CSC 382 Introduction to Information Assurance (Online)

Transcription

1 CSC 382 Introduction to Information Assurance (Online) Online Comments This is an online course. The following information is very important. CSC 382 is the capstone course for CSC/CIS majors receiving CNSS It is also the prerequisite for students starting the CNSS 4012 course sequence. An awareness of the is the goal. You will be responsible for a number of readings and Cyber Security Training modules (see The workload is reasonable but continuous. I will not accept any late submissions and you are expected to follow instructions. If you have questions, contact me at once (see contact information below). If you have trouble with BlackBoard or using the Hampton University intranet system, contact me immediately. Course Description An introduction to the various technical and administrative aspects of Information Security and Assurance. This course provides the foundation for understanding the key issues associated with protecting information assets, determining the levels of protection and response to security incidents, and designing a consistent, reasonable information security system, with appropriate intrusion detection and reporting features. The purpose of the course is to provide the student with an overview of the field of Information Security and Assurance. Students will be exposed to the spectrum of Security activities, methods, methodologies, and procedures. Coverage will include inspection and protection of information assets, detection of and reaction to threats to information assets, and examination of pre- and post-incident procedures, technical and managerial responses and an overview of the Information Security Planning and Staffing functions. INSTRUCTOR: Mr. Robert A. Willis Jr. Office: ST 120 Telephone: Office Hours: MWF 9:00 11:00 TR 11:00 1:00 Contact: robert.willis@hamptonu.edu Skype: rwjr1944 1

2 Twitter: rwjr1944 Course Objectives: After completing the course, students will be able to: Identify and prioritize information assets. Identify and prioritize threats to information assets. Define an information security strategy and architecture. Plan for and respond to intruders in an information system Describe legal and public relations implications of security and privacy issues. Present a disaster recovery plan for recovery of information assets after an incident. Minimum Competencies: Students meeting minimum competencies should expect to receive a grade between 74% and 77%. Minimum competencies for this course are as follows: Identify and prioritize information assets. Identify and prioritize threats to information assets. Define an information security strategy and architecture. Plan for and respond to intruders in an information system Describe legal and public relations implications of security and privacy issues. Course Topics: This course will cover most of the information assurance concepts including: Introduction to Information Security (3 hours) The Need for Security (3 hours) Legal, Ethical, and Professional Issues in Information Security (3 hours) Risk Management (3 hours) Planning for Security (3 hours) Technology: Firewalls, VPNs, IDS, and Access Control (3 hours) Cryptography (3 hours) Physical Security (3 hours) Implementing Security (3 hours) Security and Personnel (3 hours) Information Security Maintenance (3 hours) Supplement Materials (contents from the optional textbooks) (3 hours) Laboratory (9 hours) Mapping to CNSSI 4011 can be found here. Textbooks: 2

3 (required) Principle of Information Security, 3rd edition, Michael E. & Herbert J. Mattord, Thomson, (on reserve for required readings) The CISSP Prep Guide: Mastering the CISSP and ISSEP Exams, 2nd edition, Ronald L. and Russell Dean Vines, Wiley, (on reserve for required readings) Security in Computing, 3 rd edition, C. P. Pfleeger, S. L. Pfleeger, Prentice Hall, Supplemental Materials (SM): Materials not available via the Internet are posted on BlackBoard (SM-1) Maconachy, Schou, Ragsdale and Welch, A Model for Information Assurance: An Integrated Approach, Proceedings of the 2001 IEEE Workshop on IAS, USMA, West Point, NY 5-6 June (required reading) (SM-2) NSTISSAM TEMPEST/1 & 2-95, December 1995 (some required readings) (SM-3) Operations Security (OPSEC), Joint Publication , 29 June, 2006 (some required readings). (SM-4) HUMINT, (some required reading) (SM-5) Technical Surveillance Countermeasures Program, Department of Defense, Number , Feb. 22, 2006 (some required reading) (SM-6) NASA COMSEC Procedures and Guidelines, NPG A, Effective Date: March 2, 2000, Expiration Date: March 2, 2002 (some required reading) (SM-7) Automated Information Systems (AIS) Security, Department of Veterans Affairs, VHA Directive 6210, Transmittal Sheet, March 7, 2000 (some required reading) (SM-8) Automated Information Systems Security Policy, U.S. Customs Service, Office of Information and Technology (some required reading) (SM-9) Security Standard Operating Procedure No. 4, SSOP NO.4, NAVAL COMMAND, CONTROL, AND OCEAN SURVEILLANCE CENTER (some required reading) (SM-10) Personnel Security Standard, Virginia's Community College, (some required reading) (SM-11) Personnel Security, University of Mary Washington, (some required reading) (SM-12) Standard Practice Procedures for Security Service, George Mason University, (some required reading) (SM-13) Security Mechanism, RBC bank, html (some required reading) 3

4 (SM-14) Software Security Policy, Purdue University, (some required reading) (SM-15) Audit Trials, HP, (some required reading) (SM-16) Audit Logging Security Standards, IRS, (some required reading) (SM-17) Defending Medical Information Systems Against Malicious Software, Joint NEMA/COCIR/JIRA Security and Privacy Committee (SPC), (some required reading) (SM-18) Declassification and Downgrading, Army Regulation 280-5, Chapter 3, (some required reading) (SM-19) Using Context- and Content-Based Trust Policies on the Semantic Web, Christian Bizer & Radoslaw Oldakowski, In Proceeding of WWW2004, May 17-22, 2004, New York, NY, USA, www4.wiwiss.fu-berlin.de/bizer/swtsguide/p747-bizer.pdf (some required reading) (SM-20) Input Signal Rage Guidance, (some required reading) (SM-21) Design of an intelligent data base for the IFR, Transactions of the American Nuclear Society ; Vol/Issue: 65; American Nuclear Society annual meeting; 7-12 Jun 1992; Boston, MA (United States); DOE Project, (some required reading) (SM-22) An Introduction to Computer Security - The NIST Handbook, (some required reading) Tentative Course Outline: Please note that this is an online course and that the schedule will be followed. You are expected to follow the schedule. Week Topics Text chapters Tests / Assignments 1 1. Introduction to Information Security 1.1. The History of Information Security 1.2. What is Security / Information Security? 1.3. Critical Characteristics of Information Security? Ch1 & Ch11, 12 & SM-1 HW1 4

5 1.4. NSTISSC Security Model 1.5. Information Assurance Model (Maconachy, Schou, Ragsdale (MSR) Cube) (Supplemental Materials SM-1) 1.6. Components of an Information System 1.7. Securing Components 1.8. Balancing Information Security and Access 1.9. Approaches to Information Security Implementation The Systems Development Life Cycle The Security Systems Development Life Cycle Systems Life Cycle Processes, Certification, and Accreditation ( Ch11, Ch12) Security Professionals and the Organization Communities of Interest Information Security: Is it an Art or a Science? Information Security Terminology 2 2. The Need for Security 2.1. Business Needs First 2.2. Threats 2.3. Attacks 2.4. OPSEC Process (Operations Security) ( Ch6 & Supplemental Material SM- Ch2 & Ch6 & SM-3, SM-4, SM-13, SM-14 HW2 5

6 3) 2.5. OPSEC Surveys / OPSEC Planning (Operations Security) ( Ch6 & Supplemental Material) 2.6. Unclassified Indicators (Operations Security) ( Ch6 & Supplemental Material SM-3) 2.7. HUMINT ( Ch6, Supplemental Materials SM-4) 2.8. Media Processes - Attribution, Destruction, Classification, Sanitization, Transportation, Inventory ( Ch6) 2.9. Security Software Development ( Ch2, Supplemental Materials SM-13, SM- 14) 3 3. Legal, Ethical, and Professional Issues in Information Security 3.1. Law and Ethics in Information Security 3.2. Types of Law 3.3. Relevant U.S. Laws 3.4. International Laws and Legal Bodies 3.5. Policy versus Laws 3.6. Ethics and Information Security 3.7. Codes of Ethics and Professional Organizations 3.8. evidence collection and preservation ( Chapter 9) Ch3 & Ch9 HW3 4 Laboratory 1 Review TBA Exam 1 - TBA 6

7 5 4. Risk Management 4.1. An Overview of Risk Management Ch4 & Ch Risk Identification 4.3. Risk Assessment 4.4. Risk Control Strategies 4.5. Selecting a Risk Control Strategy 4.6. Risk Management Discussion Points 4.7. Documenting Results 4.8. Recommended Practices in Controlling Risk 4.9. National Threats, Vulnerabilities, Countermeasures, Risk Management, and other facets of NSTISS ( Ch1) 6 5. Planning for Security 5.1. Information Security Policy, Standards, and Practices 5.2. Telecommunication Systems, Telecommunications Policies and Security, Contracts and Reference, Vulnerabilities, Threats, Countermeasures ( Ch3) 5.3. Security Policies Implementation ( Ch1) 5.4. The Information Security Blueprint 5.5. Security Education, Training, and Awareness Program 5.6. Continuity Strategies 5.7. AIS Security Policy (Supplemental Ch5 & Ch1, Ch3 & SM-6, SM-7, SM-8, SM-9 HW4 7

8 Materials SM-7 & SM-8) 5.8. Security Standard Operating Procedure (Supplemental Materials SM-9) 5.9. COMSEC (Supplemental Materials SM-6) 7 6. Security Technology 6.1. Physical Design 6.2. Computer Security - Access Control, Audit, Identification and Authentication, operating system security, trusted operating system, and Object Reuse (Pfleeger Ch3, Ch4, Ch5) 6.3. Firewalls 6.4. Protecting Remote Connection 6.5. Introduction Detection Systems 6.6. Honey Pots, Honey Nets, and Padded Cell Systems 6.7. Scanning and Analysis Tools 6.8. Access Control Devices 6.9. Technical Surveillance Countermeasures (Supplemental Materials SM-5) Ch6, Ch7 & Pfleeger Ch3, Ch4, Ch5 & SM-5 HW Cryptography 7.1. A Short History of Cryptology Ch8 Exam 2 TBA 7.2. Principles of Cryptography 7.3. Cryptography Tools 7.4. Protocols for Secure Communications 7.5. Attacks on Cryptosystems 8

9 9 8. Physical Security 8.1. Physical Access Control 8.2. Fire Security and Safety 8.3. Failure of Supporting Utilities and Structural Collapse 8.4. Interception of Data 8.5. Mobile and Portable Systems 8.6. Special Consideration for Physical Security Threats Ch9 HW7 Laboratory Implementing Information Security 9.1. Project Management for Information Security 9.2. Technical Topics of Implementation 9.3. Nontechnical Aspects of Implementation 9.4. Operations Security ( Ch6) 9.5. Security Architectures and Design Ch10 & Ch5, Ch6 HW Security and Personnel The Security Function Within an Organization's Structure Positioning and Staffing the Security Function Credentials of Information Security Professionals Employment Policies and Practices Security Considerations for Nonemployees Separation of Duties and Collusion ( Ch1, Ch6) Ch11 & Ch1, Ch6 & SM-10, SM-11, SM-12 HW9 9

10 10.7. Privacy and the Security of Personnel Data Information Classification Roles ( Ch1) Personnel Security Standard (Supplemental Materials SM-10, SM-11, SM-12) 12 Laboratory 3 Ch12 HW10, 11. Information Security Maintenance Managing for Change Security Management Models The Maintenance Model Digital Forensics TEMPEST Security (Supplemental Materials SM-2) Introduction Definition RED/BLACK Installation Recommendation Guidance for TEMPEST Integrity Secure Voice Systems Sensitive Compartment Information SM-2 Important Dates: TBA The following information applies to all students in the School of Science: 10

11 In addition to the minimum grade requirements established by Hampton University, all majors within the School of Science must pass all required courses offered within the School of Science with a grade of C or better in order to satisfy degree requirements. The minimum grade requirement is in effect for all science courses taken during Fall 2001 and beyond. Course Assignment and Calendar: Homework Assignments: There are two types of homework assignments: problems and projects. Both of them will be issued and specified with their due date in Blackboard. Problems will be used to evaluate the understanding of course and projects will be used to evaluate the complexity of algorithm studied in class. All of the projects must be implemented by Java in Unix/Linux environments (when appropriate). Late submissions will not be accepted and will be counted as zero. Final Exam The exam will be given on the date scheduled by the registrar. The exam will be comprehensive. There are no exemptions from the exam. TBA Attendance Hampton University s attendance policy will be observed, which means that you are expected to attend all classes as scheduled. You are responsible for any assignments, deliveries, and class discussions at all times. I will take attendance at the beginning of each class period. If you are not present for the roll call, attendance points will be deducted from your grade. I will not tolerate habitual tardiness; it is disruptive and unfair to your fellow students. Writing-Across-The-Curriculum Hampton University adopts the policy in all courses of writing across the curricula. In this course, the objectives will be achieved by homework assignments, program comments, and various tests. The Ethics Paper: Details about the ethics paper will be provided at least one month prior to the due date. The ethics paper will be graded based on the criteria listed in Hampton University Scoring Rubric. Grades The final grade of this course will be determined by the combined weight of following components: 11

12 Examinations (2) 20 % Homework (10) 40 % Laboratory (3) 15% Ethics Paper 5 % Final exam (Comprehensive) 20 % Course grades will follow the scale of the university grading system: A A A B B B C C C D D D

13 F Below 60 Make-Up Policy: No make-up tests will be given without pervious arrangements, a written medical excuse, or an emergency approved by appropriate university official. Policy on Academic Dishonesty: Please see page 29 of the Student Handbook. Cheating: A student caught cheating on an examination or plagiarizing a paper which forms a part of a course grade shall be given an "F" in the course and will be subject to dismissal from the University, A student is considered to be cheating if, in the opinion of the person administering an examination (written or oral), the student gives, seeks, or receives aid during the process of the examination; the student buys, sells, steals, or otherwise possesses or transmits an examination without authorization; or, the student substitutes for another or permits substitution for himself/ herself during an examination. All cases of cheating shall be reported by the instructor to the chair of the department in which the cheating occurred, to the school dean/division director and to the Provost. No penalty shall be imposed until the student has been informed of the charge and of the evidence upon which it is based and has been given an opportunity to present his/her defense. If the faculty member and the student cannot agree on the facts pertaining to the charge, or if the student wishes to appeal a penalty, the issue may be taken to the department chair. Each party will present his/her case to the chair who shall then call a meeting of all involved parties. If the issue is not resolved at the departmental level, the dean shall conduct a hearing. If the issue is not resolved at the school level either party may appeal the decision at the school level to the Provost who shall convene the appropriate individuals and conduct a hearing in order to resolve the issue. Plagiarism: Plagiarism is defined as "taking and using as one's own the writing or ideas of another." All used to meet assigned written requirements of a course, from any source, must be given proper credit by citing the source. A student caught plagiarizing a paper which forms a part of a course grade shall be given an "F" in the course and will be subject to dismissal from the University. PENALTIES FOR ACADEMIC DISHONESTY Cases of academic dishonesty are initially investigated and reported by members of the instructional faculty to the chairperson of the department in which the cheating occurred, to the school dean, division director and to the Provost. Also, penalties for minor violations of academic dishonesty are to be recommended at the discretion of the instructor. The penalties for academic dishonesty on examinations and major course requirements may include one of the following: 1. A grade of "F" on the examination or project. 2. A grade of "F" on the examination or project and dismissal from the course. 13

14 3. A grade of F on the examination or project, dismissal from the course and from the University. When dismissal from the University is the recommended penalty, the chairman of the department submits the details of the case to the Provost who schedules a hearing. ADMINISTRATIVE ACTION The Provost has the authority to dismiss or expel any student who fails to meet scholarship requirements or to abide by academic regulations. Dress Code: This code is based on the theory that learning to select attire appropriate to specific occasions and activities is a critical factor in the total educational process. Understanding and employing the Hampton University Dress Code will improve the quality of one s life, contribute to optimum morale, and embellish the overall campus image. It also plays a major role in instilling a sense of integrity and an appreciation for values and ethics as students are propelled towards successful careers. Students will be denied admission to various functions if their manner of dress is inappropriate. On this premise students at Hampton University are expected to dress neatly at all times. The following are examples of appropriate dress for various occasions: 1. Classroom, Cafeteria, Student Union and University Offices casual attire that is neat and modest. 2. Formal programs in Ogden Hall, the Convocation Center, the Student Center Ballroom, the Little Theater and the Memorial Chapel event appropriate attire as required by the event announcement. 3. Interviews Business attire. 4. Social/Recreational activities, Residence hall lounges (during visitation hours) casual attire that is neat and modest. 5. Balls, Galas, and Cabarets formal, semi-formal and after five attire, respectively. Examples of inappropriate dress and/or appearance include but not limited to: 1. Do-rags, stocking caps, skullcaps and bandannas are prohibited at all times on the campus of Hampton University (except in the privacy of the student s living quarters). 2. Head coverings and hoods for men in any building. 3. Baseball caps and hoods for women in any building. a. This policy item does not apply to headgear considered as a part of religious or cultural dress. 4. Midriffs or halters, mesh, netted shirts, tube tops or cutoff tee shirts in classrooms, cafeteria, Student Union and offices; 14

15 5. Bare feet; 6. Short shirts; 7. Shorts, all types of jeans at programs dictating professional or formal attire, such as Musical Arts, Fall Convocation, Founder s Day, and Commencement; 8. Clothing with derogatory, offensive and/or lewd message either in words or pictures; 9. Men s undershirts of any color worn outside of the private living quarters of the residence halls. However, sports jerseys may be worn over a conventional tee-shirt. Procedure for Cultural or Religious Coverings 1. Students seeking approval to wear headgear as an expression or religious or cultural dress may make a written request for a review through the Office of the Chaplain. 2. The Chaplain will forward his recommendation the Dean of Students for final approval. 3. Students that are approved will then have their new ID card picture taken by University Police with the headgear being worn. All administrative, faculty and support staff members will be expected to monitor student behavior applicable to this dress code and report any such disregard or violations to the Offices of the Dean or Men, or Dean of Women for the attention of the Dean of Students. CODE OF CONDUCT Joining the Hampton Family is an honor and requires each individual to uphold the policies, regulations, and guidelines established for students, faculty, administration, professional and other employees, and the laws of the Commonwealth of Virginia. Each member is required to adhere to and conform to the instructions and guidance of the leadership of his/her respective area. Therefore, the following are expected of each member of the Hampton Family: 1. To respect himself or herself. 2. To respect the dignity, feelings, worth, and values of others. 3. To respect the rights and property of others and to discourage vandalism and theft. 4. To prohibit discrimination, while striving to learn from differences in people, ideas, and opinions. 5. To practice personal, professional, and academic integrity, and to discourage all forms of dishonesty, plagiarism, deceit, and disloyalty to the Code of Conduct. 6. To foster a personal professional work ethic within the Hampton University Family. 7. To foster an open, fair, and caring environment. 15

16 8. To be fully responsible for upholding the Hampton University Code. Students with disabilities which require accommodations should (1) register with the Office of Testing Services and 504 Compliance to provide documentation and (2) bring the necessary information indicating the need for accommodation and what type of accommodation is needed. This should be done during the first week of classes or as soon as the student receives the information. If the instructor is not notified in a timely manner, retroactive accommodations may not be provided. DISCLAIMER This syllabus is intended to give the student guidance in what may be covered during the semester and will be followed as closely as possible. However, the professor reserves the right to modify, supplement and make changes as course needs arise. 16

17 Hampton University Scoring Rubric The Hampton University Advisory Council of the Writing Program has approved and recommended the use of the scoring rubric as a guide for evaluating student-writing performance across the curriculum. 6 A paper in this category: States purpose (e.g., position or thesis) insightfully, clearly and effectively Provide thorough, significant development with substantial depth and persuasively marshals support for position Demonstrates a focused, coherent, and logical pattern of organization Displays a high level of audience awareness Use disciplinary facts critically and effectively Has support control of diction, sentence structure, and syntactic variety, but may have a few minor flaws in grammar, usage, punctuation, or spelling Documents sources consistently and correctly using a style appropriate to the discipline 5 A paper in this category: States purpose (e.g., position or thesis) clearly and effectively Provide development with some depth and complexity of thought and supports position convincingly Demonstrates effect pattern of organization Displays a clear sense of audience awareness Use disciplinary facts effectively Has good control of diction, sentence structure, and syntactic variety, but may have a few minor errors in grammar, usage, punctuation, or spelling Documents sources correctly using a style appropriate to the discipline 4 A paper in this category: States purpose (e.g., position or thesis) adequately Provides competent development with little evidence of complexity of thought Demonstrates an adequate pattern of organization Displays some degree of audience awareness Uses disciplinary facts adequately 17

18 Has adequate control of diction, sentence structure, and syntactic variety, but may have some error in grammar, usage, punctuation, or spelling Documents sources adequately using a style appropriate to the discipline 3 A paper in this category: States purpose (e.g., position or thesis) but with varying degree of clarity Provides some development for most ideas Demonstrates some pattern of organization, but with some lapses from the pattern Displays uneven audience awareness Uses some disciplinary facts Has some control of diction, sentence structure, and syntactic variety, but may have frequent error in grammar, usage punctuation, or spelling Documents sources using a style appropriate to the discipline, but may have errors. 2 A paper in this category: States purpose (e.g., position or thesis) unclearly Provides inadequate development of thesis Demonstrates inconsistent pattern of organization Displays very little audience awareness Uses disciplinary facts ineffectively Has little control of diction, sentence structure, and syntactic variety, and may have a pattern of errors in grammar, usage, punctuation, or spelling Acknowledges sources but does not document them using a style appropriate to the discipline 1 A paper in this category: Fails to state purpose (e.g., position or thesis) Fails to develop most ideas Lacks a pattern of organization Displays no audience awareness Use few or no disciplinary facts Lakes control of diction, sentence structure, and syntactic variety, with a pattern of errors in grammar, usage, punctuation, or spelling 18

19 Fails to document or acknowledge sources 19

20 Mapping to NSTISSI 4011 Standard C. Security Basics (Awareness Level) Instructional/Behavioral Content a Using the Comprehensive Model of Information Systems Security, introduce a comprehensive model of information systems security that addresses: * The student will list and describe the elements of AIS security. * The student will summarize security disciplines used in protecting government automated information systems. Topic Pg. 8-9 Topic Pg b critical characteristics of information information states, and security measures. * Student will give examples of determinants of critical information. Topic Pg Topical Content a INFOSEC Overview: Chapter 2: The Need for Security * threats Topic 2.2, Chapter 2: Threats Pg * vulnerabilities Topic 2.2, 2.3, 4.9, Chapter 2: Attacks Pg / Chapter1: Information Security and Risk Management Pg

21 * critical information characteristics Chapter 1: Introduction + confidentiality Topic , Chapter 1: Confidentiality Pg integrity Topic , Chapter 1: Integrity Pg availability Topic , Chapter 1: Availability Pg. 10 * information states + transmission Topic , Chapter 1: NSTISSC Security Model Pg storage Topic , Chapter 1: NSTISSC Security Model Pg processing Topic , Chapter 1: NSTISSC Security Model Pg. 13 * security countermeasures + technology Topic Chapter 6 & 7: Security Technology Pg policy, procedures and practices Topic , 5.1,5.3,5.4, Chapter 1: Information Security Policy, Standards, and Practices Pg education, training and awareness Topic , 5.6, Chapter 5: Security Education, Training, and Awareness Program Pg b Operations Security (OPSEC): * OPSEC process Topic 2.4, Chapter 6: Operations Security Pg / OPSEC (Supplemental SM-3) + Supplemental * INFOSEC and OPSEC interdependency Topic 2.4, Chapter 6: Operations Security Pg / OPSEC (Supplemental SM-3) + Supplemental 21

22 * unclassified indicators Topic 2.4, Chapter 6: Operations Security Pg / OPSEC (Supplemental SM-3) * OPSEC surveys/opsec planning Topic 2.4, Chapter 6: Operations Security Pg / OPSEC (Supplemental SM-3) + Supplemental + Supplemental c Information Security: * policy Topic 5.1, Chapter 5: Information Security Policy, Standards, and Practices Pg. 174 * roles and responsibilities Topic 10.2, Chapter 11: Positioning & Staffing the Security Function Pg * application dependent guidance Input Signal Rage Guidance ( SM-20); Design of an intelligent data base for the IFR ( SM-21) Supplemental d INFOSEC * cryptography + strength (e.g., complexity, secrecy, characteristics of the key) + encryption (e.g., point-to-point, network, link) + key management (to include electronic key) Topic 7.2 Chapter 8: Cryptographic algorithims Topic 7.2 Chapter 8: Cryptographic algorithims Topic 7.2 Chapter 8: Cryptographic algorithims * transmission security Topic Chapter 1: NSTISSC Security Model Pg. 14 / Information Assurance Model (Maconachy, Schou, Ragsdale (MSR) Cube)(Supplemental SM-1) + Supplemental * emanations security Topic 12.1, 12.3, TEMPEST Security ( SM-2) Supplemental 22

23 * physical, personnel and administrative security * computer security Topic , Chapter 9: Physical security Pg Chapter 11: Security and Personnel Pg identification and authentication Topic 1.5, 6.2, 6.8, Pfleeger Chapter 2, 3, 5 / Chapter 7: Security Technology Pg. 338 / Information Assurance Model (Maconachy, Schou, Ragsdale (MSR) Cube)(Supplemental SM-1) Pfleger access control Topic 6.2, 6.8, Pfleeger Chapter 2, 3, 5: Security Features of Trusted Operating Systems Pg / Chapter 7: Security Technology Pg audit Topic 6.2, 11.1, Pfleeger Chapter 2, 3, 5: Security Features of Trusted Operating Systems Pg / Chapter 12: Information Security Maintenance Pg object reuse Topic 6.2, Chapter 5: Security Features of Trusted Operating Systems Pg. 270 Pfleeger + Pfleeger + Pfleeger D. NSTISS Basics (Awareness Level) Instructional/Behavioral Content a Describe components (with examples to include: national policy, threats and vulnerabilities, countermeasures, risk management, of organizational units, facets of NSTISS) 23

24 * Outline national NSTISS Policies. Topic 5.1, 5.3, Chapter 5: Information Security Policy, Standards, and Practices Pg / Chapter 1: Security Policy Implementation Pg * Cite examples of threats and vulnerabilities of an AIS. * Give examples of Agency implementation of NSTISS policy, practices and procedures. Topic , 4.9, Chapter 2: Threats and Attacks Pg / Chapter 1: Information Security and Risk Management Pg. 28 Topic , Chapter 5: Information Security Policy, Standards, and Practices Pg / Chapter 1: Security Policy Implementation Topical Content a National Policy and Guidance: * AIS security Topic 5.1, 5.3, Chapter 5: Information Security Policy, Standards, and Practices Pg / Chapter 1: Security Policy Implementation Pg * communications security Topic 5.2, Chapter 3: Telecommunications and Network Security Pg * protection of information Topic , , Chapter 1: NSTISSC Security Model Pg. 13, Chapter 5: Planning for Security Pg / Information Assurance Model (Maconachy, Schou, Ragsdale (MSR) Cube)(Supplemental SM-1) + + * employee accountability for agency information Topic 10.4 chapter 11: Privacy and the security of Personnel Data. Pg b Threats to and Vulnerabilities of Systems: * definition of terms (e.g., threats, vulnerabilities, risk) Topic 1.16 Chapter 1: Information Security Terminology. Pg

25 * major categories of threats (e.g., fraud, Hostile Intelligence Service (HOIS), malicious logic, hackers, environmental and technological hazards, disgruntled employees, careless employees, HUMINT, and monitoring) Topic 2.2 Chapter 2: Threats Pg * threat impact areas Topic 2.2 Chapter 2: Threats Pg c Legal Elements: * fraud, waste and abuse Topic Chapter 3: Legal, Ethical, and Professional Issues Pg * criminal prosecution Topic Chapter 3: Legal, Ethical, and Professional Issues Pg * evidence collection and preservation Topic 3.8, Chapter 9: Legal, Regulations, Compliance, and Inverstigation Pg * investigative authorities Topic Chapter 3: Legal, Ethical, and Professional Issues Pg d Countermeasures: * cover and deception Topic 6.6, Chapter 7: Security Technology Pg * HUMINT Topic 2.7, Chapter 6: Operational Security Pg / HUMINT ( SM-4) * monitoring (e.g., data, line) Topic 6.5, 6.7, 6.8, Chapter 6: Security Technology Pg * technical surveillance countermeasures Topic 6.9, Technical Surveillance Countermeasures ( SM-5) * education, training, and awareness Topic 5.5, Chapter 5: Security Education, Training, and Awareness Pg

26 * assessments (e.g., surveys, inspections) Topic , Chapter 6 & 7: Security Technology Pg , e Concepts of Risk Management: * threat and vulnerability assessment Topic 4.3, 4.9, Chapter 4: Risk Assessment Pg / Chapter 1: Risk Management and Assessment Pg * cost/benefit analysis of controls Topic , Chapter 4: Risk Management Pg * implementation of cost-effective controls * consequences (e.g., corrective action, risk assessment) * monitoring the efficiency and effectiveness of controls (e.g., unauthorized or inadvertent disclosure of information) Topic , Chapter 4: Risk Management Pg Topic , Chapter 4: Risk Management Pg Topic , Chapter 4: Risk Management Pg f Concepts of System Life Cycle Management: * requirements definition (e.g., architecture) Topic ,10.3, Chapter 1: Introduction to Information Security Pg ; Chapter 11: Security and Presonnel Pg / Chapter 11: Understanding Certification and Accredittion Pg ; Chapter 12: Initiation of System Authorization Process Pg * development Topic ,10.3, Chapter 1: Introduction to Information Security Pg , Chapter 11: Security and Presonnel Pg / Chapter 11: Understanding Certification and Accredittion Pg , Chapter 12: Initiation of System Authorization Process Pg

27 * demonstration and validation (testing) Topic ,10.3, Chapter 1: Introduction to Information Security Pg , Chapter 11: Security and Presonnel Pg / Chapter 11: Understanding Certification and Accredittion Pg , Chapter 12: Initiation of System Authorization Process Pg * implementation Topic ,10.3, Chapter 1: Introduction to Information Security Pg ; Chapter 11: Security and Presonnel Pg / Chapter 11: Understanding Certification and Accredittion Pg ; Chapter 12: Initiation of System Authorization Process Pg * security (e.g., certification and accreditation) Topic ,10.3, Chapter 1: Introduction to Information Security Pg ; Chapter 11: Security and Presonnel Pg / Chapter 11: Understanding Certification and Accredittion Pg ; Chapter 12: Initiation of System Authorization Process Pg * operations and maintenance (e.g., configuration management) Topic ,10.3, Chapter 1: Introduction to Information Security Pg ; Chapter 11: Security and Presonnel Pg / Chapter 11: Understanding Certification and Accredittion Pg ; Chapter 12: Initiation of System Authorization Process Pg g Concepts of Trust: 27

28 * policy Topic 6.2, 9.4, Pfleeger Chapter 5: Designing Trusted Operating Systems Pg / Chapter 6: Operations Security Pg / Using Context- and Content-Based Trust Policies on the Semantic Web ( SM-19) Pfleeger + + * mechanism Topic 6.2, 9.4, Pfleeger Chapter 5: Designing Trusted Operating Systems Pg / Chapter 6: Operations Security Pg / Using Context- and Content-Based Trust Policies on the Semantic Web ( SM-19) Pfleeger + + * assurance Topic 2.9, 6.2, 9.5, Chapter 2: Secure Software Development, Pg ; Chapter 5: Security Architecture and Design Pg / Pfleeger Chapter 5: Designing Trusted Operating Systems Pg Pfleeger h Modes of Operation: * dedicated Topic 9.4, Chapter 6: Operations Security Pg * system-high Topic 9.4, Chapter 6: Operations Security Pg * compartmented/partitioned Topic 9.4, Chapter 6: Operations Security Pg * multilevel Topic 9.4, Chapter 6: Operations Security Pg i Roles of Various Organizational Personnel * senior management Topic , 10.8 Chapter 11: Security and Personnel Pg / Chapter 1: Information Classification Roles Pg

29 * program or functional managers Topic , 10.8 Chapter 11: Security and Personnel Pg / Chapter 1: Information Classification Roles Pg * system manager and system staff Topic , 10.8 Chapter 11: Security and Personnel Pg / Chapter 1: Information Classification Roles Pg * telecommunications office and staff Topic , 10.8 Chapter 11: Security and Personnel Pg / Chapter 1: Information Classification Roles Pg * security office Topic , 10.8 Chapter 11: Security and Personnel Pg / Chapter 1: Information Classification Roles Pg * COMSEC custodian Topic , 10.8 Chapter 11: Security and Personnel Pg / Chapter 1: Information Classification Roles Pg * INFOSEC Officer Topic , 10.8 Chapter 11: Security and Personnel Pg / Chapter 1: Information Classification Roles Pg * information resources management staff Topic , 10.8 Chapter 11: Security and Personnel Pg / Chapter 1: Information Classification Roles Pg * audit office Topic , 10.8 Chapter 11: Security and Personnel Pg / Chapter 1: Information Classification Roles Pg

30 * OPSEC managers Topic , 10.8 Chapter 11: Security and Personnel Pg / Chapter 1: Information Classification Roles Pg * end users Topic , 10.8 Chapter 11: Security and Personnel Pg / Chapter 1: Information Classification Roles Pg j Facets of NSTISS: * protection of areas Topic Chapter 9: Physical Security Pg * protection of equipment Topic Chapter 9: Physical Security Pg * protection of passwords Topic 6.8 Chapter 7: Security Technology Pg * protection of files and data Topic Chapter 7: Security Technology Pg * protection against malicious logic Topic 2.9 Chapter 2: The Need For Security Pg * backup of data and files Topic 9.4 Chapter 6: Operation Security Pg * protection of magnetic storage media Topic 2.8 Chapter 6: Operation Security Pg * protection of voice communications Topic 5.2 Chapter 3: Telecommunications and Network Security Pg. 95 * protection of data communications Topic 5.2 Chapter 3: Telecommunications and Network Security Pg. 95 * protection of keying material Topic 7.2 Chapter 8: Cryptography Pg / NASA COMSEC Procedures and Guidelines ( SM-6) + * application of cryptographic systems Topic 7.3 Chapter 8: Cryptography, Pg

31 * transmission security countermeasures (e.g., callsigns, frequency, and pattern forewarning protection) Topic 5.2 Chapter 3: Telecommunications and Network Security Pg * reporting security violations Topic 3.7, 11.3, Chapter 3: Legal and Professional Issues in Information Security ; Chapter 12: Information Security Maintenance Pg E. System Operating Environment (Awareness Level) Instructional/Behavioral Content a Outline Agency specific AIS and telecommunications systems. * Summarize Agency AIS and telecommunications systems in operation. Topic , 5,7, Whtiman Chapter 5: Information Security Policy, Standards, and Practices Pg / Chapter 1: Policies, Standards, Guidelines, and Procedure Pg ; Chapter 3: Telecommunications and Network Security Pg / AIS Security (Policy) ( SM-7, SM-8) + + b Describe Agency "control points" for purchase and maintenance of Agency AIS and telecommunications systems 31

32 * Give examples of current Agency AIS/telecommunications systems and configurations. Topic , 5,7, Whtiman Chapter 5: Information Security Policy, Standards, and Practices Pg / Chapter 1: Policies, Standards, Guidelines, and Procedure Pg ; Chapter 3: Telecommunications and Network Security Pg / AIS Security (Policy) ( SM-7, SM-8) + + c Review Agency AIS and telecommunications security policies * List Agency-level contact points for AIS and telecommunications systems and maintenance. Topic , 5,7, Whtiman Chapter 5: Information Security Policy, Standards, and Practices Pg / Chapter 1: Policies, Standards, Guidelines, and Procedure Pg ; Chapter 3: Telecommunications and Network Security Pg / AIS Security (Policy) ( SM-7, SM-8) + + * Cite appropriate policy and guidance. Topic , 5,7, Whtiman Chapter 5: Information Security Policy, Standards, and Practices Pg / Chapter 1: Policies, Standards, Guidelines, and Procedure Pg ; Chapter 3: Telecommunications and Network Security Pg / AIS Security (Policy) ( SM-7, SM-8) + + Topical Content c Agency Specific Security Policies: 32

33 * guidance Topic , 5,7, Whtiman Chapter 5: Information Security Policy, Standards, and Practices Pg / Chapter 1: Policies, Standards, Guidelines, and Procedure Pg ; Chapter 3: Telecommunications and Network Security Pg / AIS Security (Policy) ( SM-7, SM-8) + + * roles and responsibilities Topic , 5,7, Whtiman Chapter 5: Information Security Policy, Standards, and Practices Pg / Chapter 1: Policies, Standards, Guidelines, and Procedure Pg ; Chapter 3: Telecommunications and Network Security Pg / AIS Security (Policy) ( SM-7, SM-8) + + * points of contact Topic , 5,7, Whtiman Chapter 5: Information Security Policy, Standards, and Practices Pg / Chapter 1: Policies, Standards, Guidelines, and Procedure Pg ; Chapter 3: Telecommunications and Network Security Pg / AIS Security (Policy) ( SM-7, SM-8) + + d Agency specific AIS and telecommunications policies * points of contact Topic , 5,7, Whtiman Chapter 5: Information Security Policy, Standards, and Practices Pg / Chapter 1: Policies, Standards, Guidelines, and Procedure Pg ; Chapter 3: Telecommunications and Network Security Pg / AIS Security (Policy) ( SM-7, SM-8)

34 * references Topic , 5,7, Whtiman Chapter 5: Information Security Policy, Standards, and Practices Pg / Chapter 1: Policies, Standards, Guidelines, and Procedure Pg ; Chapter 3: Telecommunications and Network Security Pg / AIS Security (Policy) ( SM-7, SM-8) + + F. NSTISS Planning and Management (Performance Level) Instructional/Behavioral Content a Discuss practical performance measures employed in designing security measures and programs * Builds a security plan that encompasses NSTISS components in designing protection/security for an instructor-supplied description of an AIS telecommunications system. Topic 5.4, Chapter 5: The Information Security Bluepint, Pg b Introduce generic security planning guidelines/documents Topic , Whtiman Chapter 5: Information Security Policy, Standards, and Practices Pg / Chapter 1: Policies, Standards, Guidelines, and Procedure Pg ; Chapter 3: Telecommunications and Network Security Pg Topical Content 34

35 a Security Planning * directives and procedures for NSTISS policy Topic 1.4, 5.3, Chapter 1: NSTISSC Security Model Pg / Chapter 1: Security Policy Implementation Pg * NSTISS program budget Topic 1.4, 5.3, Chapter 1: NSTISSC Security Model Pg / Chapter 1: Security Policy Implementation Pg * NSTISS program evaluation Topic 1.4, 5.3, Chapter 1: NSTISSC Security Model Pg / Chapter 1: Security Policy Implementation Pg * NSTISS training (content and audience definition) Topic 1.4, 5.3, Chapter 1: NSTISSC Security Model Pg / Chapter 1: Security Policy Implementation Pg b Risk Management * information identification Topic , Chapter 4: Risk Management Pg * roles and responsibilities of all the players in the risk analysis process * risk analysis and/or vulnerability assessment components Topic , Chapter 4: Risk Management Pg Topic , Chapter 4: Risk Management Pg * risk analysis results evaluation Topic , Chapter 4: Risk Management Pg * corrective actions Topic , Chapter 4: Risk Management Pg * acceptance of risk (accreditation) Topic , Chapter 4: Risk Management Pg c Systems Life Cycle Management 35

36 * management control process (ensure that appropriate administrative, physical,and technical safeguards are incorporated into all new applications and into significant modifications to existing applications) Topic 1.1, 9.4, Chapter 1: Introduction to Information Security Pg / Chapter 6: Operations Security Pg * evaluation of sensitivity of the application based upon risk analysis - determination of security specifications * design review and systems test performance (ensure required safeguards are operationally adequate) * systems certification and accreditation process Topic 1.11, , Chapter 1: Introduction to Information Security Pg ; Chapter 4: Risk Management Pg Topic 1.11, Chapter 1: Introduction to Information Security Pg Topic 1.12, Chapter 11: Understanding Ceertification and Accrediation Pg ; Chapter 12: Initiation of the System Authorization Process Pg * acquisition Topic 1.11, 11.4, Chapter 1: Introduction to Information Security Pg ; Chapter 12: Information Security Maintenance Pg. 550 d Contingency Planning/Disaster Recovery * contingency plan components Topic 5.6, Chapter 5: Planning for Security, Pg. 210 * agency response procedures and continuity of operations * team member responsibilities in responding to an emergency situation * guidelines for determining critical and essential workload Topic 5.6 Chapter 5: Planning for Security, Pg Topic 5.6 Chapter 5: Planning for Security, Pg Topic 5.4, 5.6, Chapter 5: Planning for Security, Pg , * determination of backup Topic 5.6 Chapter 5: Planning for Security, Pg. 36

37 requirements * development of procedures for offsite processing * development of plans for recovery actions after a disruptive event Topic 5.6 Chapter 5: Planning for Security, Pg Topic 5.6 Chapter 5: Planning for Security, Pg * emergency destruction procedures Topic 5.8, Security Standard Operating Procedure No.4 ( SM-9) G. NSTISS Policies and Procedures (Performance Level) Instructional/Behavioral Content a List and describe: specific technological, policy, and educational solutions for NSTISS. * Playing the role of either a system penetrator or system protector, the student will discover points of exploitation and apply appropriate and countermeasures in an instructor-supplied description of an Agency AIS/telecommunications system. Topic , Chapter 5: Planning for Security Pg / Chapters 3: Telecommunications and Network Security Pg b List and describe: elements of vulnerability threat that exist in an AIS/ telecommunications system corresponding protection measures. Topic , 5.2, Chapter 2: The Need for Security Pg / Chapters 3: Telecommunication and Network Security Pg

38 Topical Content a Physical Security Measures: * building construction Topic chapter 9: Physical Security Pg * alarms Topic chapter 9: Physical Security Pg * information systems centers Topic chapter 9: Physical Security Pg * communications centers Topic chapter 9: Physical Security Pg * shielding Topic chapter 9: Physical Security Pg * cabling Topic chapter 9: Physical Security Pg * filtered power Topic chapter 9: Physical Security Pg * physical access control systems (key cards, locks and alarms) * stand-alone systems and peripherals * environmental controls (humidity and air conditioning) Topic chapter 9: Physical Security Pg Topic chapter 9: Physical Security Pg Topic chapter 9: Physical Security Pg * fire safety controls Topic chapter 9: Physical Security Pg * storage area controls Topic chapter 9: Physical Security Pg * power controls (regulator, uninterrupted power service (UPS), and emergency poweroff switch) Topic chapter 9: Physical Security Pg

39 * protected distributed systems Topic chapter 9: Physical Security Pg b Personnel Security Practices and Procedures: * position sensitivity Topic 10.4, 10.9, Chapter 11: Security and Personnel, Pg / Personnel Security Standard (Supplemental Materials SM-10, SM- 11, SM-12) * employee clearances Topic 10.4, 10.9, Chapter 11: Security and Personnel, Pg / Personnel Security Standard (Supplemental Materials SM-10, SM- 11, SM-12) + + * access authorization/verification (need-to-know) * security training and awareness (initial and refresher) * systems maintenance personnel - contractors Topic 5.5, 10.6, 10.9, Chapter 5, Planning for Security Pg / Chapter 1: Information Security and Risk Management Pg / Personnel Security Standard (Supplemental Materials SM-10, SM- 11, SM-12) Topic 5.5, 10.6, 10.9, Chapter 5, Planning for Security Pg / Chapter 1: Information Security and Risk Management Pg / Personnel Security Standard (Supplemental Materials SM-10, SM- 11, SM-12) Topic 10.2, 10.9, Chapter 11: Security and Personnel Pg / Personnel Security Standard (Supplemental Materials SM-10, SM- 11, SM-12) c Software Security: * configuration management Topic 1.10, 5.4, 9.4, 11.1, Chapter 1: The System Development Life Cycle Pg ; Chapter 5: The Information Security Blueprint Pg ; Chapter 12: Managing for Change Pg. 514 / Chapter 6: Operations Security Pg