation. Topic 3.1.4.
      Ch9, Pg. 498 (Preserved)
      NIST SP 800-61 Rev. 1: Computer Security Incident Handling Guide
      IETF RFC 3227: Guidelines for Evidence Collection and Archiving
5 Fraud, Waste, and Abuse
   Explain fraud, waste, and abuse. Topic 3.1.5.
      Ch6, Pg. 374 (Illegal Computer Operations and Intentional Attacks), Ch9, Pg. 474 (Fraud), Ch3, Pg. 190 (Network Attacks and Abuses), Ch9, Pg. 490 (1986 U.S. Computer Fraud and Abuse Act (amended in 1996))
      Ch9, Pg. 587-588 (U.S. Computer Fraud and Abuse Act)
6 Laws Related To Information Assurance and Security
   Explain the importance and implications of Electronic Records Management and the Federal Records Act. Topic 3.1.6.
      Federal Records Act
      Electronic Records Management Guideline
   Explain the importance and implications of the Federal Managers Financial Integrity Act of 1982. Topic 3.1.6.
      Federal Managers Financial Integrity Act of 1982
   Explain the importance and implications of the Federal Property and Administrative Services Act. Topic 3.1.6.
      Federal Property and Administrative Services Act
   Explain the importance and implications of the USA PATRIOT Act, GPEA, and the Paperwork Reduction Acts. Topic 3.1.6.
      Ch9, Pg. 494-495 (2001 USA Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act), Ch9, Pg. 491 (Paperwork Reduction Acts of 1980, 1985)
      Ch3, Pg. 90-95 (Relevant U.S. Laws)
      Ch9, Pg. 588 (USA Patriot Act)
      OMB GPEA: Implementation of the Government Paperwork Elimination Act
   Explain the importance and implications of legal issues which can affect Information Assurance (IA). Topic 3.1.6.
      Ch9, Pg. 489-495 (Computer Security, Privacy, and Crime Laws)
      Ch3, Pg. 90-97 (Relevant U.S. Laws), Pg. 97-99 (International Laws and Legal Bodies)
      Ch9, Pg. 587-589 (Examples of Statutes), Pg. 589-590 (International Dimension)
   Explain the importance and implications of the National Archives and Records Act. Topic 3.1.6.
      National Archives Act 1986
      General Federal Records Act
      Public Law 108-383: National Archives and Records Administration Efficiency Act of 2004
   Explain the importance and implications of the Computer Fraud and Abuse Act, P.L. 99-474, 18 U.S. Code 1030. Topic 3.1.6.
      Ch9, Pg. 490 (1986 U.S. Computer Fraud and Abuse Act (amended in 1996))
      Ch3, Pg. 90-95 (Relevant U.S. Laws)
      Ch9, Pg. 587-588 (U.S. Computer Fraud and Abuse Act)
   Explain the importance and implications of the Freedom of Information Act and the Electronic Freedom of Information Act. Topic 3.1.6.
      Ch9, Pg. 588 (U.S. Freedom of Information Act)
      The Freedom of Information Act
      Electronic Freedom of Information Act Amendments of 1996
   Explain the importance of Public Law 107-347, E-Government Act of 2002, Title III, Federal Information Security Management Act (FISMA), 17 Dec 2002. Topic 3.1.6.
      Ch9, Pg. 495 (2002 E-Government Act, Title III, the Federal Information Security Management Act (FISMA))
   Explain the importance and implications of the legal responsibilities of senior systems managers. Topic 3.1.6.
      Ch9, Pg. 496-502 (Investigation)
   Explain the importance and implications of the Privacy Act. Topic 3.1.6.
      Ch9, Pg. 489 (1974 U.S. Federal Privacy Act (amended in 1980)), Pg. 490 (1986 U.S. Electronic Communications Privacy Act)
      Ch3, Pg. 90-95 (Relevant U.S. Laws)
      Ch9, Pg. 588 (U.S. Privacy Act)
   Discuss implications of Public Law 107-347 regarding certification and accreditation. Topic 3.1.6.
      Public Law 107-347
7 Legal and Liability Issues
   Explain the importance of legal and liability issues as they apply to system and mission. Topic 3.1.7.
      Ch9, Pg. 502-504 (Liability)
      Ch3, Pg. 89 (Organizational Liability and the Need for Counsel), Ch5, Pg. 180 (Limitations of Liability)
8 Ethics
   Discuss ethics. Topic 3.1.8.
      Ch9, Pg. 504-509 (Ethics)
      Ch3, Pg. 99-105 (Ethics and Information Security)
      Ch9, Pg. 605-610 (Ethical Issues in Computer Security)

B. POLICY DIRECTION
1 Access Control Policies
   Explain the importance of access control policies. Topic 3.2.1.
      Ch2, Pg. 56 (Controls), Pg. 57 (Models for Controlling Access), Ch6, Pg. 364-365 (Physical Access Controls)
      Ch4, Pg. 141-142 (Access Control)
      Ch4, Pg. 194-204 (Control of Access to General Objects)
2 Administrative Security Policies and Procedures
   Explain the importance of administrative security policies/procedures. Topic 3.2.2.
      Ch2, Pg. 56 (Controls), Ch6, Pg. 354-355 (Administrative Controls)
      Ch3, Pg. 171-172 (Administrative Controls)
3 Audit Trails and Logging Policies
   Explain the importance of audit trail policy. Topic 3.2.3.
      Ch6, Pg. 369-372 (Auditing)
      Ch12, Pg. 517-518 (Auditing)
      Ch3, Pg. 170 (Access Log)
      Administrative Communications System - US Department of Education
      GAO/AIMD-12.19.6: Federal Information System Controls Audit Manual
   Explain the importance of logging policies. Topic 3.2.3.
      Ch6, Pg. 369-372 (Auditing)
      Ch12, Pg. 517-518 (Auditing)
      Ch3, Pg. 170 (Access Log)
4 Documentation Policies
   Explain the importance of documentation policies. Topic 3.2.4.
      Ch6, Pg. 358 (Documentation Control), Ch12, Pg. 610-612 (Documenting Security Controls in the System Security Plan), Ch15, Pg. 671 (Documentation and Reporting)
      Ch4, Pg. 143-144 (Documenting the Results of Risk Assessment), Pg. 163-164 (Documenting Results)
5 Evidence Collection and Preservation Policies
   Explain the importance of evidence collection/preservation policies. Topic 3.2.5.
      Ch9, Pg. 496-498 (Investigation)
      NIST SP 800-61 Rev. 1: Computer Security Incident Handling Guide
      IETF RFC 3227: Guidelines for Evidence Collection and Archiving
6 Information Security Policy
   Define information security policy. Topic 3.2.6.
      Ch1, Pg. 20-25 (Security Policy Implementation)
      Ch5, Pg. 172-175 (Information Security Policy, Standards, and Practices)
      Ch1, Pg. 25 (Policies and Procedures), Ch8, Pg. 529-531 (Organizational Security Policy)
   Explain the importance of information security policy. Topic 3.2.6.
      Ch1, Pg. 20-25 (Security Policy Implementation)
      Ch5, Pg. 172-175 (Information Security Policy, Standards, and Practices)
      Ch1, Pg. 25 (Policies and Procedures), Ch8, Pg. 529-531 (Organizational Security Policy)
7 National Information Assurance (IA) Certification & Accreditation (C&A) Process Policy
   Explain the importance of the National Information Assurance (IA) Certification & Accreditation (C&A) Policy. Topic 3.2.7.
      Ch11, Pg. 565-566 (NIACAP and NSTISSP #6)
      Ch10, Pg. 453-465 (Information Systems Security Certification and Accreditation)
8 Personnel Security Policies & Guidance
   Explain the importance of personnel security guidance. Topic 3.2.8.
      Ch1, Pg. 20-25 (Security Policy Implementation), Pg. 25-26 (Roles and Responsibilities), Appendix B, Pg. 924 (Personnel Security)
      Ch11, Pg. 470-502 (Positioning & Staffing the Security Function)

C. SECURITY REQUIREMENTS
1 Access Authorization
   Explain the importance of access authorization. Topic 3.3.1.
      Ch2, Pg. 55-56 (Rationale)
      Ch5, Pg. 179 (Authorized Access and Usage of Equipment)
2 Auditable Events
   Explain auditable events. Topic 3.3.2.
      Ch6, Pg. 369-372 (Auditing)
3 Authentication
   Explain authentication. Topic 3.3.3.
      Ch2, Pg. 69 (Identification and Authentication), Appendix B, Pg. 885 (Authentication)
      Ch7, Pg. 338 (Authentication)
      Ch2, Pg. 59 (Symmetric and Asymmetric Encryption Systems)
4 Background Investigations
   Explain the importance of background investigations. Topic 3.3.4.
      Ch6, Pg. 354 (Administrative Controls)
      Ch11, Pg. 493-494 (Background Checks)
5 Countermeasures
   Explain the importance of countermeasures. Topic 3.3.5.
      Appendix B, Pg. 894 (Countermeasure/Safeguard)
      Ch1, Pg. 22-25 (Methods of Defense)
      A Model for Information Assurance: An Integrated Approach
6 Delegation of Authority
   Discuss the importance of delegation of authority. Topic 3.3.6.
      Ch11, Pg. 471-492 (Positioning & Staffing the Security Function)
      Delegation of Authority - Signature Authorization
      Guidebook on Delegation of Authority
   Ensure that individuals are assigned to perform IA functions. Topic 3.3.6.
      Ch1, Pg. 25-26 (Roles and Responsibilities), Pg. 30 (RM Roles)
      Ch11, Pg. 471-492 (Positioning & Staffing the Security Function)
      NIST SP 800-12: An Introduction to Computer Security: The NIST Handbook
      Delegation of Authority - Signature Authorization
      Guidebook on Delegation of Authority
7 Education, Training, and Awareness
   Explain the importance of education, training, and awareness as countermeasures. Topic 3.3.7.
      Ch1, Pg. 42-45 (Security Awareness)
      Ch5, Pg. 206-209 (Security Education, Training, and Awareness Program)
      A Model for Information Assurance: An Integrated Approach
   Ensure education, training, and awareness countermeasures are implemented. Topic 3.3.7.
      Ch1, Pg. 42-45 (Security Awareness)
      Ch5, Pg. 206-209 (Security Education, Training, and Awareness Program)
8 Electronic Records Management
   Discuss electronic records management. Topic 3.3.8.
      Electronic Records Management Guideline
   Explain the importance of electronic records management. Topic 3.3.8.
9 Electronic-Mail Security
   Discuss electronic-mail security. Topic 3.3.9.
      Ch6, Pg. 382-386 (Operational E-Mail Security), Ch9, Pg. 488 (Electronic Monitoring)
      Ch8, Pg. 383-384 (Securing E-mail with S/MIME, PEM, and PGP)
      Ch7, Pg. 473-479 (Secure E-mail)
   Explain the importance of electronic-mail security. Topic 3.3.9.
      Ch6, Pg. 382-386 (Operational E-Mail Security), Ch9, Pg. 488 (Electronic Monitoring)
      Ch8, Pg. 383-384 (Securing E-mail with S/MIME, PEM, and PGP)
      Ch7, Pg. 473-479 (Secure E-mail)
10 Information Classification
   Discuss information classification. Topic 3.3.10.
      Ch1, Pg. 11-20 (Information Classification Process)
      Ch4, Pg. 129-130 (Data Classification and Management)
   Explain the importance of information classification. Topic 3.3.10.
      Ch1, Pg. 11-20 (Information Classification Process)
      Ch4, Pg. 129-130 (Data Classification and Management)
11 Investigative Authorities
   Discuss investigative authorities. Topic 3.3.11.
      GAO/GGD-96-154: Federal Law Enforcement - Investigative Authority and Personnel at 13 Agencies
   Explain the importance of investigative authorities. Topic 3.3.11.
12 Key Management Infrastructure
   Discuss key management infrastructure. Topic 3.3.12.
      Ch4, Pg. 271-273 (Key Management)
      NIST SP 800-57 Part 1: Recommendation for Key Management - Part 1: General (Revised)
13 Information Marking
   Discuss information marking. Topic 3.3.13.
      Ch6, Pg. 363-364 (Marking)
      NIST SP 800-18: Guide for Developing Security Plans for Federal Information Systems
      Administrative Communications System - US Department of Education
      NSA/CSS Storage Device Declassification Manual
      NIST SP 800-88 Rev. 1: Guide for Media Sanitization
14 Non-repudiation
   Discuss non-repudiation. Topic 3.3.14.
      Ch3, Pg. 102 (OSI Security Services and Mechanisms), Appendix B, Pg. 920 (Nonrepudiation)
      Ch8, Pg. 377 (Digital Signature)
      Ch7, Pg. 474 (Requirements and Solutions)
   Explain the importance and role of non-repudiation. Topic 3.3.14.
      Ch3, Pg. 102 (OSI Security Services and Mechanisms), Appendix B, Pg. 920 (Nonrepudiation)
      Ch8, Pg. 377 (Digital Signature)
      Ch7, Pg. 474 (Requirements and Solutions)
15 Public Key Infrastructure (PKI)
   Explain the importance and role of PKI. Topic 3.3.15.
      Ch4, Pg. 267 (Public-Key Infrastructure (PKI))
      Ch8, Pg. 375-377 (Public-Key Infrastructure (PKI))
      Ch7, Pg. 436-438 (PKI and Certificates)

FUNCTION FOUR - ENSURE ESTABLISHMENT OF SECURITY CONTROLS
Ensuring the establishment, administration, and coordination of security for systems that agency, service, or command personnel or contractors operate.

A. ADMINISTRATION
1 Accountability for Classified/Sensitive Data
   Explain the importance of accountability for sensitive data. Topic 4.1.1.
      Ch2, Pg. 7 (Accountability), Pg. 88 (Some Access Control Issues)
      Ch12, Pg. 517-518 (Accounting and Auditing Management)
      Ch3, Pg. 170 (Access Log)
      Administrative Communications System - US Department of Education
      GAO/AIMD-12.19.6: Federal Information System Controls Audit Manual
   Discuss classification and declassification of information. Topic 4.1.1.
      Ch1, Pg. 11-20 (Information Classification Process)
      NSA/CSS Storage Device Declassification Manual
2 Automated Security Tools
   Explain the importance of automated security tools. Topic 4.1.2.
      Automated Security Support Tools - The Key to Successful FISMA Implementation
3 Backups
   Discuss backups. Topic 4.1.3.
      Ch6, Pg. 378-382 (Backup Concepts)
      Ch5, Pg. 225-227 (Data Storage and Management)
      Ch8, Pg. 546 (Backup)
   Explain the importance of backups. Topic 4.1.3.
      Ch6, Pg. 378-382 (Backup Concepts)
      Ch5, Pg. 225-227 (Data Storage and Management)
      Ch8, Pg. 546 (Backup)
4 Change Control/Configuration Management
   Discuss change control. Topic 4.1.4.
      Ch6, Pg. 351-354 (Configuration Management and Change Control)
      Ch2, Pg. 77 (Neglecting Change Control), Ch12, Pg. 514-517 (Configuration and Change Management)
      Ch3, Pg. 163-165 (Configuration Management)
   Discuss configuration management. Topic 4.1.4.
      Ch6, Pg. 351-354 (Configuration Management and Change Control)
      Ch12, Pg. 514-517 (Configuration and Change Management)
      Ch3, Pg. 163-165 (Configuration Management)
   Explain the importance of configuration management. Topic 4.1.4.
      Ch6, Pg. 351-354 (Configuration Management and Change Control)
      Ch12, Pg. 514-517 (Configuration and Change Management)
      Ch3, Pg. 163-165 (Configuration Management)
5 Declassification/Downgrade of Media
   Explain the importance of downgrade of media. Topic 4.1.5.
      Administrative Communications System - US Department of Education
      NIST SP 800-88 Rev. 1: Guide for Media Sanitization
      NSA/CSS Storage Device Declassification Manual
   Discuss the importance of downgrade of information. Topic 4.1.5.
6 Destruction/Purging/Sanitization of Classified/Sensitive Information
   Explain the importance of destruction/purging/sanitization procedures for classified/sensitive information. Topic 4.1.6.
      Ch6, Pg. 362-363 (Media Security Controls), Appendix D, Pg. 977 (Disposition Phase)
      Administrative Communications System - US Department of Education
      NIST SP 800-88 Rev. 1: Guide for Media Sanitization
      NSA/CSS Storage Device Declassification Manual
      NIST CSL Bulletin - Disposition of Sensitive Automated Information
      NIST SP 800-12: An Introduction to Computer Security: The NIST Handbook
B
.
ACCESS
1 Access Controls
Define
manual/automated access
controls
Topic 4.2.1 Ch2, Pg. 55-61
(Access Control)
Ch4, Pg. 141-142
(Access Control)
Ch4, Pg. 194-
204 (Control
of Access to
General
Objects)
Explain the importance
of manual/automated
access controls
Topic 4.2.1 Ch2, Pg. 55-61
(Access Control)
Ch4, Pg. 141-142
(Access Control)
Ch4, Pg. 194-
204 (Control
of Access to
General
Objects)
2 Access Privileges
Explain the importance
of access privileges
Topic 4.2.2 Ch2, Pg. 56
(Controls), Pg. 57-58
(Models for
Controlling Access),
Ch6, Pg. 355-356
(Least Privilege), Pg.
361 (Privileged-Entity
Ch4, Pg. 141-142
(Access Control)
Ch4, Pg. 194-
204 (Control
of Access to
General
Objects)
Quality Enhancement Plan (QEP): From These Roots … A Foundation for Life: Mathematics and Financial Literacy
34
Controls)
3 Discretionary Access
Controls
Ch2, Pg. 58
(Discretionary Access
Control)
Ch4, Pg. 141-142
(Access Control)
Discuss discretionary
access controls
Topic 4.2.3 Ch2, Pg. 58
(Discretionary Access
Control)
Ch4, Pg. 141-142
(Access Control)
Explain the importance
of discretionary access
controls
Topic 4.2.3 Ch2, Pg. 58
(Discretionary Access
Control)
Ch4, Pg. 141-142
(Access Control)
4 Mandatory Access
Controls
Define mandatory access
controls
Topic 4.2.4 Ch2, Pg. 57-58
(Models for
Controlling Access)
Ch4, Pg. 141-142
(Access Control)
Explain the importance
of mandatory access
controls A10 ANNEX A
to CNSSI No. 4012
Topic 4.2.4 Ch2, Pg. 57-58
(Models for
Controlling Access)
Ch4, Pg. 141-142
(Access Control)
5 Biometrics/Biometric
Policies
Explain biometric
policies
Topic 4.2.5 Ch2, Pg. 72-74
(Biometrics)
Ch7, Pg. 342
(Acceptability of
Biometrics)
6 Separation of Duties
Define the need to ensure separation of duties where necessary
Topic 4.2.6
Ch2, Pg. 56-57 (Controls), Ch6, Pg. 346-348 (Separation of Duties)
Ch11, Pg. 500-501 (Internal Control Strategies)
Ch3, Pg. 172 (Separation of Duties), Ch5, Pg. 237 (Separation of Duty)
Explain the importance of the need to ensure separation of duties where necessary
Topic 4.2.6
Ch2, Pg. 56-57 (Controls), Ch6, Pg. 346-348 (Separation of Duties)
Ch11, Pg. 500-501 (Internal Control Strategies)
Ch3, Pg. 172 (Separation of Duties), Ch5, Pg. 237 (Separation of Duty)
7 Need-To-Know Controls
Define need-to-know controls
Topic 4.2.7
Ch2, Pg. 57-58 (Models for Controlling Access), Ch6, Pg. 355 (Need to Know), Appendix B, Pg. 919 (Need to Know)
Ch4, Pg. 131 (Security Clearance)
Ch5, Pg. 232 (Military Security Policy)
NIST SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model
Explain the importance of need-to-know controls
Topic 4.2.7
Ch2, Pg. 57-58 (Models for Controlling Access), Ch6, Pg. 355 (Need to Know), Appendix B, Pg. 919 (Need to Know)
Ch4, Pg. 131 (Security Clearance)
Ch5, Pg. 232 (Military Security Policy)
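The following Python sketch is an added example; it is not material from the course, from the textbooks cited above, or from CNSSI 4012. It puts the three control types listed in rows 3, 4 and 7 into one reference-monitor-style decision so their difference is visible on concrete requests: a discretionary ACL that the object's owner maintains, a mandatory label comparison that the owner cannot override, and a need-to-know compartment test folded into that comparison. Every level, compartment, subject and object below is constructed for the illustration.

```python
"""Access decisions under discretionary, mandatory and need-to-know controls.

Added illustration for the access-control topics above; not code from the
course, the textbooks or CNSSI 4012. Levels, compartments, subjects and
objects are constructed for the example.
"""
from dataclasses import dataclass, field

# Ordered sensitivity levels; index position is the ordering used for dominance.
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")


@dataclass(frozen=True)
class Label:
    """MAC label: a hierarchical level plus a set of need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Both conditions are required. The compartment test is the need-to-know
        # control: a TOP SECRET clearance alone does not reach a SECRET//NUCLEAR object.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label


@dataclass
class Obj:
    name: str
    owner: str
    label: Label
    acl: dict = field(default_factory=dict)  # DAC: owner-maintained subject -> {ops}


def dac_permits(subject: Subject, obj: Obj, op: str) -> bool:
    """Discretionary check: the owner may do anything; others need an ACL grant."""
    return subject.name == obj.owner or op in obj.acl.get(subject.name, set())


def mac_permits(subject: Subject, obj: Obj, op: str) -> bool:
    """Mandatory check, Bell-LaPadula confidentiality rules:
    read  -> clearance must dominate the object label (no read up)
    write -> object label must dominate the clearance (no write down)"""
    if op == "read":
        return subject.clearance.dominates(obj.label)
    if op == "write":
        return obj.label.dominates(subject.clearance)
    return False


def access_allowed(subject: Subject, obj: Obj, op: str) -> bool:
    """MAC is evaluated first and an owner's discretionary grant cannot
    override it; DAC can only narrow what MAC already allows."""
    return mac_permits(subject, obj, op) and dac_permits(subject, obj, op)


# Constructed sample data.
NUCLEAR = frozenset({"NUCLEAR"})
ALICE = Subject("alice", Label("SECRET", NUCLEAR))
BOB = Subject("bob", Label("TOP SECRET"))          # high clearance, no NUCLEAR need-to-know
CAROL = Subject("carol", Label("SECRET", NUCLEAR))
DAVE = Subject("dave", Label("CONFIDENTIAL", NUCLEAR))

PLAN = Obj("plan.doc", owner="alice", label=Label("SECRET", NUCLEAR),
           acl={"bob": {"read"}, "carol": {"read", "write"}})
MEMO = Obj("memo.txt", owner="bob", label=Label("UNCLASSIFIED"),
           acl={"alice": {"read", "write"}})


def decisions() -> dict:
    """Each entry's comment names the control that decides the outcome."""
    return {
        "alice reads plan": access_allowed(ALICE, PLAN, "read"),    # owner, label matches
        "bob reads plan": access_allowed(BOB, PLAN, "read"),        # DAC grant, but no need-to-know
        "carol reads plan": access_allowed(CAROL, PLAN, "read"),    # cleared and granted
        "carol writes plan": access_allowed(CAROL, PLAN, "write"),  # equal labels, write granted
        "dave reads plan": access_allowed(DAVE, PLAN, "read"),      # level too low (no read up)
        "alice reads memo": access_allowed(ALICE, MEMO, "read"),    # dominates, granted
        "alice writes memo": access_allowed(ALICE, MEMO, "write"),  # DAC grants it, MAC forbids write down
        "dave reads memo": access_allowed(DAVE, MEMO, "read"),      # MAC allows, no DAC grant
        "bob writes memo": access_allowed(BOB, MEMO, "write"),      # owner, yet MAC forbids write down
    }


if __name__ == "__main__":
    for request, allowed in decisions().items():
        print(f"{request:20s} -> {'ALLOW' if allowed else 'DENY'}")
```

The two cases worth a manager's attention are "bob reads plan" and "bob writes memo": in the first, an owner's discretionary grant exists but the subject lacks the compartment, so need-to-know denies; in the second, ownership itself is not enough because the mandatory no-write-down rule is evaluated before any discretionary permission.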
C. INCIDENT HANDLING AND RESPONSE
1 Emergency Destruction Procedures
Explain the importance of emergency destruction procedures
Topic 4.3.1
Ch6, Pg. 363 (Destruction)
Security Standard Operating Procedure No. 04 - Naval Command, Control, and Ocean Surveillance Center
2 Organizational/Agency Information Assurance Emergency Response Teams
Explain the role of organizational/agency information assurance emergency response teams
Topic 4.3.2
Ch3, Pg. 187-188 (Computer Incident Response Team)
Army Regulation 25-2 Information Assurance
NIST SP 800-61 Rev. 1 Computer Security Incident Handling Guide
D. CONTINUITY OF OPERATIONS PLANNING
1 Business Recovery
Define business recovery
Topic 4.4.1
Ch8, Pg. 435-446 (Business Continuity Planning)
Ch5, Pg. 209-237 (Continuity Strategies)
Army Regulation 25-2 Information Assurance
NIST SP 800-61 Rev. 1 Computer Security Incident Handling Guide
Explain the importance of business recovery
Topic 4.4.1
Ch8, Pg. 435-446 (Business Continuity Planning)
Ch5, Pg. 209-237 (Continuity Strategies)
2 Contingency/Continuity of Operations Planning
Explain the importance of contingency/continuity of operations planning
Topic 4.4.2
Ch8, Pg. 435-446 (Business Continuity Planning)
Ch5, Pg. 209-237 (Continuity Strategies)
Army Regulation 25-2 Information Assurance
NIST SP 800-61 Rev. 1 Computer Security Incident Handling Guide
Ensure the establishment and testing of contingency/continuity of operations plans
Topic 4.4.2
Ch8, Pg. 435-446 (Business Continuity Planning)
Ch5, Pg. 209-237 (Continuity Strategies)
NIST SP 800-53 Rev. 2 Recommended Security Controls for Federal Information Systems
3 Disaster Recovery
Explain the importance of disaster recovery
Topic 4.4.3
Ch8, Pg. 446-463 (Disaster Recovery Planning (DRP))
Ch5, Pg. 209-237 (Continuity Strategies)
4 Disaster Recovery Plan
Explain the importance of the recovery plan
Topic 4.4.4
Ch8, Pg. 446-463 (Disaster Recovery Planning (DRP))
Ch5, Pg. 209-237 (Continuity Strategies)
Ensure the establishment and testing of recovery plans
Topic 4.4.4
Ch8, Pg. 446-463 (Disaster Recovery Planning (DRP))
Ch5, Pg. 209-237 (Continuity Strategies)
5 Incident Response Policies
Explain the importance of incident response policy
Topic 4.4.5
Ch3, Pg. 187-188 (Computer Incident Response Team)
Ch5, Pg. 209-237 (Continuity Strategies)
Ch8, Pg. 503-504 (Incident Response Plans)
6 Law Enforcement Interfaces/Policies
Discuss law enforcement interfaces
Topic 4.4.6
Ch5, Pg. 235-237 (Law Enforcement Involvement)
Discuss law enforcement policies
Topic 4.4.6
Ch5, Pg. 235-237 (Law Enforcement Involvement)
Explain the importance of law enforcement interfaces
Topic 4.4.6
Ch5, Pg. 235-237 (Law Enforcement Involvement)
7 Reconstitution
Define principles of system reconstitution
Topic 4.4.7
GAO-08-1001 Information Security: Actions Needed to Better Protect Los Alamos National Laboratory's Unclassified Computer Network
NIST SP 800-53 Rev. 2 Recommended Security Controls for Federal Information Systems
Explain the importance of principles of system reconstitution
Topic 4.4.7
8 Restoration
Explain the importance of restoration to continuity of operations
Topic 4.4.8
Ch8, Pg. 435-446 (Business Continuity Planning)
Ch5, Pg. 209-237 (Continuity Strategies)
Army Regulation 25-2 Information Assurance
NIST SP 800-61 Rev. 1 Computer Security Incident Handling Guide
NIST SP 800-53 Rev. 2 Recommended Security Controls for Federal Information Systems
FUNCTION FIVE
ENSURE PROGRAM MANAGERS DEFINE SECURITY IN ACQUISITIONS
Ensuring that the Program Manager/Official defines the system security requirements for acquisitions
A. ACQUISITION
1 Certification Test & Evaluation (CT&E)
Define CT&E as part of the acquisition process
Topic 5.1.1
NSTISSP No. 11 National Information Assurance Acquisition Policy - Fact Sheet
Discuss the importance of CT&E as part of the acquisition process
Topic 5.1.1
2 Certification Tools
Discuss significance/results of certification tools
Topic 5.1.2
CJCSI 3312.01A Joint Military Intelligence Requirements Certification
ESFOR 2004: An Empirical Evaluation of Automated Theorem Provers in Software Certification
3 Product Assurance
Explain the importance of the product assurance role in acquiring systems, i.e., NSTISSP No. 11, Jan 00
Topic 5.1.3
NSTISSP No. 11 National Information Assurance Acquisition Policy - Fact Sheet
NIST SP 800-36 Guide to Selecting Information Technology Security Products
NIST SP 800-23 Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
Explain the importance of protection profiles
Topic 5.1.3
NISTIR 6985 COTS Security Protection Profile - Operating Systems (CSPP-OS)
NIST SP 800-36 Guide to Selecting Information Technology Security Products
Explain the importance of security targets
Topic 5.1.3
NIST SP 800-70 (Draft) Security Configuration Checklists Program for IT Products
NISTIR 6985 COTS Security Protection Profile - Operating Systems (CSPP-OS)
NIST SP 800-36 Guide to Selecting Information Technology Security Products
4 Contracting for Security Services
Discuss types of contracts for security services
Topic 5.1.4
NIST SP 800-64 Rev. 2 Security Considerations in the Information System Development Life Cycle
NIST SP 800-35 Guide to Information Technology Security Services
Define where contracting for security services is appropriate
Topic 5.1.4
Explain threats from contracting for security services
Topic 5.1.4
5 Disposition of Classified Material
Discuss disposition of classified materials
Topic 5.1.5
Ch6, Pg. 362-363 (Overwriting) (Degaussing) (Destruction)
NIST CSL Bulletin - Disposition of Sensitive Automated Information
Administrative Communications System - US Department of Education
NIST SP 800-88 rev1 Guidelines for Media Sanitization
NSA/CSS Storage Device Declassification Manual
NIST SP 800-12 An Introduction to Computer Security: The NIST Handbook
Explain the importance of the correct disposition of classified material
Topic 5.1.5
Ch6, Pg. 362-363 (Overwriting) (Degaussing) (Destruction)
Explain the importance of remanence
Topic 5.1.5
Ch6, Pg. 357 (Data Remanence)
6 Facilities Planning
Discuss facilities planning
Topic 5.1.6
Ch10, Pg. 520-522 (Facility Requirements Planning)
NIST SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model
Explain the importance of facilities planning
Topic 5.1.6
Ch10, Pg. 520-522 (Facility Requirements Planning)
7 System Disposition/Reutilization
Explain the importance of vulnerabilities from improper disposition/reutilization
Topic 5.1.7
Ch6, Pg. 362-363 (Overwriting) (Degaussing) (Destruction)
NIST CSL Bulletin - Disposition of Sensitive Automated Information
Administrative Communications System - US Department of Education
NIST SP 800-88 rev1 Guidelines for Media Sanitization
NSA/CSS Storage Device Declassification Manual
NIST SP 800-12 An Introduction to Computer Security: The NIST Handbook
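The following Python script is an added example, not material from the course, the textbooks, or NIST SP 800-88, and it illustrates the overwrite-then-verify step behind rows 5 and 7 (remanence and disposition/reutilization). It clears a target with a fixed pattern, forces the write to the medium, and reads the whole target back before reporting it clean; demo() runs it on a temporary file that stands in for a device image and then plants a single stray byte to show the verification catching residue. The file path, its contents and the planted byte are constructed for the example, and the caveat in verify() is the reason a read-back alone is not sufficient evidence for flash media.

```python
"""Overwrite-and-verify for a disk image or block device.

Added illustration for the disposition/remanence topics above; not code from
the course, the textbooks or NIST SP 800-88. The image, its contents and the
residue planted in demo() are constructed for the example.
"""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per I/O; keeps memory flat on large targets


def _size(fd: int) -> int:
    """Byte length of a regular file or block device open at fd."""
    return os.lseek(fd, 0, os.SEEK_END)


def overwrite(path: str, pattern: bytes = b"\x00") -> int:
    """Write `pattern` over every byte of `path` and flush it to the medium.
    Returns the number of bytes written. Opening the device node (not a file
    inside a file system) is what keeps journals, snapshots and copy-on-write
    from leaving the old data elsewhere on the same medium."""
    if not pattern:
        raise ValueError("pattern must be non-empty")
    fd = os.open(path, os.O_WRONLY)
    try:
        size = _size(fd)
        os.lseek(fd, 0, os.SEEK_SET)
        buf = pattern * (CHUNK // len(pattern) + 2)   # long enough for any phase + CHUNK
        written = 0
        while written < size:
            start = written % len(pattern)            # keep pattern phase across short writes
            n = min(CHUNK, size - written)
            written += os.write(fd, buf[start:start + n])
        os.fsync(fd)   # never report success while the data is only in the page cache
        return written
    finally:
        os.close(fd)


def verify(path: str, pattern: bytes = b"\x00") -> dict:
    """Read the whole target back and compare it with the expected pattern.
    `clean` is True only if every byte matched. Caveat: on flash/SSD the
    controller remaps blocks, so a clean read-back covers only the addressable
    space, not spare or retired blocks; for such media NIST SP 800-88 points
    to the drive's own sanitize command, cryptographic erase, or destruction."""
    fd = os.open(path, os.O_RDONLY)
    try:
        size = _size(fd)
        os.lseek(fd, 0, os.SEEK_SET)
        expected = pattern * (CHUNK // len(pattern) + 2)
        checked, first_bad = 0, None
        while checked < size:
            data = os.read(fd, CHUNK)
            if not data:
                break
            start = checked % len(pattern)
            want = expected[start:start + len(data)]
            if data != want:
                off = next(i for i, (a, b) in enumerate(zip(data, want)) if a != b)
                first_bad = checked + off
                break
            checked += len(data)
        return {"bytes": size, "checked": checked, "first_mismatch": first_bad,
                "clean": first_bad is None and checked == size}
    finally:
        os.close(fd)


def demo() -> tuple:
    """Constructed scenario on a temporary file standing in for a device:
    residue present -> clear -> verify -> plant one stray byte -> verify catches it."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"SECRET//NUCLEAR plan v3 " * 40000)   # 960000 bytes of residue
        image = tmp.name
    try:
        before = verify(image)["clean"]
        size = overwrite(image)
        after = verify(image)["clean"]
        fd = os.open(image, os.O_WRONLY)                  # simulate a block the wipe missed
        try:
            os.lseek(fd, 4242, os.SEEK_SET)
            os.write(fd, b"A")
        finally:
            os.close(fd)
        missed = verify(image)["first_mismatch"]
        return before, size, after, missed
    finally:
        os.unlink(image)


if __name__ == "__main__":
    print(demo())   # (False, 960000, True, 4242)
```

On a real target the path would be the raw device node and the script would need root; the point of the second verify() call in demo() is that a disposition record should rest on a read-back that found nothing, not on the overwrite having returned without error.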
B. LIFE CYCLE MANAGEMENT
1 Life Cycle System Security Planning
Discuss life cycle security planning
Topic 5.2.1
Appendix D, Pg. 974-980 (Implementing Information Assurance in the System Life Cycle)
NISTIR 4909 Software Quality Assurance: Documentation and Reviews
Explain the importance of life cycle system security planning
Topic 5.2.1
Appendix D, Pg. 974-980 (Implementing Information Assurance in the System Life Cycle)
2 System Security Architecture
Discuss system security architecture
Topic 5.2.2
Ch5, Pg. 198-199 (IETF Security Architecture), Pg. 201-206 (Design of Security Architecture)
Explain how system security architecture supports continuity of operations CONOPS
Topic 5.2.2
Ch5, Pg. 198-199 (IETF Security Architecture), Pg. 201-206 (Design of Security Architecture)
FUNCTION SIX
ASSIGN RESPONSIBILITIES
Assigning Information Assurance (IA) responsibilities to the individuals reporting directly to the SSM
1 Certification and Accreditation (C&A)
Discuss responsibilities associated with accreditation
Topic 6.1
Ch11, Pg. 573-577 (C&A Roles and Responsibilities)
Ch1, Pg. 28-38 (Security Professionals and Organization)
NCSC-TG-029 Introduction to Certification and Accreditation
NSTISSI No. 1000 National Information Assurance Certification and Accreditation Process (NIACAP)
NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems
Discuss roles associated with certification
Topic 6.1
Ch11, Pg. 573-577 (C&A Roles and Responsibilities)
Ch1, Pg. 28-38 (Security Professionals and Organization)
Explain the importance of certification and accreditation (C&A)
Topic 6.1
Ch11, Pg. 560-561 (Federal Information Processing Standard (FIPS) 102), Ch11, Pg. 572-573 (What is Certification and Accreditation?)
Facilitate the C&A process
Topic 6.1
Ch11, Pg. 560 (Federal Information Processing Standard (FIPS) 102), Pg. 561 (DoD Information Technology Security Certification and Accreditation Process (DITSCAP)), Pg. 565 (The National Information Assurance Certification and Accreditation Process (NIACAP)), Pg. 567 (Defense Information Assurance Certification and Accreditation Process (DIACAP))
2 Information Ownership
Explain the importance of establishing information ownership
Topic 6.2
Ch1, Pg. 24 (Roles and Responsibilities), Ch11, Pg. 573-577 (C&A Roles and Responsibilities), Appendix D, Pg. 981 (Roles of Key Personnel in the Risk Management Process)
Ch1, Pg. 29-30 (Data Ownership)
3 System Certifiers and Accreditors
Discuss risk as it applies to certification and accreditation
Topic 6.3
Ch1, Pg. 30-38 (Overview of Risk Analysis), Ch12, Pg. 593-603 (Initial Risk Estimation), Appendix B, Pg. 929 (Risk)
Ch10, Pg. 453-463 (Information System Security Certification and Accreditation)
NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems
NSTISSI No. 1000 National Information Assurance Certification and Accreditation Process (NIACAP)
4 Risk Analysts
Discuss risk analysts' reports
Topic 6.4
Ch1, Pg. 30-38 (Overview of Risk Analysis)
Discuss system certifiers and accreditors in risk mitigation
Topic 6.4
Appendix D, Pg. 988 (Risk Mitigation), Appendix E, Pg. 1061 (Risk Mitigation)
NIST SP 800-30 Risk Management Guide for Information Technology Systems
5 Information System Security Manager (ISSM)
Define the role of the Information System Security Manager (ISSM)
Topic 6.5
NAVSO P-5239-04 Information Systems Security Manager (ISSM) Guidebook
6 Information System Security Officer (ISSO)
Define the role of the Information System Security Officer (ISSO)
Topic 6.6
Ch1, Pg. 30 (RM Roles), Ch11, Pg. 576 (Information Systems Security Officer (ISSO)), Appendix B, Pg. 910 (Information System Security Officer (ISSO))
NIST SP 800-30 Risk Management Guide for Information Technology Systems
FUNCTION SEVEN
DEFINE CRITICALITY AND SENSITIVITY
Defining the criticality and classification/sensitivity levels of each IS and approving the classification level required for the applications implemented on them
1 Aggregation
Explain the importance of the vulnerabilities associated with aggregation
Topic 7.1
Ch2, Pg. 61-68 (Access Control Attack), Ch6, Pg. 373 (Threats and Vulnerabilities), Ch12, Pg. 593-596 (Initial Risk Estimation), Appendix D, Pg. 954-956 (Types and Classes of Attack), Appendix D, Pg. 983 (Threat Identification)
Ch2, Pg. 40-63 (Threats), Pg. 63-73 (Attacks)
Ch1, Pg. 5-6 (Threats, Vulnerabilities, and Controls)
2 Disclosure of Classified/Sensitive Information
Explain the liabilities associated with disclosure of classified/sensitive information
Topic 7.2
USAID General Notice - Policy - Improper Disclosure of Information
FUNCTION EIGHT
ALLOCATE RESOURCES
Allocate resources to achieve an acceptable level of security and to remedy security deficiencies
1 Resource Roles and Responsibilities
Discuss the respective roles and responsibilities of resource management staff
Topic 8.1
State of Texas Department of Information Resources - Information Resources Manager (IRM) Overview
NIST SP 800-36 Guide to Selecting Information Technology Security Products
USAID Information Technology Security Roles and Responsibilities
Roles and Responsibilities Policy for Security and Access of UCSC Electronic Information Resources
Assign/appoint key resource managers
Topic 8.1
2 Budget/Resource Allocation
Evaluate the information assurance budget
Topic 8.2
DISA DoD Application Security and Development Security Technical Implementation Guide
DoD Final Report of the Defense Science Board Task Force on Globalization and Security, December 1999
Explain the importance of the information assurance budget
Topic 8.2
Defend the budget for information assurance
Topic 8.2
3 Business Aspects of Information Security
Discuss business aspects of information security
Topic 8.3
Ch8, Pg. 435-446 (Business Continuity Planning)
Ch2, Pg. 39-40 (Business Needs First), Ch5, Pg. 209-237 (Continuity Strategies)
Discuss protection of commercial proprietary information
Topic 8.3
Ch8, Pg. 435-446 (Business Continuity Planning)
Ch2, Pg. 39-40 (Business Needs First), Ch5, Pg. 209-237 (Continuity Strategies)
Explain the importance of business aspects of information security
Topic 8.3
Ch8, Pg. 435-446 (Business Continuity Planning)
Ch2, Pg. 39-40 (Business Needs First), Ch5, Pg. 209-237 (Continuity Strategies)
Explain the importance of protecting commercial proprietary information
Topic 8.3
Ch8, Pg. 435-446 (Business Continuity Planning)
Ch2, Pg. 39-40 (Business Needs First), Ch5, Pg. 209-237 (Continuity Strategies)
FUNCTION NINE
MULTIPLE AND JOINT ACCREDITATION
Resolve issues regarding those systems requiring multiple or joint accreditation. This may require documentation of conditions or agreements in Memoranda of Agreement (MOA); and
1 Memoranda of Understanding/Agreement (MOU/MOA)
Explain the importance of MOU/MOA
Topic 9.1
Memorandum of Agreement (MOA)
Memorandum of Agreement between the Secretary of the Interior and the State of Idaho
Definition of Memorandum of Understanding (MOU)
Memorandum of Understanding
Memorandum of Understanding Concerning Cooperation Between the US Securities and Exchange Commission and the US Department of Labor
Facilitate development and execution of MOU/MOA
Topic 9.1
FUNCTION TEN
ASSESS NETWORK SECURITY
Ensure that when classified/sensitive information is exchanged between IS or networks (internal or external), the content of this communication is protected from unauthorized observation, manipulation, or denial
1 Connectivity
Discuss connected organizations
Topic 10.1
NIST SP 800-12 An Introduction to Computer Security: The NIST Handbook
NIST SP 800-13 Telecommunications Security Guidelines for Telecommunications Management Network
Discuss connectivity involved in communications
Topic 10.1
Ch3, Pg. 97 (Availability)
Explain the importance of connectivity involved in communications
Topic 10.1
Ch3, Pg. 97 (Availability)
2 Emissions Security (EMSEC) and TEMPEST
Define TEMPEST requirements
Topic 10.2
Ch9, Pg. 474 (Emanation Eavesdropping)
Ch9, Pg. 425 (Interception of Data)
TEMPEST
NSA - TEMPEST: A Signal Problem
NSTISSAM TEMPEST/2-95
Information Leakage from Optical Emanations
Discuss threats from Emissions Security (EMSEC)
Topic 10.2
Ch9, Pg. 474 (Emanation Eavesdropping)
Ch9, Pg. 425 (Interception of Data)
Discuss threats from TEMPEST failures
Topic 10.2
Ch9, Pg. 474 (Emanation Eavesdropping)
Ch9, Pg. 425 (Interception of Data)
Explain the importance of the threats from Emissions Security (EMSEC)
Topic 10.2
Ch9, Pg. 474 (Emanation Eavesdropping)
Ch9, Pg. 425 (Interception of Data)
Explain the importance of the threats from TEMPEST failures
Topic 10.2
Ch9, Pg. 474 (Emanation Eavesdropping)
Ch9, Pg. 425 (Interception of Data)
3 Wireless Technology
Discuss electronic emanations
Topic 10.3
Ch9, Pg. 474 (Emanation Eavesdropping)
Ch9, Pg. 425 (Interception of Data)
Discuss threats from electronic emanations
Topic 10.3
Ch9, Pg. 474 (Emanation Eavesdropping)
Ch9, Pg. 425 (Interception of Data)
Explain the importance of wireless technology
Topic 10.3
Ch3, Pg. 164-173 (Wireless Technologies)
Ch7, Pg. 370 (Wireless)
Explain the risks associated with portable wireless systems, viz., PDAs, etc.
Topic 10.3
Ch3, Pg. 182 (PDA Security Issues)
Explain the importance of vulnerabilities associated with connected systems using wireless technology
Topic 10.3
Ch3, Pg. 175-182 (Wireless Vulnerability)
Ch7, Pg. 400-402 (Wireless)