Idea: Audit (mechanisms, automated tools, tools, events, trails and logins)
Idea: Assessments (e.g., Surveys, Inspections)
Idea: Physical Security
Idea: Access Control Models
Idea: System Security Test and Evaluation
Idea: Auditing Tools
Idea: Automated Security Tools
Idea: Connectivity (call back security, cabling, dial-up security, networks and security, Internet security, modems, Firewalls, encryption, etc.)
Idea: Contingency Plan Testing
Idea: Countermeasures
Idea: Integrity, Confidentiality, and Availability (IC&A)
Idea: Object Reuse
Idea: Intrusion Detection and Deterrence
Idea: Internal Controls And Security
Idea: Intrusion Deterrents
Idea: Network Firewalls
Idea: Network Security
Idea: Operating Systems
Idea: Password Management
Idea: Platform-Specific Security
Idea: Software Security
Evaluate
Idea: Client/Server Security (Note: consider changing Idea to Distributed System Processing)
Idea: Common Carrier Security
Idea: Communications Center Security
Idea: Classified Materials Handling And Shipping
Idea: Access Privileges
Idea: Disaster Recovery
Idea: Countermeasures
Idea: Audit Trails And Logging
Idea: Documentation Policies
Idea: Emergency Destruction
Idea: Environmental Controls
Idea: Facility Management
Idea: Incident Response
Idea: Human Threats
Idea: Evaluation Techniques (Evaluation)
Idea: Intrusion Deterrents
Idea: Logs And Journals
Idea: Maintenance Of Configuration Documentation
Idea: Marking Of Media
Idea: Maintenance Procedures - Contract Employee
Idea: Password Management
Idea: Maintenance Procedures - Local Employee
Certification Planning
Idea: Access Control Policies
Idea: Audit Trails And Logging Policies
Idea: Certification
Idea: Disaster Recovery Planning
Idea: Documentation Policies
Idea: Continuity Planning
Idea: Separation Of Duties
Idea: Guidelines
Report
Idea: Approval To Operate
Idea: Corrective Actions
Idea: Documentation
Idea: Maintenance Of Configuration Documentation
Direct / Build a Team
Idea: Team Building
Idea: Delegation Of Authority
TASK: (BRAIN STORM) UNKNOWN GOD
Initial Question / Instructions
Folder List
Unknown God
TASK: (BRAIN STORM) (CAPTURE DATA - DELETE ME)
Initial Question / Instructions
Folder List
Report
Evaluation
Testing
Certification planning
Build/Direct a team
Unknown God
TASK: (BRAIN STORM) IDEAS NOT ALLOCATED (WAGON #1)
Initial Question / Instructions
Folder List
Important (but not relevant to System Certifier)
Ideas Not Allocated
Belongs in core
TASK: (BRAIN STORM) UNKNOWN GOD (PASS 2)
TASK: (DISCUSS) FINAL COMMENTS AND SUGGESTIONS
Initial Question / Instructions
Folder List
Suggestions for modifying the software?
Suggestions for future sessions?
Did the session meet your expectations?
APPENDIX 2
Applying This Technique To Your Organization
End User
Systems Administrator
Information Systems Security Professionals
Senior Management
Systems Certifier
Acknowledgments
Introduction
DACUM VI
How Do You Know You Are Doing The Right Thing: Your Certifier Will Tell You. Is The Certifier Trained?
Not only do we need an educated workforce to be able to perform jobs, but we need an educated workforce that wants to know (and is) interested in essentially expanding its own knowledge.
Keeping the US Computer Industry Competitive: Defining the Agenda 2
Abstract
Awareness, Training and Education (AT&E) are cost-effective methods of improving organizational information security. In times of ever-contracting budgets, it is difficult to persuade management to spend money on security and training activities that have no direct impact on the organizational bottom line. This paper describes the process used to aid in the systematic development of training to serve as the first line of defense in information security. In addition, it describes how these materials apply to your organization's long-range plans.
Introduction
As part of the DACUM V project, we examined The 'rightsizing' and 'downsizing' of the Department of Defense has placed an increasingly heavy emphasis on organizational quality. One of the basic precepts of organizational quality is 'Do the Right Job - Right'. To do this, the right job must be identified and the process to do it the right way must be identified.
In the area of information systems security this identification has been difficult since there has been little consensus about either the job or the process. This lack of consensus is attributable to a fundamental conflict - information systems security is frequently viewed as antithetical to the primary function of information systems. The senior security official (DAA) of an organization must balance his obligation to make information available to all authorized users - while maintaining confidentiality, integrity and trust during transmission, storage and processing. Organizations want ubiquitous and unobtrusive information security measures. The information systems security professional must have some way of meeting the objective while not creating a closed system. His security measures have been categorized as policy and practice, technical measures and education and training.3 His or her first and perhaps the least expensive way of meeting the organizational objective is awareness, education and training.
All individuals responsible for information systems are being pressed to improve security while reducing costs. The responsibility for this task is spread throughout the information systems hierarchy. For example, at the top, the DAA is responsible for long-range planning and implementation of organizational information systems. His roles, relative to information systems security, range from establishing security policy and evaluating mission impact to justifying, defending and providing resources for information security.
At the next level of the managerial hierarchy is the IRM (Information Resources Manager) who is the individual responsible for all operational aspects of information processing, from transaction processing and data entry to the Executive Information System. He/she translates policy into operational needs, recommends security safeguards and dispenses resources for the information systems security professional. In addition, he/she is responsible for securing and controlling the information resource itself. The information systems security professional, in cooperation with the accounting staff and the IRM activity, plays a critical role in the security of the organization's information assets from threats like these:
An electrical failure knocked out computers supporting the over-the-counter stock market here two weeks ago and brought trading to a virtual standstill for 1 1/2 hours.
Network World, Dec. 21, 1987 p. 15
During the Persian Gulf War, a British Royal Air Force officer left a notebook computer in his automobile as he went shopping. The notebook was stolen, along with the data in it, including a copy of preliminary Allied invasion plans.
Datamation, March 15, 1992, p. 434.
In addition to these defined managerial roles are individuals described as functional managers or systems administrators. The systems administrator is responsible for all systems operations for a single system or network. Both the managers and systems administrators rely on information systems security specialists (ISSO).
The Increasing Scope of the Problem
The information systems security problems facing organizations are constantly increasing in both scope and complexity. For example, as American business and its industrial base enter international markets more frequently, new opportunities will arise. Mitchell5, as quoted in Computers At Risk6, predicts:
Through open systems interconnection (OSI), businesses will rely on computer networks as much as they depend on the global telecom network. Enterprise networks will meet an emerging need: they will allow any single computer in any part of the world to be as accessible to users on any telephone. OSI networking capabilities will give every networked computer a unique and easily accessible address. Individual computer networks will join into a single cohesive system in much the same way as independent telecom networks join to form one global service.
These opportunities also represent new threats and problems for management. Although Mitchell discusses the future, our increasingly high dependence on networks and interconnected systems has already begun.
It is critical that information systems security professionals and their colleagues in accounting convey, through the IRM activity, the importance of information resources security to all employees and other individuals with access to organizational information resources. The entire information systems staff must be involved in the creation of a new organizational paradigm for information resources security; it must not be just a set of rules and procedures; it must become an integrated component of the corporate culture.
Making Information Security Part Of The Organizational Culture
To be effective, information security must become part of the organizational culture. In addition, it must be developed by using some structured model that allows management to make sound decisions based on complete information. Practitioners in almost any area frequently believe that the view of their profession from the academic white tower is clouded at best and that the government provides more interference than help. Recent cooperative activity may change some of those perceptions. Over seventy-five individuals from government, industry and academia have worked directly with a process called DACUM (Design A Curriculum) to assist all information security professionals by developing effective and efficient methods for improving the information security of all organizations.
The first step in developing a structured model was establishing a working definition of the elements of the problem. The DACUM groups used the ETCORP7 process first to create a structure for analysis and then to complete the details. The DACUM activities have provided:
• a point of departure for organizations needing to improve their information security;
• a recognized philosophical framework for operations;
• a potential arbiter of bureaucratic lines of control; and
• a tool for planning awareness, training and education activities appropriate for differing levels of learning.
Further, a structured model helps managers differentiate between security awareness, training and education programs early in the campaign for excellence in security behaviors. To aid management in acting on AT&E recommendations, the DACUM groups have applied an extension known as Instructional Systems Design (ISD). This technique, used throughout government and industry, is an iterative analysis, design, implementation and quality-control process that has proven cost-effective for transferring knowledge and skills.
DACUM I-Establishing The Basics
DACUM sessions have resulted in a new, structured way of looking at the first line of defense. The participants cited information systems and the security associated with them as a "core competency" in business, industry and government restructuring. They accepted the Prahalad and Hamel8 reference to corporate core competencies as the "Roots of Competitiveness". Once it was agreed upon that information systems security was a core competency, it was important to develop a model for transferring knowledge about the contents of this core competency. The group defined three components: awareness, training and education (AT&E).
Awareness
Awareness is at the lowest level of the AT&E solution to information security. It is designed to impact short-term memory. It is composed of stimulation, focus, attention, decision and assimilation. A successful AT&E program will begin by meeting these five requirements.
Training
A distinction between awareness and training is that in the former, a learner is a passive recipient of information - while in the latter, a learner has a more active role in the learning process.
A primary role of awareness programs is to motivate the audience to move into a training mode and actively seek more knowledge. A fundamental goal of training programs is to motivate learners to move knowledge and skills from short-term memory into long-term memory. If training has been complete, these knowledges and skills become chained sequences of behavior that require very little higher-level mental processing. This chaining makes behaviors automatic, predictable and reliable.
In organizations where these functions are not part of the information systems security function, collaboration between the corporate providers of training and the corporate planners of information systems security awareness is essential to developing and delivering quality learning experiences.
Education
In an education context the employee would be encouraged to examine and evaluate not only skills and methods of work, but the fundamental operating principles and tenets upon which job skills are based. The employee is using internalized concepts and skills to perform operations such as analysis, evaluation and judgment. This allows him/her to reach higher cognitive-level decisions that lead to the accommodation of newly integrated knowledge and skill.
The figure below shows an example of computer security content that is based on the learning continuum principle. Implicit in the example is the dynamic interrelation and interdependence between and among awareness, training and education activities.
Goal: Facilitate the increased use of password protection among employees.
Awareness Activities: Reminder stickers for keyboards
Training Activity: Computer Based Instruction on the use of passwords for agency-specific machines
Educational Activity: A recognized COMPUSEC expert provides employees an opportunity to explore why passwords are used in general and evaluate the current agency protection techniques.
Figure One
A true computer security learning program incorporates concepts and elements from each level and presents the employee/learner with a totally integrated succession of experiences.9
DACUM II-Creation of New AT&E Matrix
During phase two, the DACUM group developed a series of awareness materials and began expanding the AT&E model. After the team had identified the areas that needed change, they developed a new approach that combined the best of the various computer security AT&E models.
At the training level the team then decided to create a matrix of categories based on functions rather than job descriptions. These categories were:
Manage; Acquire; Design and Implement; Operate; Use
The team realized that others may define new categories; therefore, they created a category called Other10 to provide extensibility.
To provide for the transition from Awareness to Training, the DACUM team decided to prescribe a common knowledge base that would be expected for each of the functional categories. This grouping of knowledge has been called Literacy and Information Systems Security Basics (LISSB) course. This approach facilitates the development of a common course (above the Awareness level) with much of the material drawn from the 'Green Book'11. If an employee were to have had this LISSB course, he/she could be expected to enter any of the appropriate functional courses at the next higher level.
The DACUM II participants identified the need to develop a common nomenclature and structure to resolve the differences among the various 'common bodies of knowledge'.
DACUM III-A Unified Taxonomy12 for Information Systems Security Professionals
DACUM III compiled, distilled and enhanced existing attempts by a variety of organizations to define a Common Body of Knowledge (CBK) for information systems security practitioners and professionals. The participants then defined a taxonomic structure for the contents of the CBK. After the CBK elements were placed in this taxonomy, appropriate knowledge, skills and abilities (KSAs)13 were associated with each of the CBK elements. Finally, verbs from Bloom's14 hierarchy were assigned to each KSA. This step allows for behavioral objectives to be written.
Generally, a common body of knowledge represents a relatively stable body of knowledge encompassing the axioms, lore and methods of the trade. As implemented, a CBK represents that body of knowledge that is integral to the manner in which an information security professional performs his/her job.
The CBK outlined in this report condensed over 1100 individual items into a listing of 385 behavioral descriptions. To do this the DACUM group had to establish a taxonomy. Those descriptions are partitioned into two major taxonomic categories:
• Things You Need To Know; and
• Things You Need To Do.
The resulting Unified Taxonomy can be used as a reference point by both curriculum developers and authors. This taxonomy codifies, for the moment, those knowledges, skills and abilities (KSA) which define the core information for all practitioners, regardless of individual areas of expertise. The Unified Taxonomy also serves as a guide to job classification, career development and professionalization activities.
The Unified Taxonomy was developed as a continuation of work done to update NIST Special Publication No. 500-172 {Computer Security Training Guidelines (CSTG)}. In that July 1993 initiative professionals identified:
• The need for a Unified Taxonomy; and
• The existence of several taxonomies which had been developed by government, industry and academia.
Using a model developed for the Center for Information Systems Security, information systems security topic areas were divided into "Encyclopedic Knowledge" and "Process Knowledge" - where Encyclopedic Knowledge describes facts, technologies and principles; and Process Knowledge describes how encyclopedic knowledge is used.
Figure 2: CISS Model
Building on this conceptual framework, the group developed a model that is able to account for all of the behavioral descriptions. The two major categories are subdivided into six partitions as follows:
THINGS YOU NEED TO KNOW:
- Laws and Regulations
- Fundamental Security Elements
- Technology-Oriented Security Elements
- Organization-Specific Security Elements

THINGS YOU NEED TO DO:
- Designing and Engineering AIS to be Secure
- Using and Operating AIS Securely
Figure 3: Unified Taxonomy Model
Figure 4 depicts the relationship of the AT&E elements defined by DACUM III.
Figure 4: DACUM III Model
Once the taxonomy was developed, the next step was to assign elements from the unified CBK to the categories. This effort results in identifying KSA groups required of an information systems security professional. The resulting Unified Taxonomy would then be ready for:
• adding specific data/points of information
• use by:
  - Job analysts
  - Educators
  - Authors
The steps used to produce this document were:
• Agree upon common Knowledges, Skills and Abilities (KSAs), based on research into the existing CBKs and the professional knowledge of the participants;
• Agree on a taxonomic model;
• Identify appropriate verbs for the agreed-upon KSAs;
NOTE: This step equates to a Desk Audit-type Job Task Analysis.
• Group the behavioral statements into an agreed-upon taxonomic model; and
• Categorize the behavioral statements into an educational-industry standard taxonomy of learning. The learning hierarchy of that model is divided into three domains: Cognitive, Psychomotor and Affective. Each domain is further separated into levels of operation/complexity. There are commonly accepted verbs that have been associated with each of these domains.
A by-product of this DACUM is the verification of a hypothesis that topics are not associated with only one area or category of thinking or behaving. Thus, the treatment of topics such as "threat" may realistically be expected to be covered in discussions in several areas (e.g., Organization-Specific Security Elements and Designing and Engineering AIS).
After employees have been made aware of their security responsibilities, they should take part in the second-level Literacy and INFOSEC Basics courses. This course or courses could be developed as an agency-independent training element, thus representing significant savings to organizations collaborating in the effort.
The third component of the DACUM III model is Function Specific training. It is intended to be specific to agency needs.
The final component of the model is for security experts. This is more of an education element rather than a training or awareness activity. Both here and in the function-specific training, one would be expected to demonstrate performance and knowledge. It is expected that future work will be done to establish the knowledge and performance criteria in each category.
The DACUM model was designed to be extensible by adding functional categories in the 'Other Areas' of the function-specific training. The authors and FISSEA expect suggestions for additions to this area and suggestions for further refinement of the literacy and information systems security training-content areas.
DACUM IV & V-Moving from Theory to Instructional Materials
During the second week of April 1994, another DACUM group convened to establish the specific AT&E materials for information systems professionals within the Department of Defense. The DACUM IV group was composed of information security subject matter experts, managers and educators. The DACUM project is part of a systems approach to defining information security education and training requirements and the design of curricula based on that analysis. The KSA analysis was predicated on the Center for Information Systems Security (CISS) observation that there are two fundamental types of personnel requiring in-depth information systems security education and training:
• Operational information security professionals; and
• Technical information security professionals.
The DACUM group focused on the first category as the first phase in a program designed to build a unified information security curriculum throughout the Department of Defense.
To accomplish this task, the DACUM group used the ETCORP process to reach consensus about the critical competencies for the Manager, Information Systems Security Officer and the Systems Administrator. They used the Unified taxonomy developed during DACUM III, the CISS Information Security Vision and the NSA National Information Security Strategy document. In the case of the Systems Administrator, they developed a detailed set of competencies. The following example provides insight into the process of moving from a specific competency to its related instructional material. For the sake of simplicity, we have selected one of the more obvious competencies and its related instructional material. The first step is to identify the critical competency.
• The Systems Administrator will work closely with the Information Systems Security Officer to ensure that the Automated Information System (AIS) or Network is used securely.
Using the PARADIGM software, the participants assigned terminal objectives to each defined critical competency. The breakdown on this element might look like:
• The Systems Administrator will work closely with the Information Systems Security Officer to ensure that the Automated Information System (AIS) or Network is used securely
  - Access Control Models
  - Access Control Policy
  - ...
Once this step was completed, the participants were given access to the verbs that were associated with the tasks, for example:
• The Systems Administrator will work closely with the Information Systems Security Officer to ensure that the Automated Information System (AIS) or Network is used securely
Upon the completion of this step, the DACUM group had already exceeded the expectations of the sponsors.
The instructional designers in the group then began to create detailed instructional categories that grouped the core competencies. Sample categories might be administrative, audit and operations. Therefore, audit might contain the following competencies - accountability, alarms, assurance, audit tools and so on.
Using the verb hierarchy established by Bloom, we were able to further classify instruction into the introductory, intermediate or advanced level. The final instructional design resulted in the following example for policy and procedures for the Systems Administrator:
• Policy and Procedure
  - Explain the purpose of a system audit
  - State logging policies
  - Reproduce documentation required in the event of a detected intrusion into the system
  - Explain electronic records management policy for monitoring notification
  - Describe the need for separation of duties
  - ...
From this detailed breakdown, an instructional designer should be able to prepare instructional material to meet the organization's objective.
DACUM VI-How Do You Know What You Have?
During DACUM VI the assembled experts worked on the training for the Systems Certifier. Initially there was confusion about the role of the Systems Certifier and DAA. As the logs show, there was quite a demand to redefine the relationship of the DAA and SA.
The Certifier was defined by the group as:
A member of a team that performs the comprehensive assessment of the technical and non-technical security features and other safeguards of an Information System, in its final configuration, made in support of the accreditation process. The certifier identifies the assurance levels achieved in meeting all applicable security policies, standards and requirements upon which the DAA makes the determination as to whether or not an Information System can/is operating within the bounds of acceptable risk.
Not only does this document define the Knowledges, Skills and Abilities needed by individuals performing the SA task, but it defines the actual instruction at the introductory, intermediate and advanced levels.
Task: (Sign In) eDACUM 65
Creation Date: Monday, June 19, 1995 10:07 AM
Print Date: June 23, 1995
Initial Question / Instructions
Please Identify yourself for the record.
Folder List
Anthony L. Pentino
Carl Cecere
Christopher Bythewood
Dennis C. Capron
Hal Tipton
John Crane
John D. Tressler
Joseph T. Lisi, Jr.
Leland (Lee) Horton
Leslie Paolucci
Lewis, Geoffrey W.
Rodney L. Stalker
Scott A. Ruthe
Stephan L. Ball
Terry Crawford
Timothy J. Mucklow
Vic Maconachy
Task: (Brain Storm) eDACUM VI expectations
Creation Date: Monday, June 19, 1995 10:10 AM
Print Date: June 23, 1995
Initial Question / Instructions
What are your expectations for eDACUM VI?
Folder List
accreditation issues
items that have accreditation implications; things which the DAA must be aware of and on which decision must be made
Certifier Awareness Module
Certifier Background Requirements
Professional Development
Duty categories of a Certifier
Certification test
the activities that a certifier
Policy
identity of the underlying policies (to include rules, regulations, laws, etc.) with which the certifier must be aware
Community-wide Standards
Definitions of a System Certifier
Training Standards
Ideas Not Allocated
Contains ideas that were not added to any other folder.
After hours activities
accreditation issues
Be able to gain accreditation from DAA
Define relationship between Certifier and DAA
Certifier Awareness Module
Identify Awareness models
Who needs to be aware of certification requirements and processes and to what degree and who will they be informed
develop awareness module on certification
this would be an expansion of what a certifier does in very simple language for the user, the DAA, the SA, the ISSO and lastly for the incoming Certifier.
Certifier Background Requirements
Identify skill requirements
Skill - Doing vs. knowing
Identify knowledge requirements
Creator Declined Definition Request.
Define background for certifier
What kind of background experience is required before being selected to train in this area.
What are the ed. req. for certifier
Professional Development
Outline a certifier career path education requirement
What educational development will a certifier be required to achieve before being certified as a professional.
Duty categories of a Certifier
Identify skill requirements
Skill - Doing vs. knowing
Specify the duties of a System Certifier
define certifier responsibility to end user
certification test
policy
when is certification not required
Define who controls certifications
What agency/group of individuals will be the "Certifier of the certifier?"
Community-wide Standards
Develop standards for national Instructions
Ensure community-wide consensus on tasks
Establish a Joint Certification Process
If we establish the "who" of the Cert. activity it may be beneficial in this forum to define or establish the "how" of the certification activity.
Definitions of a System Certifier
Define what is meant by certification
Among different organizations certification refers to different types of processes. We need to have a standardized definition before we can develop training standards.
Defined System Certifier
Individual who can develop a certifications package that will pass muster of the DAA
Define the responsibilities of certifier
define certifier responsibility to end user
expand the definition and the duties of
expand the definition and duties of the certification authority and the Certification test director
Training Standards
identify knowledge requirements
Creator Declined Definition Request.
Training standards for Certifier
Create baseline training standards
Develop baseline educational standards
produce system certifier min. training std
Develop minimum Training Levels
Develop standards for national Instructions
develop training standards
Develop a detail curriculum
Learn how to develop a curriculum
Creator Declined Definition Request.
That's why we are sitting here.
Provide curriculum developers with
Baseline architecture
Cross ref. KSAs to training course req.
Creator Declined Definition Request.
Bridge the gap of current training standards and the need for effective and applicable training standards.
Ideas Not Allocated
meet stated management objective!!!
read the handout (eDACUM VI Day 1, initial exercises) which includes the two objectives
Identify performance standards
update draft INFOSEC "dictionary/glossary"
clarity of view
clear distinction of certification functions from those of related activities such as accreditation, evaluation, assessment, etc.
Receive input from relevant experience
define certifier responsibility to DAA
identify security planning req.
Creator Declined Definition Request.
Identify purposes for Certification
Rubbish!! The point is to accomplish the task not develop theory
Course clarification and guidance
Provide meaningful clarification and guidance to the issues that are being addressed in the development of INFOSEC courses.
participants understand ST&E
Security Test and Evaluation, that which the Certifier performs on a system, component or network, on behalf of the DAA to determine the security risk
Differentiate between E, T & A requirements
Often "awareness" is confused with "training", especially in terms of depth of learning objectives. "Education", too, has distinct learning objectives.
Justifying the need for Certifier
Is the role of the certifier unique enough to be justified?
discuss the DITSCAP
DOD Information Technology Security Certification & Accreditation Process
comprehensive consensus among participants
Shared agreement on the different perspectives of group
Deliver a product to the services & government
define levels/categories of certification
Understand reasons for KSAs
After hours activities
To eat Idaho Trout
You can't get good fish back home
To stay very focused on the task at hand
Simply to avoid any distractions from the effort to nail down a training standard for system certifier. Not lose perspective from our stated objectives.
Enhance ISU DACUM process(es)/program(s)
User input can/will assist ISU folks in "tuning" this entire process. They are very responsive to suggestions and/or criticism.
Not relevant to question
Task: (Brain Storm) Define system certifier
Creation Date: Monday, June 19, 1995 10:50 AM
Print Date: June 23, 1995
Initial Question / Instructions
Define a system certifier.
(DEFINE ALL IDEAS - WITH SOURCE IF APPLICABLE)
Folder List
Certification V. Accreditation
Certifier Actions
DAA Support
Definition
Maintaining Accreditation
Risk
Role In Risk Management
All duties associated with supporting DAA in the accreditation of a system
Certifier's Authorities
Technical Review Process
Duties
the duties of a certifier
Accreditation Decision
Certifier's Functions
Certifier's Responsibilities
Definition Of Certification
Documentation
System Requirements
System Security Features
Ideas Not Allocated
Contains ideas that were not added to any other folder.
System Certifier
Role in Risk Management
Definition
Certification Agent
One who acts on behalf of the Cert. Authority to assess and recommend the state of the "system" is meeting identified security requirements.
Certification v. Accreditation
Maintaining Accreditation
certifier actions
Responsible for Developing Certification Package
Person who develops certification packages for accreditation and who maintains the integrity of package as system/net matures
Responsible for evaluating a (cont'd)
system's security posture in its operational environment.
One who evaluates system's risks
risk
DAA Support
Supports Accreditation Decision
Takes into account unique systems requirements
A complete AIS certification must consider factors dealing with the AIS in its unique environment. Support DAA with accreditation package AFI 33-202
technical review process
Technical review process
The process of review and verification of documentation accuracy as it relates to security functionality.
Certifier's Authorities
Certification Authority
One who "signs off" on the Cert. Statement. Typically, a PM who is responsible for delivering a system, application, or product.
duties
Responsible for evaluating a (cont'd)
system's security posture in its operational environment.
The person responsible for (cont'd)
evaluating the security posture (profile) of a system.
system requirements
Certifier's functions
Evaluation of AIS security features
Responsible for Developing Certification Package
Person who develops certification packages for accreditation and who maintains the integrity of package as system/net matures
Documentation reviewer & verifier
A person or organization who verifies that hardware operates as specified in the architectural design documentation.
Person who follows a checklist of CERTS
person who verifies the system follows technical expectations for operation as it applies to a trusted system
Certification Agent
One who acts on behalf of the Cert. Authority to assess and recommend the state of the "system" is meeting identified security requirements.
Responsible for evaluating the (cont'd)
operational environment and determine security required to meet the risks associated w/ that environment
accreditation decision
Certifier's responsibilities
Evaluation of AIS security features
Responsible for Developing Certification Package
Person who develops certification packages for accreditation and who maintains the integrity of package as system/net matures
Definition of Certification
Comprehensive technical review of an AIS
This is my definition of 'certification.' AIS stands for Automated Information System (includes network, standalone system, etc.).
The Technical Review must provide assurance that security controls protect the information contained in the system
Accountable, knowledgeable, system reviewer
who focuses on security policy and procedures
system security features
Documentation
Ideas Not Allocated
Independent reviewer of system's security
A Technical Authority who provides(cont)
assurance to the DAA that a tested/evaluated systems incorporates security controls and countermeasures to protect the information processed/stored/ t
To the end user, a system certifier
provides a turn-key system which requires only that the end-user follows well defined procedures which insures that information processed is protected
system documentation
System Certifier
system certifier
One who tests the assurance levels of a system sufficient to certify that it meets the requirements necessary for accreditation.
System Certifier
One who decides if a given system meets all the standards for which it was designed.
system certifier
the person or office that reviews the security policy with the system, points out the differences and what is met
System Certifier
One who evaluates AIS to ensure that it does exactly what it is supposed to do, and
One who evaluates AIS to ensure that it does exactly what it is supposed to do, and nothing more.
the individual or organizational response for the comprehensive evaluation of the technical and non technical security features of an IT and other safeguards
CONT: made in support of the accreditation process to establish the extent to which a particular design and implementation meet a set of specified sec requirements
System Certifier
evaluates the tech./non technical security features of an AIS to establish the extent to which a particular design and implementation meets a set of sec. req.
source is DOD DITSCAP
DEF CONT: test
system certifier overview
Comprehensive evaluation of technical & non
non-tech security features of an AIS & other safeguards to establish the extent to which a particular design & implementation meets sec. requirements
system Certifier (DOD)
the individual or organization responsible for the comprehensive evaluation of the technical and non technical security features of an IT and other
system certification cont. safeguards made in support of the accredit process to establish the extent to which a particular design and implement meet a set of spec sec
Task: (Rank Order) First cut of SC definition.
Creation Date: Monday, June 19, 1995 11:34 AM
Print Date: June 23, 1995
Initial Question / Instructions
Read the ideas with definitions, rank the folders from most important to least. This is to obtain a first cut.... We will edit and complete later.
Criteria List
Rank Order Vote
Folder List
Certifier Actions
Certifier's Authorities
Certifier's Functions
Certifier's Responsibilities
DAA Support
Definition
Definition Of Certification
Duties
System Certifier
Technical Review Process
Voting Statistics - Rank Order Vote

Folders                      AVG    STD    SUM
System Certifier             1.31   .68    155
Certifier's Function         3.31   1.35   123
Certifier's Responsibility   5.18   2.29   93
Certifier Actions            6      2.15   80
Certifier's Authority        6.06   2.43   79
Duties                       6.06   1.78   79
Definition                   6.5    3.08   72
DAA Support                  6.68   2.93   69
Technical Review Pro         6.87   1.89   66
Definition Of Certification  7      3.1    64
Vote Totals - Rank Order Vote

                             Rank / Weight
Folders                      1    2    3    4    5    6    7    8    9    10
System Certifier             13   1    2    0    0    0    0    0    0    0
Certifier's Function         0    7    2    3    3    1    0    0    0    0
Certifier's Responsibility   0    3    1    2    4    1    2    2    0    1
Certifier Actions            0    0    2    3    4    0    1    3    3    0
Certifier's Authority        1    0    3    0    1    4    2    1    4    0
Duties                       0    0    2    2    1    4    3    3    1    0
Definition                   0    1    2    4    1    1    0    0    1    6
DAA Support                  1    2    0    2    0    0    1    5    3    2
Technical Review Pro         0    0    2    0    0    3    7    1    1    2
Definition Of Certification  1    2    0    0    2    2    0    1    3    5
Task: (ST) System Certifier Definition
Creation Date: Monday, June 19, 1995 12:16 PM
Print Date: June 23, 1995
Initial Question / Instructions
Edit the following statement and submit a new version or edit instructions back to the operator.
Folder List
Revision: 10
Revision: 9
Revision: 8
Revision: 7
Revision: 6
Revision: 5
Revision: 4
Revision: 3
Revision: 2
Revision: 1
Revision: 10
SYSTEM CERTIFIER -
A member of a team that performs the comprehensive assessment of the technical and non-technical security features and other safeguards of an Information System, in its final configuration, made in support of the accreditation process. The certifier identifies the assurance levels achieved in meeting all applicable security policies, standards and requirements upon which the DAA makes the determination as to whether or not an Information System can/is operating within the bounds of acceptable risk.
3. ...can operate/is operating
4. A person or team that performs a comprehensive assessment of technical and non technical security measures of an information system.
Revision: 9
SYSTEM CERTIFIER -
A member of a team that performs the comprehensive assessment of the technical and non-technical security features of an Information System, in its final configuration, and other safeguards made in support of the accreditation process. The certifier identifies the assurance levels achieved in meeting all applicable security policies, standards and requirements upon which the DAA makes the determination as to whether or not an Information System can/is operating within the bounds of acceptable risk.
3. I believe this answers the question.
4. The certifier also......
5. Go with this!
6. after move and other safeguards
7. good suggestion
8. Abstain
9. PULL OUT "THE" IN SECOND LINE
10. CONSIDER RESTRUCTURING AND SIMPLIFYING DEFINITION.
11. Line 4 change to read:
"...system, in its final evaluation configuration made in support of the accreditation process...."
Revision: 8
SYSTEM CERTIFIER -
A member of a team that performs the comprehensive assessment of the technical and non-technical security features of a projected Operational Information System and other safeguards made in support of the accreditation process. The certifier identifies the assurance levels achieved in meeting all applicable security policies, standards and requirements upon which the DAA makes the determination as to whether or not an Information System can/is operating within the bounds of acceptable risk.
3. remove "projected operational". There are many systems that are operational and not certified.
4. I don't like any of it.....let's start over
5. Rewrite the definition as follows
A System Certifier performs the comprehensive assessment of the technical and non-technical security features of a projected Operational Information System in support of the accreditation process. Further, the certifier identifies the assurance levels achieved in meeting all applicable security policies, standards, and requirements upon which the DAA makes the determination as to whether or not the Operational Information System can/is operating within the bounds of acceptable risk. Lastly, the Certifier determines whether an Operational Information Systems meets the security standards for which it was designed
6. Please use "a" instead of "the" when defining a general situation.
7. pull out any unnecessary "the's."
Revision: 7
SYSTEM CERTIFIER -
A member of a team that performs the comprehensive assessment of the technical and non-technical security features of an Operational Information System and other safeguards made in support of the accreditation process. The certifier identifies the assurance levels achieved in meeting all applicable security policies, standards and requirements upon which the DAA makes the determination as to whether or not an Information System can/is operating within the bounds of acceptable risk.
3. good!
4. OK
Revision: 6
Certification Organization (Certifier) -
The member of team that is responsible for the comprehensive assessment of the technical and non-technical security features of an Information System and other safeguards made in support of the accreditation process. The certifier identifies the assurance levels achieved in meeting all applicable security policies, standards and requirements upon which the DAA makes the determination as to whether or not an Information System can/is operating within the bounds of acceptable risk.
3. go with it
4. What team? The REDSOX?
5. You really, really, really need to put the word OPERATIONAL in front of "Information System" in the first sentence.
6. We lost the entire view of the system from the operational view point. Placing the word 'operational' before the first instance of Information System should suffice.
7. yes
8. WE ARE DEFINING SYSTEM CERTIFIER--NOT CERTIFICATION ORGANIZATION! DROP THE OLD TITLE.
9. A CERTIFIER IS _A_ MEMBER NOT _THE_ MEMBER.
10. A MEMBER OF A TEAM THAT PERFORMS A COMPREHENSIVE...
11. It is unclear given "a" certification process that the work of a certifier is limited to identifying only the assurance levels achieved. Recommend changing line 5 "certifier" to DAA and deleting, "the assurance levels achieved in meeting" in line 6.
12. Pls. change "the member of" to "A member of a team . . . ."
13. move 1st sentence around as follows:
"A member of a team that is responsible for the comprehensive assessment of an Information System's technical and non-technical security features and other safeguards which have been identified in the course of the accreditation process."
14. GOOD
Revision: 5
Certification Organization (Certifier) -
A member of a team that is responsible for the comprehensive assessment of the technical and non-technical security features of an Information System and other safeguards made in support of the accreditation process. This entity ensures that the assurance levels of a particular system meet all applicable policies, standards and requirements so that the DAA can make the final determination as to whether or not an Information System can/is operating within the bounds of acceptable risk and national-level, local, and mission requirements.
3. NOTE 1 - Said standards and requirements which the system must meet in relation to its operational environment.
4. NOTE 2 - The requirements the certifier is evaluating is not the Orange Book criteria but how secure the system is in its operational environment.
5. NOTE 3 - The entity provides sufficiently detailed and comprehensive information to the DAA, so that the DAA can make the final determination as to whether or not an IS can/is operating within the bounds of acceptable risk and national-level, local, and mission requirements.
6. OK
7. delete all three notes;
8. stop the definition after "acceptable risk" (near next to last line of definition)
9. If you add the word OPERATIONAL prior to the first instance of "Information System" then there is no need for Notes 1&2.
10. A member of a team that is responsible for the comprehensive assessment of the technical and non-technical security features and other safeguards of an Information System made in support of the accreditation process. The certifier ensures that the assurance levels of a particular system meet all applicable policies, standards and requirements so that the DAA can make the final determination as to whether an Information System can/is operating within the bounds of acceptable risk and national-level, local, and mission requirements.
11. Change "entity" to read "individual" or "member"
12. Add the word "security" after applicable in second sentence.
13. change "so that the DAA can make..." to "upon which the DAA makes..." and delete the word final.
14. Line 5 Change to read:
.... This entity identifies the assurance level achieved in meeting security policies, standards, and requirements of a particular system, so that the DAA.....
15. I believe that all three of the NOTES can now go away. We have incorporated the flavor of each in our definition.
16. Change levels to "levels of a particular system"
17. Overall, I like the current version, but we may need a lexicographer to make sure that it is smoothed out to be very easy to follow.
18. Paragraph 2 can be reworded as such:
19. "The certifier ensures, etc., etc. " Eliminate the term "entity"
20. I would rewrite paragraph 2 as follows:
21. "The Certifier ensures that a particular system meets all the requirements for which it was designed; satisfies all assurance levels and meets all applicable policies, standards and requirements so that the DAA can make the final determination as to whether it operates within the bounds of acceptable risks and national-level, local, and mission requirements."
22. Change entity into team. Is it necessary to tag on "...and other safeguards made in support of the accreditation process."--this sounds weak and vague, unsettling.
23. Is note 3 still supposed to be there?
24. Does the team ensure that assurance levels meet standards or that countermeasures meet the applicable criteria?
25. Instead of a team member say THE team member responsible for
26. Note 1 and 2 may be combined. Note 2 is more correct than 1.
27. [1] remove (line 6), "the assurance levels of a". Assurance levels are not the only aspect that the certifier assesses.
28. Note 1. Delete. A PM develops a system and certifies that it meets a set of functional requirements. The PM has no impact to the operational environment requirements.
29. Note 2. Change "evaluating" to "assessing" for consistency with [1]
Revision: 4
Certification Organization (Certifier) -
The individual or organization responsible for the comprehensive assessment of the technical and non-technical security features of an Information System and other safeguards made in support of the accreditation process. This entity ensures that the assurance levels of a particular system meet all applicable standards and requirements.
3. NOTE 1 - Said standards and requirements which the system must meet or in relation to its operational environment.
4. NOTE 2 - The requirements the certifier is evaluating is not the Orange Book criteria but how secure the system is in its operational environment.
5. NOTE 3 - The entity provides sufficiently detailed and comprehensive information to the DAA, so that the DAA can make the final determination as to whether or not an IS can/is operating within the bounds of acceptable risk and national-level, local, and mission requirements.
6. note 1 is not a sentence.
7. add to paragraph 1...and requirements so that the DAA can make the final determination as to whether or not an IS can/is operating within the bounds of acceptable risk and national-level, local, and mission requirements.
Revision: 3
Certification Organization (Certifier) -
(1) The individual or organization responsible for the comprehensive evaluation of the technical (i.e., via Certification Test and Evaluation) and non-technical [i.e., via Security Test and Evaluation] security features of an Information System and other safeguards made in support of the accreditation process. This entity ensures that the assurance levels of a particular system meet all applicable standards and requirements and determines if the amount of residual risk warrants accreditation of the AIS.
(2) NOTE - Said standards and requirements which the system must meet or in relation to its operational environment.
(3) NOTE - The requirements the certifier is evaluating is not the Orange Book criteria but how secure the system is in its operational environment.
(4) NOTE - The entity provides sufficiently detailed and comprehensive information to the DAA, so that the DAA can make the final determination as to whether or not an AIS can/is operating within the bounds of acceptable risk.
3. Looks good
4. Keep the notes as "notes"
5. [2] Note - change 'or' to 'are' Otherwise it looks good
6. Notes help to clarify - Good to go!
7. Note 3 might be changed to mention that the evaluating criteria meets all national-level, local, and mission requirements.
8. delete the last two lines " and determines ... of the AIS". this is the DAA's job (see note 4);
9. notes 2,3 and 4 are nice, but not necessary for clarification
10. good. add (4) Note to #1
11. Change last sentence of paragraph 1 to read:
This entity ensures that the assurance levels of a particular system meet all applicable standards and requirements and reports results to the DAA who determines if the amount of residual risk warrants accreditation of the AIS.
12. This should eliminate the need for NOTE 4.
13. Add the word OPERATIONAL before Information System in paragraph. 1.
14. This should eliminate the need for notes 2 & 3.
15. (1) Change last two lines to read:
" and, based on the residual risks, may make a recommendation (i.e., not a determination) that the AIS warrants accreditation"
16. Delete Note #2...it does not add to the definition provided in (1)
17. Note #3 does not define what a certifier is.....it identifies the source of the requirements ......delete it.
18. RE: paragraph. 1: The discussion of "and other safeguards made. . ." is confusing. I think I know what is meant -- but that is not what the sentence says. I think this is a dangling phrase or some such.
19. Comment: I think the notes, esp. (4) are very helpful to the discussion in the main paragraph. Good show.
20. Omit parenthetical input. Definition should deal with what the certifier is not how certification is done. Repeat IS at end of sentence. Incorporate note 3 emphasizing how system meets operational security requirements.
21. Delete notes 2 and 3 - not necessary
22. paragraph 1 If we have to keep the parentheses, just use them once where we have them the second time to refer to both tech and non-tech
23. Also, some certifications do not require an ST&E. A "desk top audit" may be done, or other certification activity.
24. note 4 can be deleted by adding "by the DAA" to the definition in (1)
25. The DAA determines if an AIS is accreditable based upon more information than the certification - I still don't like the word accreditation on the last line of paragraph 1.
26. Residual risk as determined by the certifier may be off-set by some process or procedure of policy, operational consideration or SOP which would be identified by others involved in the process.
27. Selection No. 1 should delete all references to "an organization" since we are seeking consensus on a definition of a SYSTEM CERTIFIER. Simply stated, this translates into a definition of WHAT A PERSON does, not an organization.
28. Selection No. 4 should likewise be reworded as it pertains to the use of the term "entity." Terms such as "organization," "entity," or other non-specific words, should be avoided in the context of the definition (CERTIFIER) which we seek to define.
29. [1] Delete everything after the 1st sentence. What are assurance levels in relation to certification? The DAA, not the certifier, determines the amount of acceptable residual risk. CHANGE LINE 2 "EVALUATION" TO "ASSESSMENT" Rationale: NSA does evaluations, Services do assessments. SUGGEST TAKING OUT PARENTHETICALS, SINCE THEY DEAL WITH THE HOW AND NOT THE WHAT.
Revision: 2
Certification Organization (Certifier) -
(1) The individual or organization responsible for the comprehensive evaluation of the technical (i.e., via Certification Test and Evaluation) and non-technical [i.e., via Security Test and Evaluation] security features of an Automated Information System and other safeguards made in support of the accreditation process. This individual or office ensures that the assurance levels of a particular system meet all applicable standards and requirements and determines if the amount of residual risk warrants accreditation of the AIS.
(2) One who tests the assurance levels of a system sufficient to certify that it meets the requirements within an acceptable level of risk. And, decides if a given system meets all the security standards for which it was designed.
(3) The certifying organization/certification authority provides sufficient information for the DAA to make a determination that the AIS can operate within the bounds of an acceptable risk.
3. Delete Paragraphs 2 and 3.
4. Couldn't have said it better myself
5. Delete paragraphs 2 & 3
6. Certification Organization (Certifier) -
(1) The individual or organization responsible for the comprehensive evaluation of the technical and non-technical security features of an Automated Information System and other safeguards made in support of the accreditation process. This individual or office ensures that the assurance levels of a particular system meet all applicable standards and requirements.
7. Paragraph 1, last sentences - include a statement to the effect that the standards and requirements which the system must meet or in relation to its operational environment. Much as what was once suggested in the New Federal Criteria.
8. Paragraph 2, - see above. The requirements the certifier is evaluating is not the Orange Book criteria but how secure the system is in its operational environment.
9. Rewrite number 2 as follows:
One who tests the established assurance levels of a system, certifies that it meets acceptable levels of risks, and decides if the system meets all of the security standards for which it was designed.
10. (1) Change "individual or office" to read "entity"
11. (1) last sentence - Change "accreditation" to read "certification"
12. Change AIS to IS. AIS is an antiquated term that distinguished computing systems from telecommunications systems. Information System supersedes and includes both AIS and Telecommunications.
13. While the product of certification is submitted to the accreditation process, certification is a process of its own. It may be inaccurate to state that it is part of or in support of the accreditation process.
14. (1) The individual or organization responsible for the comprehensive evaluation of the technical (i.e., via Certification Test and Evaluation) and non-technical [i.e., via Security Test and Evaluation] security features of an Automated Information System and other safeguards made in support of the accreditation process, and decides if a given system meets all the security standards for which it was designed. This individual or office ensures that the assurance levels of a particular system meet all applicable standards and requirements and determines if the amount of residual risk warrants accreditation of the AIS.
15. The certifying organization/certification authority provides sufficient information for the Designated Approving Authority to make a determination that the AIS can operate within the bounds of an acceptable risk
16. Paragraph more or less says it all, containing the intentions of the others. To what level of specificity need we take this, viz., testing, reviewing, etc., in the successive paragraphs are subsets of paragraph 1?
17. Certification Organization (Certifier) -
18. (1) The individual or organization responsible for the comprehensive evaluation of the technical (i.e., via Certification Test and Evaluation) and non-technical [i.e., via Security Test and Evaluation] security features of an Automated Information System made in support of the accreditation process. This individual or office ensures that the assurance levels of a particular system meet all applicable policies, standards and requirements and determines if the level of residual risk warrants accreditation of the AIS.
19. (2) I'm not sure that paragraph. 2 contains any new and different ideas at this point. Recommend deleting it.
20. (3) The certifying organization/certification authority provides sufficiently detailed and comprehensive information to the DAA, so that the DAA can make the final determination as to whether or not an AIS can/is operating within the bounds of acceptable risk.
21. 3 is redundant delete
22. paragraph 2 should not start with word "one"; there is usually a team led by a test director. The team has expertise in various areas of the IT.
23. paragraph 1 term AIS is outdated, national usage is IT, only DOD is hanging on to "AIS" IT stands for Information Technology and is "The hardware, firmware, and software used to perform DOD information functions. This definition includes computers, telecommunications, outdated information systems (AIS), and automatic data processing equipment. Come on cave people, get with the program (just kidding)
24. paragraph 1 is [i.e. via ST&E] really necessary/ NO
25. I may do a connection approval, or a waiver authorization, etc.
26. [1] Delete everything after 1st sentence.
27. As now stated, recommend deleting paragraphs [2] and [3]. Certifier don't certify to standards but to requirements being met nor is assurance the only aspect of security dealt with. The certifier does not establish acceptable risk bounds. They only certify whether a requirement is implemented in the system or not.
Revision: 1
Certification Organization (Certifier) -
(1) The individual or organization responsible for the comprehensive evaluation of the technical and non technical security features of an IT and other safeguards made in support of the accreditation process to establish the extent to which a particular design and implementation meet a set of specified security requirements.
(2) One who tests the assurance levels of a system sufficient to certify that it meets the requirements necessary for accreditation. And, decides if a given system meets all the standards for which it was designed.
(3) the person or office that reviews the security policy with the system, points out the differences and what is met
(4) Comprehensive evaluation of technical & non-tech security features of an AIS & other safeguards to establish the extent to which a particular design & implementation meets sec. requirements the individual or organization responsible for the comprehensive evaluation of the technical and non technical security features of an IT and other safeguards made in support of the accredit process to establish the extent to which a particular design and implement meet a set of spec sec
3. (3) delete
4. (1) Define "I T"
5. (2) remove the word "all" in second sentence
6. Certification Organization (Certifier) -
7. (1) The individual or organization responsible for the comprehensive evaluation of the technical and non technical security features of an IT and other safeguards made in support of the accreditation process to establish the extent to which a particular design and implementation meet a set of specified security requirements.
8. Paragraph 1 looks global enough. I suggest we use "Automated Information System" vs. IT (Information Technology). We could use the NSTISSC definition for AIS.
9. paragraph 1 looks good to me
10. Certification Organization (Certifier) -
11. The individual or organization responsible for the comprehensive evaluation of technical and non-technical security features and other safeguards of an AIS thereby establishing the extent to which a particular design and implementation meets the requirements of the individual or organization responsible for determining if the amount of residual risk warrants accreditation of the AIS.
12. Certification Organization (Certifier) -
13. (1) The individual or organization responsible for the comprehensive evaluation of the technical and non technical security features of an IT and other safeguards to establish the extent to which a particular design and implementation meet a set of specified security requirements.
14. (2) One who tests the assurance levels of a system sufficient to certify that it meets the requirements necessary for accreditation. And, decides if a given system meets all the standards for which it was designed.
15. (3) the person or office that reviews the security policy with the system, points out the differences and what is met
16. (4) Comprehensive evaluation of technical & non-tech security features of an AIS & other safeguards to establish the extent to which a particular design & implementation meets sec. requirements the individual or organization responsible for the comprehensive evaluation of the technical and non technical security features of an IT and other safeguards made in support of the accredit process to establish the extent to which a particular design and implement meet a set of spec sec
17. (1) The individual or organization responsible for the comprehensive evaluation of the technical and non technical security features of an information system and other safeguards made in support of the accreditation process. This individual or office ensures that the assurance levels of a particular system meet all applicable standards and requirements.
18. Certification Organization (Certifier) -
19. (1) The individual or organization responsible for the comprehensive evaluation, in the operational environment, of the technical and non-technical security features of an IT and other safeguards, and to establish the extent to which a particular implementation meets specified security requirements.
20. (2) One who tests a system to ensure the assurance levels are sufficient to certify that it meets the requirements necessary for accreditation in the operational environment, and decides if a given system meets all the standards for which it was designed.
21. (3) The person or office that reviews the security policy against the actual system and identifies discrepancies.
22. (4) Comprehensive evaluation of technical & non-tech security features of an AIS & other safeguards to establish the extent to which a particular implementation meets sec. requirements and to provide supporting documentation for the accreditation process.
23. Paragraph 2: add the word "security" before "standards" in the last line. Change "meets the requirements necessary for accreditation" to "meets the requirements within an acceptable level of risk" or words to that effect.
24. Paragraph 3 needs to identify that certification is more than just policy. It includes administrative, physical, OPSEC, TEMPEST and other technical and non-technical issues.
25. Paragraph 4: delete. Paragraph 1 covers it.
26. Paragraph 1: perhaps we should add "on behalf of the DAA"??????? Also, do we need to spell out IT??
27. Keep paragraph 2
28. (1) Change IT to AIS. AIS is a more widely used term (defined in DOD Dir. 5200.28).
29. (3) & (4) Delete.
30. Reason: repeats the intent of what (1) and (2) should confer.
31. ADD new (3)
32. "The certifying organization/certification authority provides sufficient information for the DAA to make a determination that the AIS can operate within the bounds of an acceptable risk."
33. Certification Organization (Certifier) -
34. (1) The individual or organization responsible for the comprehensive evaluation of the technical and non technical security features of an AIS. The purpose of this evaluation is to establish the extent to which a particular design and implementation meets a specified set of security requirements and standards.
35. (2) I would delete this paragraph, because I don't think it adds to what we have in paragraph 1.
36. (3) I would delete this paragraph also, unless it is considerably revamped. Policies is the only new topic here, and it could be added to paragraph 1 quite easily.
37. (4) I would delete this paragraph also. Any new topics could simply be added to paragraph 1.
38. #1 needs accreditation process defined; good; otherwise add the testing of assurance part in #2 to the #1 definition.
39. #2's second sentence is a duplication of #1's "...establish the extent to which a particular design and implementation meet a set of specified security requirements"
40. #3 reviewing security policy idea can be added to the definition in #1 with aforementioned additions/changes
41. #4 is a repeat of #1
42. (1) The designated individual or organization responsible for the comprehensive evaluation of the technical and non-technical security features of an Information System.
43. (2) Suggests/reviews safeguards in support of the accreditation process to establish the extent to which a particular design and implementation meet a set of specified security requirements.
44. (3) One who tests the assurance levels of a system to certify that it sufficiently meets the requirements necessary for accreditation. (Remainder of original paragraph (2) is irrelevant; system design standards are not necessarily directly tied to certifications.)
45. (4) The person or office that compares/contrasts the security policy with the system design and identifies deficiencies. Additionally provides alternatives to resolve deficiencies which will ultimately result in system accreditation.
46. [1] Change "evaluation" to "assessment". After "technical" add [i.e., via Certification Test and Evaluation] and after "non technical" add [i.e., via Security Test and Evaluation].
47. [2] Change "necessary for accreditation" to "necessary for certification". Also, change "standards" to "requirements".
48. [3] Change to read, "One who assesses the system against the Information System Security Policy."
49. [4] Delete. Same as [1]
Task: (YN) agree with version 4
Creation Date: Monday, June 19, 1995 02:00 PM
Print Date: June 23, 1995
Initial Question / Instructions
Can we work with this definition for future work this week and forward?
Voting Statistics - Yes / No Vote
Folder: SUM
YES: 8
NO: 6
ABSTAINED: 2
Task: (YN) system certifier #2
Creation Date: Monday, June 19, 1995 02:38 PM
Print Date: June 23, 1995
Initial Question / Instructions
Is this statement of 'System Certifier' acceptable to you?
Voting Statistics - Yes / No Vote
Folder: SUM
YES: 9
NO: 5
ABSTAINED: 2
Task: (YN) Y/N on #10
Creation Date: Monday, June 19, 1995 03:03 PM
Print Date: June 23, 1995
Initial Question / Instructions
Do you approve of version # 10?
Voting Statistics - Yes / No Vote
Folder: SUM
YES: 12
NO: 2
ABSTAINED: 2
Task: (Brain Storm) Major Duties (Mon. PM System Certification)
Creation Date: Monday, June 19, 1995 04:17 PM
Print Date: June 23, 1995
Initial Question / Instructions
A question was not entered during the setup of this session.
Folder List
Uncategorized
1. Understand Hardware and protocols
2. Identify certification team members
Determine what functional area specialists (e.g., physical security, fire) will be a part of the team
As appropriate for the IS environment. May be DCID 1/16, or NIST pubs.
16. Develop Certification Plan
an outline that lays out work to be done in the certification process, at least a checklist to ensure that security requirements are tested
17. Develop And Conduct Certification Test
define the work (security safeguards to be tested), conduct test of effectiveness of safeguards, serve as a basis for making recommendation to the DAA
18. Documenting Certification Plans
Creator Declined Definition Request.
19. Acquire The Mission Needs Statement
The mission needs statement should explain the flow of information and overall functionality of the system.
20. Finalize Security Test Plan
before the test, the certifier must analyze and understand the plan which will be used and be sure it's effective and does the job
21. Developing Certification Reports
22. Knows How To Access CERT, ASSIST Reports
these are repositories for vulnerability reports; there may be other sources
23. Determines Compliance W/ Security Plan
For some organizations this is the purpose of performing certifications, along with compliance with requirements and risk management
24. Identify Usable Products From EPL
EPL - Evaluated Products List - included in NSA Evaluated Products and Services Catalog, published quarterly, commercially available products
25. Finalize ST&E Procedure
security test & evaluation
26. Identify roles of groups/employees
Creator Declined Definition Request.
27. Evaluate contingency plans
Continuity of operations plans, viz., backup procedures, personnel and facilities in the event of loss of primary.
28. Identify Date For Certification
the certifier must coordinate with the ISSO to ensure resources are available and that everything is ready so that a mutually agreeable date can be set
29. Understand Scope Of Environment
Be able to identify the totality of factors that contribute to the environment under which the system will operate.
30. Identify Personnel Security Requirements
Creator Declined Definition Request.
31. Verify System Is Ready For Certification
there are many times that an organization is not ready or prepared, even though the DAA has scheduled a certification for that organization
32. Familiar With Physical Security Principle
physical security principles, i.e., locks, bolts, security clearances, sensitivity of data, etc.
33. Recognize Current Trends And Directions
Recognize the path industry follows and plan for future of the system. Additionally, recognize short-term solutions.
Relevant to security and operations!
34. Identify Site Support Requirements
need personnel to run tests on the system; need resources such as space, phones, the ISSO, and personnel who can answer questions and help with the test
35. familiar with TEMPEST
spurious electronic emanations
36. Familiar With OPSEC
Operational Security
37. Validate The Security Features
the policy or secure CONOPS or similar document will discuss the security features, but these must be validated to confirm that they have been implemented, and implemented correctly
38. Familiar With TRANSEC
transmission security
39. Conduct a Threat Assessment
evaluates the threat posed to the mission, guides system development, ensures legitimate security services are incorporated to counter these threats.
40. Assign Values To Assets
Either quality or quantity values to help rank risks
41. Prepare Accred Package For DAA
upon completion of the CERT or ST&E, a package specifying the results (findings) is prepared in the form of a test report for the DAA
Please define if CERT means CERTIFICATION or Computer Emergency Response Team!
42. Understand Roles And Responsibilities
of ISSO, ISSM, system administrator, DAA, and user
43. Familiar With MAC
mandatory access control
44. Identify Threat
Generic environmental and human threat
45. Examine Environmental Vulnerabilities
explore penetrability of facilities, system electromagnetic emissions, line of sight holes, grounding vulnerabilities, etc.
46. Know & Understand Document Requirements
Must know that there are criteria by which the certification will be conducted. Must know what to ask for, if documents are adequate and up to date, and understood.
47. Understand Pertinent COMSEC Issues
Understand how COMSEC relates to the operational environment and what issues must be addressed in gaining accreditation
48. Brief DAA On Results Of Certification
49. Familiar With DAC
discretionary access control
50. Know Different Resources Available To
provide information (ASSIST, VAAP, counter intelligence, security police, fire)
51. Conducts Risk Assessments
Identify critical assets, generic threat, vulnerabilities, and risks
52. Understand Risk/Threat Assessments
have to understand to see if they have been mitigated
53. Coordinate With Appropriate Local Infrastructure
managers.
54. Be Aware Of The Effects Of Environmental
concerns on the availability of a system (natural disasters, UPS, air conditioning, fire alarms/suppression equip)
55. Acquire/Develop the ISSP
The Information System Security Policy outlines what the system needs to protect and the types of security services. Cert. is against this document.
56. Familiar With Current Penetration Tools
Ex. COPS, CRACK, SATAN, etc.
57. Performs Risk Analyses
The ability to determine the level of residual risk in the operation of a given system presupposes that the individual can perform risk analyses.
58. Appropriately Document System Topology
May be considered part of certification package.
59. Consider/Test In A Variety Of (Cont )
operating environment
60. Understand How Connectivity Issues
affect the posture of a system
61. Be Able To Identify When A System
needs re-certification (either because of modification or time since last certification)
62. Know meaning of Orange Book criteria
Know A, B, C, D ratings and things like a B2 can be a guard between adjacent classification levels but a B1 or higher is needed for more separation
63. Verify Configuration Control Documents
make sure the documents represent the system
64. Understand Sensitivity Of Data
The "sensitivity of the data" will drive the types of access controls which need to be imposed, everything else being equal.
65. Document the Detailed OPCON
describes, identifies, and explains the details of the system architecture. Helps assess the impact of subsequent documents and analysis.
66. Ensure Local SYSADM And Users Trained
Certification requires a snapshot of the system and its configuration be taken. Educate the local administrator and users about what invalidates it.
67. Maintain Currency Of Certification Documents
Ensure that governing regulations, guidelines, and directives are current and applicable to a system's evolving environment
68. Verify Configuration Control Mechanisms
make sure a procedure exists to update the documents
69. Review Contingency Plans
The system owner, as he contemplates the specific platform for the system, should have developed some contingency plans. The certifier reviews them.
70. Review Disaster Recovery Plans
71. Be Able To Determine The Operational
environment of fixed and mobile systems
72. Understanding of COMPUSEC
Computer Security Vs Communications security Vs operational security
73. Identify Certification Tools
Software availability in identifying vulnerabilities as well as those dealing with such issues as access and authentication, etc.
74. Understand Red Book
75. Understand Embedded Cryptography Mechanisms
mechanisms - mechanisms
76. Understand Embedded Privacy Mechanisms
77. Determine/Validate Security Requirements
Builds off the CONOPS into a level of detail
78. Understand Mission Support
Know what the system is supposed to do in delivering product or service.
79. Familiarization with the Rainbow Series
80. Define user organ security requirements (cont)
Specify (minimum) personnel, physical, environmental and procedural security controls required to maintain integrity/reliability of the system.
81. Understand Operating Systems
problems
82. Understand Mainframes
there are several different mainframes in different configurations. Certifier must know if properly installed with proper safeguards and proper connections
83. Knowledge Of Protocols
84. Understand Various Applications In Use
understand applications to see if properly implemented, patches up to date, authorized users only, no holes, etc.
85. Understanding of Operational Environment
Physical environment, communications connectivity, users, security clearances, data classifications, policies, SOP's, etc. which define the environment
86. Familiar With COMSEC
the use of communications security devices is possible and they must be controlled, and have SOPs, etc. and properly installed, doctrine, policy, destruction proceed
87. Propose Accreditation Period
The period for which a system will be accredited (3 years or less), provisional, etc.
88. Familiar With System Topologies
a system is made up of many connections, back doors, internal LANs, external connections, etc. the collection of everything that affects/is affected
89. Conduct Initial Risk Assessment
Based upon the risks associated with a threat assessment the certifier can recommend countermeasures to the threats.
90. Understand Differences Between Different
classes of systems (main, mini, micro, LAN, WAN, etc.)
91. Ensures that test procedures meet requirements
Creator Declined Definition Request.
92. Review All System Documentation
documents should be reviewed for adequacy, completeness, and accuracy
93. Familiar With INFOSEC Architectures
the information system security architecture is made up of the security features and their implementation, as in the DOD Goal Security Architecture
94. Identify Pertinent Personnel Policies
Personnel Security, clearances, need to know, threats, etc.;
95. Identify Security Mode Of Operation
i.e., dedicated, system high, compartmented, or multilevel security modes
96. Ensures Security Related Testing Is Documented
97. Identify Security Features
98. Ability To Understand Technical Documentation
Certifier must know adequate documentation when he sees it. First question is, "is there adequate documentation?"; Certifier must know the answer.
99. Review Mechanisms To Update Documents
documentation needs to be current and reflect the system
100. Analyzes Connectivity
What are the LAN/WAN connections?
101. Participates in testing
Creator Declined Definition Request.
102. Make Certification Recommendation
Simply state what the system is certified against, what is met/not met.
103. verify hardware/software operate
hardware and software need to operate as designed; test for loopholes
104. Reviews hardware design
Creator Declined Definition Request.
105. Identify all hardware assets
All items of significant hardware included in the certification plan. Inventories, etc.
106. Hardware/software accountability
Know who is accountable for hardware and software inventories
107. Provides Support To DAA
The SA should be able to develop all materials needed by the DAA.
108. Educator and briefer to superiors
Creator Declined Definition Request.
109. Determine acceptable risk
Identify what risks are beyond the ability of technology to protect against.
110. Conduct Residual Risk Assessment
Define for the DAA what residual risk remains after testing the system in the operational environment.
111. Reviews Software Design
looks at design of operating system and application programs, particularly with respect to their security features; and the interaction of these
112. Ensures software is properly tested
113. Maintenance security issues
Identifying security issues relating to software/hardware maintenance, viz., security clearance/access, shipping & handling of classified hardware/software
114. Validate Security Procedures
Cert. determines the effectiveness of the non-design related security procedures.
115. Familiar With /Laws, Policies, Procedures
116. Evaluate Non Security Safeguards
things such as environmental systems, UPS, fire protection
117. Establish Certification Review Schedule
Provide a schedule of when the topology and configuration is reviewed and updated. This will help ensure the system certification is current/valid.
118. Ensures RFPs Contain Security Req.
Security should be part the entire life cycle of an acquisition. The RFP is where this should begin
119. Verify Login Procedures
what don't you understand
120. Verify Audit Capabilities
make sure there is an audit function and check for robustness
121. Verify Environment
look at design environment with respect to real world environment
122. Conduct Certification Test and Evaluation
If applicable, CT&E is conducted against the technical requirements of the system.
123. Understands Details Of The Network Environment.
The overall security of the IS depends on how secure the environment is. If the IS is on a network, the network itself is a potential security threat
124. Conduct Security Test and Evaluation
Conduct ST&E. The system in its operational environment tested to meet the operational
125. Define Responsibilities To ISSO
Establish working relationship, duties and committed to ISSO
126. Identify CERT resources
Computer Emergency Response Team or comparable support resources.
127. Understand Security Management Structure
one of the problems with organizations is that they do not have a systems security management structure in place and the systems cannot be in good shape; need ISSO and
128. Covert Channel Analysis
see Orange book
129. Familiar With CM Tools
countermeasures for protecting/detecting problems
130. Attend Contractor Testing
If applicable, witness the contractor's security testing of a developed system.
131. Reviews Architecture And Configuration
?
132. Understands Personnel Security Levels.
People are the biggest risk to a system's security. It is important that the certifier know what clearance requirements are needed.
133. Attend Design Reviews
If applicable, the certifier should attend design reviews of a developing system.
134. Reviews Previous Certification Reports
If this system was old, a prior report may be available; also reports from development cycle
135. Disaster Recovery/Continuity Plans
Plans for continuing operations in the wake of disaster (fire, flood, terrorists) to include facilities, personnel, conops, resources, logistics, etc.
136. Develops Countermeasures To Reduce Risk
137. Determines Residual Risks
after all is said and done, what is the risk that remains after all countermeasures and security features are employed
138. Does Site Visit
visit the site to verify the environment conforms to the design goal, and that the system is being used as designed; the users/operators are knowledgeable
139. Conduct a Detailed System Sec. Analysis
determines whether and to what degree the detailed security requirements have been satisfied by a design.
140. Be Able To Run/Evaluate SPI
SPI is a DOD CM tool to assist in detection of system problems
141. Understand Password Implementation
the way the password system is implemented to ensure no weaknesses how often changed, old users deleted, etc.
142. Assesses Configuration Management
change must be managed to ensure that the system's architecture and topology are understood, and users are all authorized and procedures followed
143. Identify EMP Threats
Electromagnetic Pulse
Task: (Brain Storm) Duties of System Certifier (DSC)
Creation Date: Tuesday, June 20, 1995 06:51 AM
Print Date: June 23, 1995
Initial Question / Instructions
What are the major duties of the system certifier ??
As appropriate for the IS environment. May be DCID 1/16, or NIST pubs.
Develop certification plan
an outline that lays out work to be done in the certification process, at least a checklist to ensure that security requirements are tested
Develop and conduct certification test
define the work (security safeguards to be tested), conduct test of effectiveness of safeguards, serve as a basis for making recommendation to the DAA
Documenting certification plans
Creator Declined Definition Request.
acquire the mission needs statement
The mission needs statement should explain the flow of information and overall functionality of the system.
finalize security test plan
before the test, the certifier must analyze and understand the plan which will be used and be sure it's effective and does the job
Developing Certification Reports
knows how to access CERT, ASSIST reports
these are repositories for vulnerability reports; there may be other sources
determines compliance w/ security plan
For some organizations this is the purpose of performing certifications, along with compliance with requirements and risk management
Identify usable products from EPL
EPL - Evaluated Products List - included in NSA Evaluated Products and Services Catalog, published quarterly, commercially available products
finalize ST&E procedure
security test & evaluation
Identify roles of groups/employees
Creator Declined Definition Request.
Evaluate contingency plans
Continuity of operations plans, viz., backup procedures, personnel and facilities in the event of loss of primary.
identify date for certification
the certifier must coordinate with the ISSO to ensure resources are available and that everything is ready so that a mutually agreeable date can be set
Understand scope of environment
Be able to identify the totality of factors that contribute to the environment under which the system will operate.
Identify personnel security requirements
Creator Declined Definition Request.
verify system is ready for cert
there are many times that an organization is not ready or prepared, even though the DAA has scheduled a certification for that organization
familiar with physical security principle
physical security principles, i.e., locks, bolts, security clearances, sensitivity of data, etc.
Recognize current trends and directions
Recognize the path industry follows and plan for future of the system. Additionally, recognize short-term solutions.
Relevant to security and operations!
Identify site support requirements
need personnel to run tests on the system; need resources such as space, phones, the ISSO, and personnel who can answer questions and help with the test
familiar with TEMPEST
spurious electronic emanations
familiar with OPSEC
Operational Security
validate the security features
the policy or secure CONOPS or similar document will discuss the security features, but these must be validated to confirm that they have been implemented, and implemented correctly
familiar with TRANSEC
transmission security
Conduct a Threat Assessment
evaluates the threat posed to the mission, guides system development, ensures legitimate security services are incorporated to counter these threats.
Assign values to assets
Either quality or quantity values to help rank risks
prepare accred package for DAA
upon completion of the CERT or ST&E, a package specifying the results (findings) is prepared in the form of a test report for the DAA
Please define if CERT means CERTIFICATION or Computer Emergency Response Team!
Understand roles and responsibilities
of ISSO, ISSM, system administrator, DAA, and user
familiar with MAC
mandatory access control
IDENTIFY THREAT
Generic environmental and human threat
examine environmental vulnerabilities
explore penetrability of facilities, system electromagnetic emissions, line of sight holes, grounding vulnerabilities, etc.
know & understand document requirements
Must know that there are criteria by which the certification will be conducted. Must know what to ask for, if documents are adequate and up to date, and understood.
Understand pertinent COMSEC issues
Understand how COMSEC relates to the operational environment and what issues must be addressed in gaining accreditation
Brief DAA on results of Certification
familiar with DAC
discretionary access control
Know different resources available to
provide information (ASSIST, VAAP, counter intelligence, security police, fire)
Conducts risk assessments
Identify critical assets, generic threat, vulnerabilities, and risks
understand risk/threat assessments
have to understand to see if they have been mitigated
Coordinate with appropriate local infrastructure
managers.
Be aware of the effects of environmental
concerns on the availability of a system (natural disasters, UPS, air conditioning, fire alarms/suppression equip)
Acquire/Develop the ISSP
The Information System Security Policy outlines what the system needs to protect and the types of security services. Cert. is against this document.
Familiar with current penetration tools
Ex. COPS, CRACK, SATAN, etc.
Performs Risk Analyses
The ability to determine the level of residual risk in the operation of a given system presupposes that the individual can perform risk analyses.
Appropriately document system topology
May be considered part of certification package.
Consider/test in a variety of (cont )
operating environment
Understand how connectivity issues
affect the posture of a system
Be able to identify when a system
needs re-certification (either because of modification or time since last certification)
Know meaning of Orange Book criteria
Know A, B, C, D ratings and things like a B2 can be a guard between adjacent classification levels but a B1 or higher is needed for more separation
verify configuration control documents
make sure the documents represent the system
Understand sensitivity of data
The "sensitivity of the data" will drive the types of access controls which need to be imposed, everything else being equal.
Document the Detailed OPCON
describes, identifies, and explains the details of the system architecture. Helps assess the impact of subsequent documents and analysis.
Ensure local SYSADM and users trained
Certification requires a snapshot of the system and its configuration be taken. Educate the local administrator and users about what invalidates it.
Maintain currency of certification documents
Ensure that governing regulations, guidelines, and directives are current and applicable to a system's evolving environment
verify configuration control mechanisms
make sure a procedure exists to update the documents
Review Contingency Plans
The system owner, as he contemplates the specific platform for the system, should have developed some contingency plans. The certifier reviews them.
Review Disaster Recovery Plans
Be able to determine the operational
environment of fixed and mobile systems
Understanding of COMPUSEC
Computer Security Vs Communications security Vs operational security
Identify certification tools
Software availability in identifying vulnerabilities as well as those dealing with such issues as access and authentication, etc.
Understand Red Book
understand embedded cryptography mechanisms
mechanisms - mechanisms
understand embedded privacy mechanisms
what don't you understand???
Determine/Validate Security Requirements
Builds off the CONOPS into a level of detail
Understand mission support
Know what the system is supposed to do in delivering product or service.
Familiarization with the Rainbow Series
Define user organ security requirements (cont)
Specify (minimum) personnel, physical, environmental and procedural security controls required to maintain integrity/reliability of the system.
understand operating systems
problems
understand mainframes
there are several different mainframes in different configurations. Certifier must know if properly installed with proper safeguards and proper connections
knowledge of protocols
????
understand various applications in use
understand applications to see if properly implemented, patches up to date, authorized users only, no holes, etc.
Understanding of Operational Environment
Physical environment, communications connectivity, users, security clearances, data classifications, policies, SOP's, etc. which define the environment
familiar with COMSEC
the use of communications security devices is possible and they must be controlled, and have SOPs, etc. and properly installed, doctrine, policy, destruction proceed
Propose accreditation period
The period for which a system will be accredited (3 years or less), provisional, etc.
familiar with system topologies
a system is made up of many connections, back doors, internal LANs, external connections, etc. the collection of everything that affects/is affected
Conduct Initial Risk Assessment
Based upon the risks associated with a threat assessment the certifier can recommend countermeasures to the threats.
Understand differences between different
classes of systems (main, mini, micro, LAN, WAN, etc.)
Ensures that test procedures meet requirements
Creator Declined Definition Request.
review all system documentation
documents should be reviewed for adequacy, completeness, and accuracy
familiar with INFOSEC architectures
the information system security architecture is made up of the security features and their implementation, as in the DOD Goal Security Architecture
Identify pertinent personnel policies
Personnel Security, clearances, need to know, threats, etc.;
Identify security mode of operation
i.e., dedicated, system high, compartmented, or multilevel security modes
Ensures security related testing is documented
Identify Security Features
Ability to understand technical documentation
Certifier must know adequate documentation when he sees it. First question is, "is there adequate documentation?"; Certifier must know the answer.
review mechanisms to update documents
documentation needs to be current and reflect the system
Analyzes Connectivity
What are the LAN/WAN connections?
Participates in testing
Creator Declined Definition Request.
Make Certification Recommendation
Simply state what the system is certified against, what is met/not met.
verify hardware/software operate
hardware and software need to operate as designed; test for loopholes
Reviews hardware design
Creator Declined Definition Request.
Identify all hardware assets
All items of significant hardware included in the certification plan. Inventories, etc.
Hardware/software accountability
Know who is accountable for hardware and software inventories
provides support to DAA
?????
Educator and briefer to superiors
Creator Declined Definition Request.
Determine acceptable risk
Identify what risks are beyond the ability of technology to protect against.
Conduct Residual Risk Assessment
Define for the DAA what residual risk remains after testing the system in the operational environment.
reviews software design
looks at design of operating system and application programs, particularly with respect to their security features; and the interaction of these
Ensures software is properly tested
Maintenance security issues
Identifying security issues relating to software/hardware maintenance, viz., security clearance/access, shipping and handling of classified hardware/software
Validate Security Procedures
Cert. determines the effectiveness of the non-design related security procedures.
familiar w/laws, policies, procedures
Evaluate non security safeguards
things such as environmental systems, UPS, fire protection
Establish certification review schedule
Provide a schedule of when the topology and configuration is reviewed and updated. This will help ensure the system certification is current/valid.
Ensures RFPs contain security req.
Creator Declined Definition Request.
verify login procedures
what don't you understand
verify audit capabilities
make sure there is an audit function and check its robustness
verify environment
look at design environment with respect to real world environment
Conduct Certification Test and Evaluation
If applicable, CT&E is conducted against the technical requirements of the system.
Understands details of the network environment.
The overall security of the IS depends on how secure the environment is. If the IS is on a network, the network itself is a potential security threat
Conduct Security Test and Evaluation
Conduct ST&E. The system in its operational environment tested to meet the operational
define responsibilities to ISSO
Establish working relationship, duties and
committed to ISSO
Identify CERT resources
Computer Emergency Response Team or comparable support resources.
understand security management structure
one of the problems with organizations is that they do not have a systems security management structure in place, and then the systems cannot be in good shape; need ISSO and
covert channel analysis
see Orange Book
familiar with CM tools
countermeasures for protecting against/detecting problems
Attend contractor testing
If applicable, witness the contractor's security testing of a developed system.
reviews architecture and configuration
?
Understands personnel security levels.
People are the biggest risk to a system's security. It is important that the certifier know what clearance requirements are needed.
Attend design reviews
If applicable, the certifier should attend design reviews of a developing system.
reviews previous certification reports
if this system is old, a prior report may be available; also reports from the development cycle
Disaster recovery/continuity plans
Plans for continuing operations in the wake of disaster (fire, flood, terrorists) to include facilities, personnel, conops, resources, logistics, etc.
develops countermeasures to reduce risk
????
determines residual risks
after all is said and done, what is the risk that remains after all countermeasures and security features are employed
does site visit
visit the site to verify that the environment conforms to the design goal, that the system is being used as designed, and that the users/operators are knowledgeable
Conduct a Detailed System Sec. Analysis
determines whether and to what degree the detailed security requirements have been satisfied by a design.
be able to run/evaluate SPI
SPI is a DOD CM tool to assist in detection of system problems
understand password implementation
the way the password system is implemented, to ensure there are no weaknesses: how often passwords are changed, whether old users are deleted, etc.
assesses configuration management
change must be managed to ensure that the system's architecture and topology are understood, that all users are authorized, and that procedures are followed
Identify EMP threats
Electromagnetic Pulse
DAA - Certifier responsibilities
Task: (Discuss) Time-Out discussion
Creation Date: Tuesday, June 20, 1995 09:05 AM
Print Date: June 23, 1995
Initial Question / Instructions
Please distinguish in your mind the difference between certification and accreditation (process, output, level of authority, etc.)
Folder List
Please distinguish difference
Please distinguish difference
Oversight relationship between the DAA and Certifier
************************
is this answering the question
************************
NO
The certifier prepares for an exam; the accreditor gives the exam.
************************
I don't understand this at all! What does it mean?
************************
The accreditor not only conducts the exam but gives the certifier a grade in the form of approval to operate or no approval. The certifier can not self-approve.
Certifier should have a tighter technical focus than DAA
Accreditation is the acceptance of responsibility for operation of a system. Certification is the acceptance of responsibility for ensuring a system meets security requirements.
************************
Excellent thought. The certifier reports the facts, the accreditor accepts responsibility.
************************
I assume you mean security aspects of the operation; the accreditor does not run the system from day to day; the accreditor's interest is primarily security
************************
The Certifier's interests don't necessarily reside with the operation of the system either!!
Please understand that certification is part of the Accreditation process. It is done on behalf of and at the request of the DAA by an independent team of certifier(testers) to allow the DAA to determine risk and make a decision.
************************
This is true as far as it goes.... There is more to it than meets the eye.
************************
Where does it say within the standards that a DAA cannot be a certifier?
************************
DAA is usually high rank individual who does not have time, except on a ship, but also, it is best to have an independent evaluation of system
************************
Who says this is best? What basis are they making this call on? And why cannot the DAA delegate this approval to the certifier?
certification: the technical and non-technical
assessment of operational information systems
to determine whether they are operating securely and according to security features, and are meeting policy, standards and requirements.
accreditation: the DAA takes the input from
the certifier and makes the determination as to
whether or not an information system can operate within acceptable risk.
The DAAs only action is to review the Certification Recommendation, the residual risk assessment, and make an accreditation statement based upon these inputs. The DAA accepts or rejects the risk of operating the system taking into account the remaining risk and the mission need to operate.
************************
the accreditor can put limitations or restrictions on the use of the system before assuming security responsibility for the operation
************************
So what you're saying is that the accreditor can indirectly control the certification process by rejecting the certification, thus dictating the certification process.
Certification is the process of examining a system to determine 1) how well it adheres to prescribed security requirements, policy, etc., 2) how sufficient the non-security safeguards are to ensure continued system operation, and 3) how well all safeguards (security and non-security) meet the vulnerabilities presented by the system's operational environment. In short, identify the residual risk and probability of loss or compromise for a system.
************************
the accreditor takes this data, and makes the decision to operate or not, and assumes responsibility for the decision
************************
Do these functions HAVE to be mutually exclusive??
The authority for delegation of responsibility for accreditation is defined as stemming from assigned Principle Accrediting Authorities (PAAs). Those individuals can delegate/designate Designated Approving Authorities (DAAs). There is no defined limit as to how far 'down the line' that delegation can occur. If the PAA chooses to allow delegation of that responsibility to the System Certifier, then that is his/her choice and privilege.
************************
The Designated Accreditation Authority is the highest level of authority, I don't know who a "Principle" would be or where he/she would get their authority.
************************
somewhere I saw a regulation/policy that clearly states the accreditor can not be the certifier. It would be a disaster to do so (conflict of interests). in many cases the accrediting authority does delegate the accreditation responsibility to a lower level, but not to the certifier.
************************
In the SCI world, there are PAAs. DCI, DIRNSA, head of DIA are examples of PAAs. These guys are the only ones who can grant accreditation of Multilevel Information Systems.
************************
there is something in DOD rules that says you can not delegate to the certifier. you can delegate to lower authority
************************
What regulation? Why would it be a conflict of interest? The certifier should just be doing an evaluation of somebody's system. This certifying team wouldn't be the owner/operator of the system would they???
************************
I agree with the initial statement!!
The certifier evaluates whether or not the system can protect the data it will process. The accreditor must decide whether or not any residual risk is acceptable and gives the approval to operate.
************************
Should we add, "through technology" to expand this thought?
************************
This is the germinal idea and the heart of the problem. However, in terms of differentiating the two, they evaluate the system from the same input.
************************
Actually, I view it more that the certifier gathers organizes the input; while the accreditor evaluates the input
************************
Doesn't the certifier go through the evaluation process? Does he not do it more thoroughly? After all, the certifier puts together a package predicated on his evaluation of the total environment of the system.
************************
it would be nice to do everything by technology, but sometimes, policies and procedures will have to be used. this is reality in a non ideal world. if the residual risk is too bad even with policies and procedures, the accreditor might have to bite the bullet and not accredit the system to operate
The Certifier is responsible for evaluating the technical and non-technical functions of a system where the accreditor is responsible to assume the residual risk not provided for by technology through development and delineation of policy.
************************
Yes
the certifier is the technical person who evaluates the system against the given security policy and files a report on the findings. the accreditor is the person who accepts the responsibility to allow the system to operate in a given environment with applicable restrictions. the accreditor is also the person who is responsible for developing the overall security policy for the organization. if something goes wrong, the accreditor's neck is on the line. The accreditor and certifier should not be the same individuals to avoid conflict of interest, and as a safety check of one against the other.
************************
I agree that there is potential for "conflict of interest." This results in no checks and balances if the DAA is the System Certifier.
************************
Good observation.
************************
I agree with these observations
************************
yes
Accreditation is the MANAGEMENT decision to allow operation of the Information System. It is, hopefully, based on input from the System Certifier and takes into consideration the residual risk associated with allowance of operation.
the accreditor is GOD. the DAA has final say
the DAA is usually not qualified to complete a certification. The certifier reports the facts pertaining to the system for the DAA to make a decision.
Accreditation is the process of determining if the operational necessity of the system outweighs the residual risks and probability of loss or compromise of a system. Also, it is the process of determining if additional safeguards warrant the added cost as weighed against the value of the data processed or the probability of loss/compromise. In short, accreditation is a cost/benefit analysis.
************************
in so doing the accreditor accepts responsibility
A certifier addresses the technical issues and capabilities of a system, using established criteria to determine if the system meets all relevant expectations. If the systems meets these expectations, then the certifier renders a decision in this regard.
An accreditor, using the Certifier's findings, then makes the decision that the system can go operational. In so doing, the accreditor accepts the RESPONSIBILITY for the functional and operational use of the system and states,
in effect, that it meets security requirements in the context in which the system is used.
The growing inter-connection of computers within an organization and to the "outside world" tends increasingly to blur the distinction between certification and accreditation.
HOWEVER, if one utilizes OMB Circular A-130 (Appendix III) as a guide, the complementary and distinct role of each is reasonably clear: One normally CERTIFIES the software, and ACCREDITS the facility. This recognizes the interrelatedness of the application software and the facility on which it resides in making a determination as to the adequacy of security and the extent of residual risk.
Note that even the most robust security architecture built into an application can be eroded by the inadequacy of the security of the facility on which it resides.
Thus, certification and accreditation are two sides of the same coin, so to speak.
************************
I'm totally in disagreement with the initial statement made here. Certification should and must consider much more than the software.
************************
these comments are way off base, as I understand them
************************
of course it is more than software!!!!!!!!!
all these answers are good, what are we driving at?
************************
An analogy I have often used relates to the auto mechanic who certifies that a vehicle functions according to the designer's specifications and provides for the safety of the passenger through technology. The accreditor is the law enforcement agency who establishes the rules under which that vehicle may operate and provides the operator with approval to use the hardware.
************************
more good stuff
************************
Why cannot an auto mechanic be a reserve state trooper or deputy sheriff?
ACCREDITATION:
Official management/command decision (by the DAA) to approve the operation of an AIS in a specific environment employing specific security controls/countermeasures/safeguards. The recommendation(s) of the Certifier are used by the DAA in making the decision.
CERTIFICATION: A key element in the total accreditation process. Testing and evaluation of controls/countermeasures/safeguards employed in the operation of the AIS. Results are reported to the DAA and include recommendation(s) which are considered by the DAA in making a decision to approve (accredit) the operation of the system.
DAA often has dozens if not hundreds of systems, no way can he certify
Certification comes in two areas. Prior to the certification effort the NSA evaluates commercial products for the EPL. These can be used in various service developments.
Certification can be broken down into a Developer's Certification, in which a program manager develops an application system specific to a mission need. This effort may or may not use an EPL product, goes through a certification process that evaluates the design of the application system on a hardware platform, and is assessed against a set of functional security requirements. The result is a "Developer's Certification" statement that indicates what the application system was designed to meet (security architecture and requirements).
The other certification area is the Operational Site Certification. This effort takes a developed application built upon a product (EPL or not) and places the application system into a specified environment. This Operational Site Certification takes the developer's certification, adds the site security operating procedures, and performs a Security Test and Evaluation against the system in its environment. The results of the ST&E are input into the residual risk assessment, which is then given to the DAA for Accreditation.
The certification of software documents that it does exactly what it is supposed to do and nothing more. It further specifies that the software has the built-in security features to meet the requirements of the data to be processed -- and based upon the platform upon which it is expected to reside.
The accreditation of the facility takes into consideration both the security built into the software and the facility. The operating environment -- as a whole -- is considered. If an application cannot be certified as meeting the security requirements specified by the system sponsor, the issue of accreditation is substantially a moot point. While a facility which is accredited to handle highly sensitive or classified data may be able to mitigate some weaknesses in the application software, it should not and cannot be expected to make software "certifiable" which is not so on its own.
A DAA provides a system with the AUTHORITY to operate, (though CERT may give IATO) based on facts received from the certification team
The question shouldn't be if a DAA can or should delegate the accreditation responsibilities, but what is the difference between the process of certification and accreditation
Task: (SC) DAA Vs CS
Creation Date: Tuesday, June 20, 1995 10:25 AM
Print Date: June 23, 1995
Initial Question / Instructions
The system certifier and the DAA have common training requirements (10 = agree, 1 = disagree)
Criteria List
common training requirements (10 = agree, 1 = disagree)
Folder List
DAA Vs CS
Voting Statistics - common training requirements (10 = agree, 1 = disagree)

Folders      AVG    STD    SUM   Voted   Abstain
DAA Vs CS    5.73   2.76   86    15      0
Vote Totals - common training requirements (10 = agree, 1 = disagree)

Rank / Weight
Folders      1   2   3   4   5   6   7   8   9   10
DAA Vs CS    1   1   3   0   2   1   2   3   0   2
Task: (Rank Order) Ranking of MAJOR duties for a System Certifier
Creation Date: Tuesday, June 20, 1995 10:36 AM
Print Date: June 23, 1995
Initial Question / Instructions
Rank from most important to least important suggested duty folders in terms of best fit.
Contains ideas that were not added to any other folder.
Policy, Guidance, rules, regulations,(issuances)
Education and Training
Risk
Access Controls
Certification Planning
DAA/ISSO Activities
Environmental Security
Evaluate/Analyze System
Hardware Interactivity
Life Cycle Management
Organization Specific Issues
Physical Security
Reporting
Review System Documentation
Software/Hardware Accountability
System Specific Issues
Systems Connectivity
Team Functions
Testing
Ideas Not Allocated
This list appears in Appendix 1
Policy, Guidance, rules, regulations,(issuances)
Education and Training
Risk
Task: (Rank Order) Ranking of SC Duties
Creation Date: Tuesday, June 20, 1995 12:22 PM
Print Date: June 23, 1995
Initial Question / Instructions
Rank from the best DUTY to the worst DUTY.
Criteria List
Rank Order Vote
Folder List
Access Controls
Certification Planning
DAA/ISSO Activities
Education And Training
Environmental Security
Evaluate/Analyze System
Hardware Interactivity
Ideas Not Allocated
Life Cycle Management
Organization Specific Issues
Physical Security
Policy, Guidance, Rules, Regulations,(Issuances)
Reporting
Review System Documentation
Risk
Software/Hardware Accountability
System Specific Issues
Systems Connectivity
Team Functions
Testing
Voting Statistics - Rank Order Vote

Folders                                      AVG     STD    SUM
Certification Planning                       1.8     1.04   288
Evaluate/Analyze System                      4.73    3.39   244
Policy, Guidance, Rules, Regulations         5.26    4.59   236
Testing                                      6.33    4.26   220
Review System Documentation                  6.4     3.36   219
Risk                                         7.73    3.76   199
Team Functions                               8.93    5.48   181
System Specific Issues                       9.73    2.86   169
Systems Connectivity                         10.26   4.29   161
Hardware Interactivity                       10.93   4.23   151
Organization Specific Issues                 11.86   3.49   137
DAA/ISSO Activities                          12      6.31   135
Software/Hardware Accountability             12.13   3.11   133
Reporting                                    12.4    5.25   129
Access Controls                              12.59   4.23   126
Education And Training                       13.66   4.54   110
Life Cycle Management                        14.33   5.19   100
Environmental Security                       14.33   3.19   100
Physical Security                            15.19   3.14   87
Ideas Not Allocated                          19.33   1.39   25
Vote Totals - Rank Order Vote

Rank / Weight
Folders                               1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16  17  18  19  20
Certification Planning                9   1   4   1   0   0   0   0   0   0   0   0   0   0   0   0   0   0   0   0
Evaluate/Analyze System               1   4   1   3   3   0   0   1   0   1   0   0   0   1   0   0   0   0   0   0
Policy, Guidance, Rules, Regulations  3   1   4   2   0   0   1   2   0   0   0   0   0   0   1   1   0   0   0   0
Testing                               0   1   4   3   0   2   1   0   1   1   0   0   0   1   0   0   1   0   0   0
Review System Documentation           0   1   1   2   3   3   2   1   0   0   0   0   1   0   1   0   0   0   0   0
Risk                                  0   0   1   1   2   4   1   3   0   0   0   0   1   0   1   1   0   0   0   0
Team Functions                        1   2   0   1   1   0   0   2   1   2   2   0   0   0   1   0   0   0   2   0
System Specific Issues                0   1   0   0   0   0   2   1   2   3   1   2   3   0   0   0   0   0   0   0
Systems Connectivity                  0   0   0   1   0   2   3   0   1   2   1   1   0   2   0   0   0   1   1   0
Hardware Interactivity                0   0   0   0   3   0   1   1   1   1   2   0   1   0   1   3   1   0   0   0
Organization Specific Issues          0   0   0   1   0   0   1   0   1   1   3   1   2   3   0   1   0   0   1   0
DAA/ISSO Activities                   1   2   0   0   1   0   0   0   0   1   1   0   1   0   3   0   1   2   2   0
Software/Hardware Accountability      0   0   0   0   0   1   0   0   2   2   1   3   1   2   1   1   0   0   1   0
Reporting                             0   0   0   0   2   1   1   0   2   1   0   1   0   1   0   0   1   3   2   0
Access Controls                       0   0   0   0   0   1   1   2   0   0   3   1   1   1   1   1   0   1   1   1
Education And Training                0   1   0   0   0   1   0   0   1   0   0   2   0   1   1   2   5   1   0   0
Life Cycle Management                 0   1   0   0   0   0   0   1   2   0   0   1   0   2   1   0   1   1   3   2
Environmental Security                0   0   0   0   0   0   1   0   1   0   0   1   3   1   2   1   3   1   1   0
Physical Security                     0   0   0   0   0   0   0   1   0   0   1   2   1   0   1   2   2   4   1   0
Ideas Not Allocated                   0   0   0   0   0   0   0   0   0   0   0   0   0   0   0   2   0   1   0  12
Task: (Brain Storm) SC duties with definitions (& unallocated)
Creation Date: Wednesday, June 21, 1995 07:03 AM
Print Date: June 23, 1995
Initial Question / Instructions
This is a data set containing the 14 working duties of a System Certifier and a category with uncategorized material from the minor duties that drove the 14 major categories.
Evaluate/analyze System
The investigative procedures used in the analysis of system security features to determine technical compliance (may include desc.)
Policy, Guidance, rules, regulations,(issuances)
Aware of all applicable policy, guidance, laws, directives and regulations which determine security requirements for the system.
Testing
Literal testing done on the Information System.
Review System Documentation
Review system documentation for completeness and accuracy
Team Functions
Defining team, etc.
System Specific issues
1) platform-unique (hardware/software) issues that are associated with certification; 2) site-unique/spec. circumstances
Systems Connectivity
Evaluate impact/define controls when 1) connecting to external systems/nets, 2) allowing access by external systems/nets, 3) preventing unauthorized access
Hardware interactivity
Understanding the general underlying physical, electrical, and technological issues involved in system configuration
Organization Specific Issues
Issues relating to the (organizational) mission that directly affect systems security, e.g. an SCI compartmented facility.
DAA/ISSO Activities
Those activities which are actually performed by either the DAA or the ISSO
Software/Hardware accountability
Inventory of hardware and software (op. system, & apps) in the system. Inventory should be part of configuration management process
Reporting
Providing the certification team's evaluation/analysis results to the DAA
Ideas Not Allocated
Contains ideas that were not added to any other folder.
Certification Planning
Evaluate/analyze System
Policy, Guidance, rules, regulations,(issuances)
Testing
Review System Documentation
Team Functions
System Specific issues
Systems Connectivity
Hardware interactivity
Organization Specific Issues
DAA/ISSO Activities
Software/Hardware accountability
Reporting
Ideas Not Allocated
This list appears in Appendix 1
Task: (Brain Storm) Move old KSA to System Certifier (OSCK)
Creation Date: Wednesday, June 21, 1995 07:11 AM
Print Date: June 23, 1995
Initial Question / Instructions
Move the KSAs that relate to System Certifier to the folder.
Folder List
Ideas Not Allocated
Contains ideas that were not added to any other folder.
KSAs related to System Certifier
Ideas Not Allocated
1. Account Administration
2. Accountability For Sensitive Data
3. Acquisitions
4. Aggregation
5. Aggregation Problem
6. Attenuation
7. Background Investigations
8. Basic/Generic Management Issues
9. Biometrics
10. Burst Transmission
11. Business Aspects Of Information Security
12. Careless Employees
13. Clearance Verification
14. Computer Matching
15. Computer Matching Responsibilities
16. Computers At Risk
17. COMSEC Custodian
18. COMSEC Material Destruction Procedures
19. COMSEC Material Identification And Inventory
20. COMSEC Testing
21. Consequences
22. Contracting For Security Services
23. Contracts. Agreements. And Other Obligations
24. Cost/Benefit Analysis
25. Cover And Deception
26. Criminal Prosecution
27. Cryptovariable
28. Customer Service Orientation
29. Detective Controls
30. Disgruntled Employees
31. Due Care
32. Education. Training And Awareness
33. Electronic Funds Transfer
34. Electronic Records Management
35. Electronic Sources Of Security Information
36. Evidence Acceptability
37. Evidence Collection And Preservation
38. Export Controls
39. Facilities Planning
40. Fraud
41. History Of Information Security
42. Hostile Intelligence Sources
43. Human Intelligence
44. Industrial Espionage
45. Industrial Security
46. Inference
47. Inference Engine
48. Information Categorization
49. Information Resources Management
50. Insurance
51. Intellectual Property Rights
52. International Espionage
53. International Security Considerations
54. Investigative Authorities
55. Information System Program Budgeting
56. Isolation And Mediation
57. Jamming
58. Lattice Model
59. Law Enforcement Interfaces
60. Lessons Learned
61. Line Of Sight
62. Low Power
63. Management Of The Security Function
64. Media Convergence
65. Message Authentication Codes
66. Metrics
67. Non-Inference Model
68. Organizational Culture
69. Organizational Placement Of The Information System/IT Se
70. Oversight
71. Position Sensitivity
72. Practices
73. Private Branch Exchange Security
74. Professional Interfaces
75. Quality Assurance
76. Reconciliation
77. Requirements Traceability
78. Safety
79. Satellite Communications Security
80. Security Education
81. Security Inspections
82. Security Reviews
83. Security Staffing Requirements
84. Security Violations Reporting Process
85. Site
86. Social Engineering
87. Software Architecture Study
88. Software Engineering
89. Software Licensing
90. Software Piracy
91. Space Systems Security
92. Spread Spectrum Analysis
93. Standards Of Conduct
94. Technical Surveillance Countermeasures
95. Third-Party Evaluation
96. Traffic Analysis
97. Value-Added Networks
98. Voice Communications Security
99. Warranties
100. Witness Interviewing/Interrogation
KSAs related to System Certifier
1. Access Authorization
2. Access Control Models
3. Access Control Policies
4. Access Control Software
5. Access Controls
6. Access Privileges
7. Administrative Security Policies And Procedures
8. Agency-Specific Policies And Procedures
9. Alarms. Signals And Reports
10. Analog Technology
11. Application Development Control
12. Applications Security
13. Approval To Operate
14. Assessments (e.g.. Surveys. Inspections)
15. Asynchronous And Synchronous communications
16. Audit Collection Requirements
17. Audit Mechanism
18. Audit Trails And Logging
19. Audit Trails And Logging Policies
20. Auditable Events
21. Auditing Tools
22. Automated Security Tools
23. Availability
24. Backups
25. Binding/Handshaking
26. Cabling
27. Call-Back Security
28. Caller ID
29. Change Control Policies
30. Change Controls
31. Circuit-Switched Networks
32. Classified Materials Handling And Shipping
33. Client/Server Security
34. Common Carrier Security
35. Communications Center Security
36. Communications Security Policy And Guidance
37. Communications Systems Abuse
38. Compartmented/partitioned Mode
39. Computer Emergency Response Team
40. Computer Science And Architecture
41. COMSEC Accounting
42. Conformance Testing
43. Connectivity
44. Contingency Plan Testing
45. Contingency Planning
46. Continuity Planning
47. Contractor Security Safeguards
48. Coordination With Related Disciplines
49. Copyright Protection And Licensing
50. Corrective Actions
51. Countermeasures
52. Covert Channels
53. Critical Systems
54. Cryptographic Techniques
55. Customer IT Security Needs
56. Data Access Control
57. Data Processing Center Security
58. Database Integrity
59. Declassification/Downgrade Of Media
60. Dedicated Line
61. Dedicated Mode
62. Delegation Of Authority
63. Deletion Of Accounts
64. Development (Life Cycle)
65. Dial Number Indicator
66. Dial-Up Security
67. Digital/Analog Technology
68. Disaster Recovery
69. Disaster Recovery Plan Testing
70. Disaster Recovery Planning
71. Disclosure Of Sensitive Data
72. Discretionary Access Control
73. Diskless Workstations
74. Disposition Of Classified Information
75. Disposition Of Media And Data
76. Distributed Systems Security
77. Document Labeling
78. Documentation
79. Documentation Policies
80. Drop-Off/Add-On Protection
81. Electromagnetic Countermeasures
82. Electromagnetic Interference
83. Electronic Data Interchange
84. Electronic Key Management System
85. Electronic Monitoring
86. Electronic-Mail Privacy
87. Electronic-Mail Security
88. Emanations Security
89. Emergency Destruction
90. Emergency Destruction Procedures
91. Encryption Codes
92. End User Computing Security
93. Environmental Controls
94. Environmental/Natural Threats
95. Error Logs
96. Ethics
97. Evaluated Products
98. Evaluation Techniques (Evaluation)
99. Expert Security/Audit Tools
100. Expert Systems
101. Facility Management
102. Fault Tolerance
103. Fax Security
104. Filtered Power
105. Fire Prevention And Protection
106. Firmware Security
107. Formal Methods For Security Design
108. Fraud. Waste And Abuse
109. Generally Accepted Systems Security Principles
110. Generic Accreditation
111. Guidelines
112. Hackers (and Unauthorized Users)
113. Hardware Asset Management
114. Housekeeping Procedures
115. Human Threats
116. Incident Response
117. Information Availability
118. Information Classification
119. Information Confidentiality
120. Information Criticality
121. Information Integrity
122. Information Ownership
123. Information Resource Owner/Custodian
124. Information Security Policy
125. Information Sensitivity
126. Information States
127. Information Systems Security Officer
128. Information Valuation
129. Internal Controls And Security
130. Internet Security
131. Intrusion Detection
132. Intrusion Deterrents
133. Investigation Of Security Breaches
134. Information System Security Program Planning
135. IT Asset Valuation
136. Kernel
137. Key Certificate Administration
138. Keystroke Monitoring
139. Labeling
140. Laws. Regulations. And Other Public Policy
141. Leased-Line Networks
142. Legal And Liability Issues
143. Life Cycle System Security Planning
144. Line Authentication
145. List-Based Access Controls
146. Local Area Network Security
147. Logs And Journals
148. Maintenance Of Configuration Documentation
149. Maintenance Procedures. Contract Employee
150. Maintenance Procedures. Local Employee
151. Malicious Code
152. Mandatory Access Controls
153. Marking Of Media
154. Marking Of Sensitive Information
155. Memory (Non-Volatile)
156. Memory (Random)
157. Memory (Sequential)
158. Memory (Volatile)
159. Microwave/Wireless Communications Security
160. Mobile Workstation Security
161. Modems
162. Modes Of Operation
163. Monitoring
164. Monitoring (e.g.. Data. Line)
165. Multilevel Processing
166. National Information Infrastructure
167. Need-To-Know Controls
168. Network Communications Protocols
169. Network Firewalls
170. Network Monitoring
171. Network Security Software
172. Network Switching
173. Network Topology
174. Object Labeling
175. Off-Site Security (Information, Processing)
176. One-Time Passwords
177. Open Systems Interconnect Model
178. Open Systems Security
179. Operating System Integrity
180. Operating System Security Features
181. Operating Systems
182. Operational Procedures Review
183. Optical/Imaging Systems Security
184. Packet Filtering
185. Packet Switched Networks
186. Password Management
187. Peer-To-Peer Security
188. Personnel Security Policies And Guidance
189. Platform-Specific Security
190. Policy Development
191. Policy Enforcement
192. Power Controls (e.g., UPS, Emergency Power)
193. Preventative Controls
194. Principles Of Control
195. Privacy
196. Private Key Cryptology
197. Private Networks
198. Privileges (Classified Nodes)
199. Protected Distributed System
200. Protected Services
201. Protection From Malicious Code
202. Protective Technology
203. Public Key Encryption
204. Rainbow Series
205. Redundancy
206. Reference Monitors
207. Reliability Testing
208. Remanence
209. Remote Terminal Protection Devices
210. Risk Acceptance Process
211. Role-Based Access Controls
212. Roles And Responsibilities
213. Rule Of Least Privilege
214. Rules-Based Access Controls
215. Secure System Operations
216. Security Architecture
217. Security Awareness
218. Security Domains
219. Security Functional Testing
220. Security Product Integration
221. Security Product Testing/Evaluation
222. Security Products
223. Security Training
224. Sensitive System
225. Separation Of Duties
226. Shielded Enclosures
227. Single Sign-On
228. Smartcards/Token Authentication
229. Software Asset Management
230. Stand-Alone Systems And Remote Terminals
231. Standards
232. Storage Area Controls
233. Storage Media Protection And Control
234. Synchronous Communication
235. System Security Architecture Study
236. System Security Engineering
237. System Software Controls
238. System Testing And Evaluation Process
239. System-High Mode
240. TCSEC/ITSEC/Common Criteria
241. Technical Security Guidance
242. Technological Threats
243. Technology Trends
244. Transportation Of Media
245. Trust
246. Trusted Computer System Evaluation Criteria
247. Trusted Network Interpretation (Red Book)
248. Unauthorized Disclosure Of Information
249. Validation (Testing)
250. Verification And Validation Process
251. Voice Mail Security
252. Wide Area Network Security
253. Wide Area Networks
254. Workstations Security
255. Zone Of Control/Zoning
256. Grounding
257. Implementation (Life Cycle)
Task: (Brain Storm) NEW KSAs
Creation Date: Wednesday, June 21, 1995 09:54 AM
Print Date: June 23, 1995
Initial Question / Instructions
Enter KSAs that are NOT in the KSA list in the glossary AND related to the System Certifier. YOU MUST PROVIDE A DEFINITION FOR _ALL_ KSAs PROVIDED!
Folder List
Ideas Not Allocated
Contains ideas that were not added to any other folder.
Ideas Not Allocated
Team Building
Be able to identify the skills and expertise team members must have in order to conduct a comprehensive evaluation
Firewall
a device connected to the network that can adjudicate traffic between your net and the outside in accordance with some preset policy
Technical Vulnerability
A hardware, firmware, communications, or software weakness which leaves an AIS open for potential exploitation or damage. AR 380-19
Multilevel security
concept of processing information with different classifications that simultaneously access (see 4009)
See Modes of Operation/Security Modes of Operation
Authenticate
To verify the identity of a user, device, or other entity in a computer system, or to verify the integrity of data that have been stored. AR 380-19
System Security Profile
snapshot in time of the security features of a system and what protection they provide in a given configuration.
Certification
see NSTISSI No. 4009
comprehensive evaluation of the technical and non-technical security features of an AIS and other safeguards, to meet security and accreditation requirements.
Interim Approval to Operate
Authority delegated to Certifier, authorized by DAA - allows system to operate pending final approval by DAA (provided the Certification Authority intends to recommend approval to operate)
Not necessarily to the certifier. Some organizations have Accreditation Officers with this "power."
NSTISSI No. 4009 - Temporary authority granted by a designated approving authority for an AIS to process classified information and information governed by 10 USC, Sec. 2315, etc.
Degauss
To reduce magnetic flux density to zero by applying a reverse magnetizing field. AR 380-19
Memo of Understanding or Agreement
as required by 5200.28 between owners of data sharing the same system, or when connecting to other systems
A question was not entered during the setup of this session.
Folder List
KSAs related to System Certifier
KSAs related to System Certifier
1. Access Authorization
2. Access Control Models
3. Access Control Policies
4. Access Control Software
5. Access Controls
6. Access Privileges
7. Administrative Security Policies And Pro
8. Agency-Specific Policies And Procedures
9. Alarms, Signals And Reports
10. Analog Technology
11. Application Development Control
12. Applications Security
13. Approval To Operate
14. Assessments (e.g., Surveys, Inspections)
15. Asynchronous And Synchronous Communications
16. Audit Collection Requirements
17. Audit Mechanism
18. Audit Trails And Logging
19. Audit Trails And Logging Policies
20. Auditable Events
21. Auditing Tools
22. Automated Security Tools
23. Availability
24. Backups
25. Binding/Handshaking
26. Cabling
27. Call-Back Security
28. Caller ID
29. Change Control Policies
30. Change Controls
31. Circuit-Switched Networks
32. Classified Materials Handling And Shipping
33. Client/Server Security
34. Common Carrier Security
35. Communications Center Security
36. Communications Security Policy And Guidance
37. Communications Systems Abuse
38. Compartmented/partitioned Mode
39. Computer Emergency Response Team
40. Computer Science And Architecture
41. COMSEC Accounting
42. Conformance Testing
43. Connectivity
44. Contingency Plan Testing
45. Contingency Planning
46. Continuity Planning
47. Contractor Security Safeguards
48. Coordination With Related Disciplines
49. Copyright Protection And Licensing
50. Corrective Actions
51. Countermeasures
52. Covert Channels
53. Critical Systems
54. Cryptographic Techniques
55. Customer IT Security Needs
56. Data Access Control
57. Data Processing Center Security
58. Database Integrity
59. Declassification/Downgrade Of Media
60. Dedicated Line
61. Dedicated Mode
62. Delegation Of Authority
63. Deletion Of Accounts
64. Development (Life Cycle)
65. Dial Number Indicator
66. Dial-Up Security
67. Digital/Analog Technology
68. Disaster Recovery
69. Disaster Recovery Plan Testing
70. Disaster Recovery Planning
71. Disclosure Of Sensitive Data
72. Discretionary Access Control
73. Diskless Workstations
74. Disposition Of Classified Information
75. Disposition Of Media And Data
76. Distributed Systems Security
77. Document Labeling
78. Documentation
79. Documentation Policies
80. Drop-Off/Add-On Protection
81. Electromagnetic Countermeasures
82. Electromagnetic Interference
83. Electronic Data Interchange
84. Electronic Key Management System
85. Electronic Monitoring
86. Electronic-Mail Privacy
87. Electronic-Mail Security
88. Emanations Security
89. Emergency Destruction
90. Emergency Destruction Procedures
91. Encryption Codes
92. End User Computing Security
93. Environmental Controls
94. Environmental/Natural Threats
95. Error Logs
96. Ethics
97. Evaluated Products
98. Evaluation Techniques (Evaluation)
99. Expert Security/Audit Tools
100. Expert Systems
101. Facility Management
102. Fault Tolerance
103. Fax Security
104. Filtered Power
105. Fire Prevention And Protection
106. Firmware Security
107. Formal Methods For Security Design
108. Fraud, Waste And Abuse
109. Generally Accepted Systems Security Principles
110. Generic Accreditation
111. Grounding
112. Guidelines
113. Hackers (and Unauthorized Users)
114. Hardware Asset Management
115. Housekeeping Procedures
116. Human Threats
117. Implementation (Life Cycle)
118. Incident Response
119. Information Availability
120. Information Classification
121. Information Confidentiality
122. Information Criticality
123. Information Integrity
124. Information Ownership
125. Information Resource Owner/Custodian
126. Information Security Policy
127. Information Sensitivity
128. Information States
129. Information Systems Security Officer
130. Information Valuation
131. Internal Controls And Security
132. Internet Security
133. Intrusion Detection
134. Intrusion Deterrents
135. Investigation Of Security Breaches
136. Information System Security Program Planning
137. IT Asset Valuation
138. Kernel
139. Key Certificate Administration
140. Keystroke Monitoring
141. Labeling
142. Laws, Regulations, And Other Public Policy
143. Leased-Line Networks
144. Legal And Liability Issues
145. Life Cycle System Security Planning
146. Line Authentication
147. List-Based Access Controls
148. Local Area Network Security
149. Logs And Journals
150. Maintenance Of Configuration Documentation
151. Maintenance Procedures, Contract Employee
152. Maintenance Procedures, Local Employee
153. Malicious Code
154. Mandatory Access Controls
155. Marking Of Media
156. Marking Of Sensitive Information
157. Memory (Non-Volatile)
158. Memory (Random)
159. Memory (Sequential)
160. Memory (Volatile)
161. Microwave/Wireless Communications Security
162. Mobile Workstation Security
163. Modems
164. Modes Of Operation
165. Monitoring
166. Monitoring (e.g., Data, Line)
167. Multilevel Processing
168. National Information Infrastructure
169. Need-To-Know Controls
170. Network Communications Protocols
171. Network Firewalls
172. Network Monitoring
173. Network Security Software
174. Network Switching
175. Network Topology
176. Object Labeling
177. Off-Site Security (Information, Processing)
178. One-Time Passwords
179. Open Systems Interconnect Model
180. Open Systems Security
181. Operating System Integrity
182. Operating System Security Features
183. Operating Systems
184. Operational Procedures Review
185. Optical/Imaging Systems Security
186. Packet Filtering
187. Packet Switched Networks
188. Password Management
189. Peer-To-Peer Security
190. Personnel Security Policies And Guidance
191. Platform-Specific Security
192. Policy Development
193. Policy Enforcement
194. Power Controls (e.g., UPS, Emergency Power)
195. Preventative Controls
196. Principles Of Control
197. Privacy
198. Private Key Cryptology
199. Private Networks
200. Privileges (Classified Nodes)
201. Protected Distributed System
202. Protected Services
203. Protection From Malicious Code
204. Protective Technology
205. Public Key Encryption
206. Rainbow Series
207. Redundancy
208. Reference Monitors
209. Reliability Testing
210. Remanence
211. Remote Terminal Protection Devices
212. Risk Acceptance Process
213. Role-Based Access Controls
214. Roles And Responsibilities
215. Rule Of Least Privilege
216. Rules-Based Access Controls
217. Secure System Operations
218. Security Architecture
219. Security Awareness
220. Security Domains
221. Security Functional Testing
222. Security Product Integration
223. Security Product Testing/Evaluation
224. Security Products
225. Security Training
226. Sensitive System
227. Separation Of Duties
228. Shielded Enclosures
229. Single Sign-On
230. Smartcards/Token Authentication
231. Software Asset Management
232. Stand-Alone Systems And Remote Terminals
233. Standards
234. Storage Area Controls
235. Storage Media Protection And Control
236. Synchronous Communication
237. System Security Architecture Study
238. System Security Engineering
239. System Software Controls
240. System Testing And Evaluation Process
241. System-High Mode
242. TCSEC/ITSEC/Common Criteria
243. Technical Security Guidance
244. Technological Threats
245. Technology Trends
246. Transportation Of Media
247. Trust
248. Trusted Computer System Evaluation Criteria
249. Trusted Network Interpretation (Red Book)
250. Unauthorized Disclosure Of Information
251. Validation (Testing)
252. Verification And Validation Process
253. Voice Mail Security
254. Wide Area Network Security
255. Wide Area Networks
256. Workstations Security
257. Zone Of Control/Zoning
Team Building
Be able to identify the skills and expertise team members must have in order to conduct a comprehensive evaluation
Firewall
a device connected to the network that can adjudicate traffic between your net and the outside in accordance with some preset policy
Technical Vulnerability
A hardware, firmware, communications, or software weakness which leaves an AIS open for potential exploitation or damage. AR 380-19
Multilevel security
concept of processing information with different classifications that simultaneously access (see 4009)
See Modes of Operation/Security Modes of Operation
Authenticate
To verify the identity of a user, device, or other entity in a computer system, or to verify the integrity of data that have been stored. AR 380-19
System Security Profile
snapshot in time of the security features of a system and what protection they provide in a given configuration.
Certification
see NSTISSI No. 4009
comprehensive evaluation of the technical and non-technical security features of an AIS and other safeguards, to meet security and accreditation requirements.
Interim Approval(Authority) to Operate
Authority delegated to Certification Authority by DAA - allows system to operate pending final approval by DAA (provided the Certification Authority intends to recommend approval to operate)
Not necessarily to the certifier. Some organizations have Accreditation Officers with this "power."
NSTISSI No. 4009 - Temporary authority granted by a designated approving authority for an AIS to process classified information and information governed by 10 USC, Sec. 2315, etc.
Degauss
To reduce magnetic flux density to zero by applying a reverse magnetizing field. AR 380-19
Memo of Understanding or Agreement
as required by 5200.28 between owners of data sharing the same system, or when connecting to other systems
Task: (Brain Storm) CKML to DSC(move to duty cats)
Creation Date: Wednesday, June 21, 1995 01:15 PM
Print Date: June 23, 1995
Initial Question / Instructions
Move the 267 KSAs into the Major Duties of the System Certifier.
Contains ideas that were not added to any other folder.
Certification Planning
DAA/ISSO Activities
Evaluate/analyze System
Hardware interactivity
Ideas Not Allocated
Organization Specific Issues
Reporting
Review System Documentation
Software/Hardware accountability
System Specific issues
Systems Connectivity
Team Functions
Testing
Access Authorization
Access Control Models
Access Control Policies
Access Control Software
Access Controls
Access Privileges
Administrative Security Policies And Pro
Agency-Specific Policies And Procedures
Alarms, Signals And Reports
Analog Technology
Application Development Control
Applications Security
Approval To Operate
Assessments (e.g., Surveys, Inspections)
Asynchronous And Synchronous Communications
Audit Collection Requirements
Audit Mechanism
Audit Trails And Logging
Audit Trails And Logging Policies
Auditable Events
Auditing Tools
Automated Security Tools
Availability
Backups
Binding/Handshaking
Cabling
Call-Back Security
Caller ID
Change Control Policies
Change Controls
Circuit-Switched Networks
Classified Materials Handling And Shipping
Client/Server Security
Common Carrier Security
Communications Center Security
Communications Security Policy And Guidance
Communications Systems Abuse
Compartmented/partitioned Mode
Computer Emergency Response Team
Computer Science And Architecture
COMSEC Accounting
Conformance Testing
Connectivity
Contingency Plan Testing
Contingency Planning
Continuity Planning
Contractor Security Safeguards
Coordination With Related Disciplines
Copyright Protection And Licensing
Corrective Actions
Countermeasures
Covert Channels
Critical Systems
Cryptographic Techniques
Customer IT Security Needs
Data Access Control
Data Processing Center Security
Database Integrity
Declassification/Downgrade Of Media
Dedicated Line
Dedicated Mode
Delegation Of Authority
Deletion Of Accounts
Development (Life Cycle)
Dial Number Indicator
Dial-Up Security
Digital/Analog Technology
Disaster Recovery
Disaster Recovery Plan Testing
Disaster Recovery Planning
Disclosure Of Sensitive Data
Discretionary Access Control
Diskless Workstations
Disposition Of Classified Information
Disposition Of Media And Data
Distributed Systems Security
Document Labeling
Documentation
Documentation Policies
Drop-Off/Add-On Protection
Electromagnetic Countermeasures
Electromagnetic Interference
Electronic Data Interchange
Electronic Key Management System
Electronic Monitoring
Electronic-Mail Privacy
Electronic-Mail Security
Emanations Security
Emergency Destruction
Emergency Destruction Procedures
Encryption Codes
End User Computing Security
Environmental Controls
Environmental/Natural Threats
Error Logs
Ethics
Evaluated Products
Evaluation Techniques (Evaluation)
Expert Security/Audit Tools
Expert Systems
Facility Management
Fault Tolerance
Fax Security
Filtered Power
Fire Prevention And Protection
Firmware Security
Formal Methods For Security Design
Fraud, Waste And Abuse
Generally Accepted Systems Security Principles
Generic Accreditation
Grounding
Guidelines
Hackers (and Unauthorized Users)
Hardware Asset Management
Housekeeping Procedures
Human Threats
Implementation (Life Cycle)
Incident Response
Information Availability
Information Classification
Information Confidentiality
Information Criticality
Information Integrity
Information Ownership
Information Resource Owner/Custodian
Information Security Policy
Information Sensitivity
Information States
Information Systems Security Officer
Information Valuation
Internal Controls And Security
Internet Security
Intrusion Detection
Intrusion Deterrents
Investigation Of Security Breaches
Information System Security Program Planning
IT Asset Valuation
Kernel
Key Certificate Administration
Keystroke Monitoring
Labeling
Laws, Regulations, And Other Public Policy
Leased-Line Networks
Legal And Liability Issues
Life Cycle System Security Planning
Line Authentication
List-Based Access Controls
Local Area Network Security
Logs And Journals
Maintenance Of Configuration Documentation
Maintenance Procedures, Contract Employee
Maintenance Procedures, Local Employee
Malicious Code
Mandatory Access Controls
Marking Of Media
Marking Of Sensitive Information
Memory (Non-Volatile)
Memory (Random)
Memory (Sequential)
Memory (Volatile)
Microwave/Wireless Communications Security
Mobile Workstation Security
Modems
Modes Of Operation
Monitoring
Monitoring (e.g., Data, Line)
Multilevel Processing
National Information Infrastructure
Need-To-Know Controls
Network Communications Protocols
Network Firewalls
Network Monitoring
Network Security Software
Network Switching
Network Topology
Object Labeling
Off-Site Security (Information, Processing)
One-Time Passwords
Open Systems Interconnect Model
Open Systems Security
Operating System Integrity
Operating System Security Features
Operating Systems
Operational Procedures Review
Optical/Imaging Systems Security
Packet Filtering
Packet Switched Networks
Password Management
Peer-To-Peer Security
Personnel Security Policies And Guidance
Platform-Specific Security
Policy Development
Policy Enforcement
Power Controls (e.g., UPS, Emergency Power)
Preventative Controls
Principles Of Control
Privacy
Private Key Cryptology
Private Networks
Privileges (Classified Nodes)
Protected Distributed System
Protected Services
Protection From Malicious Code
Protective Technology
Public Key Encryption
Rainbow Series
Redundancy
Reference Monitors
Reliability Testing
Remanence
Remote Terminal Protection Devices
Risk Management
Role-Based Access Controls
Roles And Responsibilities
Rule Of Least Privilege
Rules-Based Access Controls
Secure System Operations
Security Architecture
Security Awareness
Security Domains
Security Functional Testing
Security Product Integration
Security Product Testing/Evaluation
Security Products
Security Training
Sensitive System
Separation Of Duties
Shielded Enclosures
Single Sign-On
Smartcards/Token Authentication
Software Asset Management
Stand-Alone Systems And Remote Terminals
Standards
Storage Area Controls
Storage Media Protection And Control
Synchronous Communication
System Security Architecture Study
System Security Engineering
System Software Controls
System Testing And Evaluation Process
System-High Mode
TCSEC/ITSEC/Common Criteria
Technical Security Guidance
Technological Threats
Technology Trends
Transportation Of Media
Trust
Trusted Computer System Evaluation Criteria
Trusted Network Interpretation (Red Book)
Unauthorized Disclosure Of Information
Validation (Testing)
Verification And Validation Process
Voice Mail Security
Wide Area Network Security
Wide Area Networks
Workstations Security
Zone Of Control/Zoning
Team Building
Be able to identify the skills and expertise team members must have in order to conduct a comprehensive evaluation
Firewall
a device connected to the network that can adjudicate traffic between your net and the outside in accordance with some preset policy
Technical Vulnerability
A hardware, firmware, communications, or software weakness which leaves an AIS open for potential exploitation or damage. AR 380-19
Multilevel security
concept of processing information with different classifications that simultaneously access (see 4009)
See Modes of Operation/Security Modes of Operation
Authenticate
To verify the identity of a user, device, or other entity in a computer system, or to verify the integrity of data that have been stored. AR 380-19
System Security Profile
snapshot in time of the security features of a system and what protection they provide in a given configuration.
Certification
see NSTISSI No. 4009
comprehensive evaluation of the technical and non-technical security features of an AIS and other safeguards, to meet security and accreditation requirements.
Interim Approval(Authority) to Operate
Authority delegated to Certification Authority by DAA - allows system to operate pending final approval by DAA (provided the Certification Authority intends to recommend approval to operate)
Not necessarily to the certifier. Some organizations have Accreditation Officers with this "power."
NSTISSI No. 4009 - Temporary authority granted by a designated approving authority for an AIS to process classified information and information governed by 10 USC, Sec. 2315, etc.
Degauss
To reduce magnetic flux density to zero by applying a reverse magnetizing field. AR 380-19
Memo of Understanding or Agreement
as required by 5200.28 between owners of data sharing the same system, or when connecting to other systems
Policy, Guidance, rules, regulations (issuances)
Task: (Brain Storm) Move KSAs into short list SCD
Creation Date: Wednesday, June 21, 1995 02:41 PM
Print Date: June 23, 1995
Initial Question / Instructions
Move the 267 KSAs into the Short List of Major Duties of the System Certifier.
Folder List
1. Report
Summarize the results of the test and evaluation and recommend to the DAA and/or offer interim approval to operate.
2. Evaluation
analysis of the results of the testing to determine the security posture of the system
3. Testing
examination of safeguards required to protect a system as they have been applied to an operational environment
4. Certification planning
Determine the dates, define the tasks and criteria, the documentation to be examined, coordinate w/ authorities etc.
5. Build/Direct a team
Identify the people with the skills and knowledge necessary to perform testing and evaluation of a system.
6. Ideas Not Allocated
Contains ideas that were not added to any other folder.
7. Unknown God
Report
Approval To Operate
Corrective Actions
Documentation
Maintenance Of Configuration Documentation
Evaluation
Access Privileges
Audit Trails And Logging
Classified Materials Handling And Shipping
Client/Server Security
Common Carrier Security
Communications Center Security
Countermeasures
Disaster Recovery
Documentation Policies
Emergency Destruction
Environmental Controls
Evaluation Techniques (Evaluation)
Facility Management
Human Threats
Incident Response
Intrusion Deterrents
Logs And Journals
Maintenance Of Configuration Documentation
Maintenance Procedures, Contract Employee
Maintenance Procedures, Local Employee
Marking Of Media
Password Management
Testing
Access Authorization
Access Control Models
Access Control Software
Access Controls
Access Privileges
Alarms. Signals And Reports
Applications Security
Assessments (e.g., Surveys, Inspections)
Audit Mechanism
Audit Trails And Logging
Auditable Events
Auditing Tools
Automated Security Tools
Availability
Backups
Cabling
Call-Back Security
Caller ID
Change Controls
Circuit-Switched Networks
Client/Server Security
Compartmented/Partitioned Mode
Conformance Testing
Connectivity
Contingency Plan Testing
Countermeasures
Covert Channels
Data Access Control
Database Integrity
Deletion Of Accounts
Dial-Up Security
Disaster Recovery Plan Testing
Discretionary Access Control
Electromagnetic Countermeasures
Electronic-Mail Security
Emanations Security
Error Logs
Firewall
Firmware Security
Internal Controls And Security
Internet Security
Intrusion Detection
Intrusion Deterrents
Keystroke Monitoring
Labeling
List-Based Access Controls
Local Area Network Security
Malicious Code
Mandatory Access Controls
Memory (Non-Volatile)
Memory (Random)
Memory (Sequential)
Mobile Workstation Security
Modems
Network Firewalls
Network Security Software
Network Switching
One-Time Passwords
Operating System Integrity
Operating System Security Features
Operating Systems
Password Management
Platform-Specific Security
Protection From Malicious Code
Reliability Testing
Security Domains
Security Functional Testing
Security Product Testing/Evaluation
Validation (Testing)
Certification planning
Access Control Policies
Administrative Security Policies And Pro
Agency-Specific Policies And Procedures
Audit Collection Requirements
Audit Trails And Logging Policies
Auditable Events
Certification
Change Control Policies
Communications Security Policy And Guidance
Contingency Planning
Continuity Planning
Coordination With Related Disciplines
Disaster Recovery Planning
Documentation
Documentation Policies
Guidelines
Information Security Policy
Laws, Regulations, And Other Public Policy
Life Cycle System Security Planning
Roles And Responsibilities
Separation Of Duties
Build/Direct a team
Team Building
Be able to identify the skills and expertise team members must have in order to conduct a comprehensive evaluation
Delegation Of Authority
Ideas Not Allocated
Unknown God
Administrative Security Policies And Procedures
Application Development Control
Audit Collection Requirements
Availability
Change Control Policies
Change Controls
Classified Materials Handling And Shipping
Client/Server Security
Common Carrier Security
Communications Security Policy And Guidance
Contingency Planning
Contractor Security Safeguards
Disposition Of Classified Information
Electromagnetic Countermeasures
Ethics
Evaluated Products
Expert Security/Audit Tools
Formal Methods For Security Design
Hackers (and Unauthorized Users)
Information Availability
Information Classification
Information Confidentiality
Information Criticality
Information Ownership
Information Resource Owner/Custodian
Information Security Policy
Information Sensitivity
Information States
Laws, Regulations, And Other Public Policy
Legal And Liability Issues
Life Cycle System Security Planning
Marking Of Sensitive Information
Network Communications Protocols
Open Systems Security
Policy Enforcement
Rainbow Series
Security Awareness
Security Training
Standards
Task: (Brain Storm) Re-Print
Creation Date: Wednesday, June 21, 1995 04:37 PM
Print Date: June 23, 1995
Initial Question / Instructions
Move the 267 KSAs into the Short List of Major Duties of the System Certifier.
Folder List
1. Report
Summarize the results of the test and evaluation and recommend to the DAA and/or offer interim approval to operate.
2. Evaluation
analysis of the results of the testing to determine the security posture of the system
3. Testing
examination of safeguards required to protect a system as they have been applied to an operational environment
4. Certification planning
Determine the dates, define the tasks and criteria, the documentation to be examined, coordinate w/ authorities etc.
5. Build/Direct a team
Identify the people with the skills and knowledge necessary to perform testing and evaluation of a system.
6. Ideas Not Allocated
Contains ideas that were not added to any other folder.
7. Unknown God
Contains items that should be in some category; however, the category is not identified yet
Report
Approval To Operate
Corrective Actions
Documentation
Maintenance Of Configuration Documentation
Evaluation
Access Privileges
Audit Trails And Logging
Classified Materials Handling And Shipping
Client/Server Security
Common Carrier Security
Communications Center Security
Countermeasures
Disaster Recovery
Documentation Policies
Emergency Destruction
Environmental Controls
Evaluation Techniques (Evaluation)
Facility Management
Human Threats
Incident Response
Intrusion Deterrents
Logs And Journals
Maintenance Of Configuration Documentation
Maintenance Procedures, Contract Employee
Maintenance Procedures, Local Employee
Marking Of Media
Password Management
Testing
Access Authorization
Access Control Models
Access Control Software
Access Controls
Access Privileges
Alarms. Signals And Reports
Applications Security
Assessments (e.g., Surveys, Inspections)
Audit Mechanism
Audit Trails And Logging
Auditable Events
Auditing Tools
Automated Security Tools
Availability
Backups
Cabling
Call-Back Security
Caller ID
Circuit-Switched Networks
Client/Server Security
Conformance Testing
Connectivity
Contingency Plan Testing
Countermeasures
Database Integrity
Dial-Up Security
Disaster Recovery Plan Testing
Validation (Testing)
Firewall
a device connected to the network that can adjudicate traffic between your net and the outside in accordance with some preset policy
Change Controls
Compartmented/partitioned Mode
Covert Channels
Data Access Control
Deletion Of Accounts
Discretionary Access Control
Electromagnetic Countermeasures
Electronic-Mail Security
Emanations Security
Error Logs
Firmware Security
Internal Controls And Security
Internet Security
Intrusion Detection
Intrusion Deterrents
Keystroke Monitoring
Labeling
List-Based Access Controls
Local Area Network Security
Malicious Code
Mandatory Access Controls
Memory (Non-Volatile)
Memory (Random)
Memory (Sequential)
Mobile Workstation Security
Modems
Network Firewalls
Network Security Software
Network Switching
One-Time Passwords
Operating System Integrity
Operating System Security Features
Operating Systems
Password Management
Platform-Specific Security
Protection From Malicious Code
Reliability Testing
Security Domains
Security Functional Testing
Security Product Testing/Evaluation
Certification planning
Access Control Policies
Administrative Security Policies And Pro
Agency-Specific Policies And Procedures
Audit Collection Requirements
Audit Trails And Logging Policies
Auditable Events
Communications Security Policy And Guidance
Contingency Planning
Certification
see NSTISSI No. 4009
comprehensive evaluation of the technical and non-technical security features of an AIS and other safeguards, to meet security and accreditation requirements.
Change Control Policies
Continuity Planning
Coordination With Related Disciplines
Disaster Recovery Planning
Documentation
Documentation Policies
Guidelines
Information Security Policy
Laws, Regulations, And Other Public Policy
Life Cycle System Security Planning
Roles And Responsibilities
Separation Of Duties
Build/Direct a team
Team Building
Be able to identify the skills and expertise team members must have in order to conduct a comprehensive evaluation
Delegation Of Authority
Ideas Not Allocated
Analog Technology
Asynchronous And Synchronous Communications
Binding/Handshaking
Communications Systems Abuse
Computer Emergency Response Team
Computer Science And Architecture
COMSEC Accounting
Copyright Protection And Licensing
Critical Systems
Cryptographic Techniques
Customer IT Security Needs
Data Processing Center Security
Declassification/Downgrade Of Media
Dedicated Line
Dedicated Mode
Development (Life Cycle)
Dial Number Indicator
Digital/Analog Technology
Disclosure Of Sensitive Data
Diskless Workstations
Disposition Of Media And Data
Distributed Systems Security
Document Labeling
Drop-Off/Add-On Protection
Electromagnetic Interference
Electronic Data Interchange
Electronic Key Management System
Electronic Monitoring
Electronic-Mail Privacy
Emergency Destruction Procedures
Encryption Codes
End User Computing Security
Environmental/Natural Threats
Expert Systems
Fault Tolerance
Fax Security
Filtered Power
Fire Prevention And Protection
Fraud, Waste And Abuse
Generally Accepted Systems Security Principles
Generic Accreditation
Grounding
Hardware Asset Management
Housekeeping Procedures
Implementation (Life Cycle)
Information Integrity
Information Systems Security Officer
Information Valuation
Investigation Of Security Breaches
Information System Security Program Planning
IT Asset Valuation
Kernel
Key Certificate Administration
Leased-Line Networks
Line Authentication
Memory (Volatile)
Microwave/Wireless Communications Security
Modes Of Operation
Monitoring
Monitoring (e.g., Data, Line)
Multilevel Processing
National Information Infrastructure
Need-To-Know Controls
Network Monitoring
Network Topology
Object Labeling
Off-Site Security (Information, Processing
Open Systems Interconnect Model
Operational Procedures Review
Optical/Imaging Systems Security
Packet Filtering
Packet Switched Networks
Peer-To-Peer Security
Personnel Security Policies And Guidance
Policy Development
Power Controls (e.g., UPS, Emergency Power
Preventative Controls
Principles Of Control
Privacy
Private Key Cryptology
Private Networks
Privileges (Classified Nodes)
Protected Distributed System
Protected Services
Protective Technology
Public Key Encryption
Redundancy
Reference Monitors
Remanence
Remote Terminal Protection Devices
Risk Acceptance Process
Role-Based Access Controls
Rule Of Least Privilege
Rules-Based Access Controls
Secure System Operations
Security Architecture
Security Product Integration
Security Products
Sensitive System
Shielded Enclosures
Single Sign-On
Smartcards/Token Authentication
Software Asset Management
Stand-Alone Systems And Remote Terminals
Storage Area Controls
Storage Media Protection And Control
Synchronous Communication
System Security Architecture Study
System Security Engineering
System Software Controls
System Testing And Evaluation Process
System-High Mode
TCSEC/ITSEC/Common Criteria
Technical Security Guidance
Technological Threats
Technology Trends
Transportation Of Media
Trust
Trusted Computer System Evaluation Criteria
Trusted Network Interpretation (Red Book)
Unauthorized Disclosure Of Information
Verification And Validation Process
Voice Mail Security
Wide Area Network Security
Wide Area Networks
Workstations Security
Zone Of Control/Zoning
Technical Vulnerability
A hardware, firmware, communications, or software weakness which leaves an AIS open for potential exploitation or damage. AR 380-19
Multilevel security
concept of processing information of different classifications with simultaneous access; see NSTISSI No. 4009
See Modes of Operation/Security Modes of Operation
Authenticate
To verify the identity of a user, device, or other entity in a computer system, or to verify the integrity of data that have been stored. AR 380-19
System Security Profile
snapshot in time of the security features of a system and what protection they provide in a given configuration.
Interim Approval(Authority) to Operate
Authority delegated to the Certification Authority by the DAA; allows the system to operate pending final approval by the DAA (provided the Certification Authority intends to recommend approval to operate)
Not necessarily to the certifier. Some organizations have Accreditation Officers with this "power."
NSTISSI No. 4009: Temporary authority granted by a designated approving authority for an AIS to process classified information and information governed by 10 USC, Sec. 2315 etc.
Degauss
To reduce magnetic flux density to zero by applying a reverse magnetizing field. AR 380-19
Memorandum of Understanding or Agreement
as required by 5200.28 between owners of data sharing the same system, or when connecting to other systems
Unknown God
Administrative Security Policies And Pro
Application Development Control
Audit Collection Requirements
Availability
Change Control Policies
Change Controls
Classified Materials Handling And Shipping
Client/Server Security
Common Carrier Security
Communications Security Policy And Guidance
Contingency Planning
Contractor Security Safeguards
Disposition Of Classified Information
Electromagnetic Countermeasures
Ethics
Evaluated Products
Expert Security/Audit Tools
Formal Methods For Security Design
Hackers (and Unauthorized Users)
Information Availability
Information Classification
Information Confidentiality
Information Criticality
Information Ownership
Information Resource Owner/Custodian
Information Security Policy
Information Sensitivity
Information States
Laws, Regulations, And Other Public Policy
Legal And Liability Issues
Life Cycle System Security Planning
Marking Of Sensitive Information
Network Communications Protocols
Open Systems Security
Policy Enforcement
Rainbow Series
Security Awareness
Security Training
Standards
Task: (Brain Storm) Build/Direct Team(input only)
Creation Date: Wednesday, June 21, 1995 09:11 PM
Print Date: June 23, 1995
Initial Question / Instructions
A question was not entered during the setup of this session.
Folder List
Delegation Of Authority
Team Building
Delegation Of Authority
Team Building
Be able to identify the skills and expertise team members must have in order to conduct a comprehensive evaluation
Task: (Brain Storm) Test(input only)
Creation Date: Wednesday, June 21, 1995 09:17 PM
Print Date: June 23, 1995
Initial Question / Instructions
A question was not entered during the setup of this session.
Folder List
1. Access Authorization
2. Access Control Models
3. Access Control Software
4. Access Controls
5. Access Privileges
6. Alarms, Signals And Reports
7. Applications Security
8. Assessments (e.g., Surveys, Inspections)
9. Audit Mechanism
10. Audit Trails And Logging
11. Auditable Events
12. Auditing Tools
13. Automated Security Tools
14. Availability
15. Backups
16. Cabling
17. Call-Back Security
18. Caller ID
19. Change Controls
20. Circuit-Switched Networks
21. Client/Server Security
22. Compartmented/partitioned Mode
23. Conformance Testing
24. Connectivity
25. Contingency Plan Testing
26. Countermeasures
27. Covert Channels
28. Data Access Control
29. Database Integrity
30. Deletion Of Accounts
31. Dial-Up Security
32. Disaster Recovery Plan Testing
33. Discretionary Access Control
34. Electromagnetic Countermeasures
35. Electronic-Mail Security
36. Emanations Security
37. Error Logs
38. Firewall
39. Firmware Security
40. Internal Controls And Security
41. Internet Security
42. Intrusion Detection
43. Intrusion Deterrents
44. Keystroke Monitoring
45. Labeling
46. List-Based Access Controls
47. Local Area Network Security
48. Malicious Code
49. Mandatory Access Controls
50. Memory (Non-Volatile)
51. Memory (Random)
52. Memory (Sequential)
53. Mobile Workstation Security
54. Modems
55. Network Firewalls
56. Network Security Software
57. Network Switching
58. One-Time Passwords
59. Operating System Integrity
60. Operating System Security Features
61. Operating Systems
62. Password Management
63. Platform-Specific Security
64. Protection From Malicious Code
65. Reliability Testing
66. Security Domains
67. Security Functional Testing
68. Security Product Testing/Evaluation
69. Validation (Testing)
Access Authorization
Access Control Models
Access Control Software
Access Controls
Access Privileges
Alarms, Signals And Reports
Applications Security
Assessments (e.g., Surveys, Inspections)
Audit Mechanism
Audit Trails And Logging
Auditable Events
Auditing Tools
Automated Security Tools
Availability
Backups
Cabling
Call-Back Security
Caller ID
Change Controls
Circuit-Switched Networks
Client/Server Security
Compartmented/partitioned Mode
Conformance Testing
Connectivity
Contingency Plan Testing
Countermeasures
Covert Channels
Data Access Control
Database Integrity
Deletion Of Accounts
Dial-Up Security
Disaster Recovery Plan Testing
Discretionary Access Control
Electromagnetic Countermeasures
Electronic-Mail Security
Emanations Security
Error Logs
Firewall
Firmware Security
Internal Controls And Security
Internet Security
Intrusion Detection
Intrusion Deterrents
Keystroke Monitoring
Labeling
List-Based Access Controls
Local Area Network Security
Malicious Code
Mandatory Access Controls
Memory (Non-Volatile)
Memory (Random)
Memory (Sequential)
Mobile Workstation Security
Modems
Network Firewalls
Network Security Software
Network Switching
One-Time Passwords
Operating System Integrity
Operating System Security Features
Operating Systems
Password Management
Platform-Specific Security
Protection From Malicious Code
Reliability Testing
Security Domains
Security Functional Testing
Security Product Testing/Evaluation
Validation (Testing)
Task: (Brain Storm) Evaluate(input only)
Creation Date: Wednesday, June 21, 1995 09:21 PM
Print Date: June 23, 1995
Initial Question / Instructions
A question was not entered during the setup of this session.
Folder List
1. Access Privileges
2. Audit Trails And Logging
3. Classified Materials Handling And Shipping
4. Client/Server Security
5. Common Carrier Security
6. Communications Center Security
7. Countermeasures
8. Disaster Recovery
9. Documentation Policies
10. Emergency Destruction
11. Environmental Controls
12. Evaluation Techniques (Evaluation)
13. Facility Management
14. Human Threats
15. Incident Response
16. Intrusion Deterrents
17. Logs And Journals
18. Maintenance Of Configuration Documentation
19. Maintenance Procedures, Contract Employee
20. Maintenance Procedures, Local Employee
21. Marking Of Media
22. Password Management
Access Privileges
Audit Trails And Logging
Classified Materials Handling And Shipping
Client/Server Security
Common Carrier Security
Communications Center Security
Countermeasures
Disaster Recovery
Documentation Policies
Emergency Destruction
Environmental Controls
Evaluation Techniques (Evaluation)
Facility Management
Human Threats
Incident Response
Intrusion Deterrents
Logs And Journals
Maintenance Of Configuration Documentation
Maintenance Procedures, Contract Employee
Maintenance Procedures, Local Employee
Marking Of Media
Password Management
Task: (Brain Storm) Report(input only)
Creation Date: Wednesday, June 21, 1995 09:25 PM
Print Date: June 23, 1995
Initial Question / Instructions
A question was not entered during the setup of this session.
Place verbs under the KSAs for SC duty of CERTIFICATION PLANNING.
Folder List
1. Access Control Policies
2. Administrative Security Policies And Procedures
3. Agency-Specific Policies And Procedures
4. Audit Collection Requirements
5. Audit Trails And Logging Policies
6. Auditable Events
7. Certification
8. Change Control Policies
9. Communications Security Policy And Guidance
10. Contingency Planning
11. Continuity Planning
12. Coordination With Related Disciplines
13. Disaster Recovery Planning
14. Documentation
15. Documentation Policies
16. Guidelines
17. Information Security Policy
18. Laws, Regulations, And Other Public Policy
19. Life Cycle System Security Planning
20. Roles And Responsibilities
21. Separation Of Duties
Ideas Not Allocated
Contains ideas that were not added to any other folder.
Guidelines
Applies
Identifies
Roles And Responsibilities
Addresses
Identifies
Laws, Regulations, And Other Public Policy
Addresses
Identifies
Reads
Coordination With Related Disciplines
Information Security Policy
Identifies
Separation Of Duties
Identifies
Continuity Planning
Evaluate
Documentation Policies
Identifies
Documentation
Assembles
Identifies
Change Control Policies
Disaster Recovery Planning
Evaluate
Certification
see NSTISSI No. 4009: comprehensive evaluation of the technical and non-technical security features of an AIS and other safeguards, to meet security and accreditation requirements.
Recommends
Contingency Planning
Identifies
Evaluate
Communications Security Policy And Guidance
Identifies
Appraises
Auditable Events
Identifies
Audit Trails And Logging Policies
Identifies
Appraises
Audit Collection Requirements
Addresses
Identifies
Questions
Appraises
Tests
Studies
Describes
Evaluate
Verifies
Specify
Agency-Specific Policies And Procedures
Addresses
Identifies
Questions
Applies
Appraises
Recommends
Compares
Defines
Evaluate
Studies
Relates
Verifies
Describes
Administrative Security Policies And Procedures
Addresses
Adheres
Identifies
Applies
Appraises
Reads
Recommends
Defines
Evaluate
Verifies
Tests
Studies
Describes
Interprets
Creates
Influences
Criticizes
Access Control Policies
Addresses
Appraises
Cognizant Of
Defines
Describes
Evaluate
Explains
Identifies
Interprets
Questions
Reads
Recommends
Studies
Life Cycle System Security Planning
Ideas Not Allocated
Task: (Brain Storm) Evaluate(input only)
Creation Date: Thursday, June 22, 1995 09:41 AM
Print Date: June 23, 1995
Initial Question / Instructions
Place verbs under the KSAs for System Certifier duty of EVALUATE.
Folder List
1. Access Privileges
2. Audit Trails And Logging
3. Classified Materials Handling And Shipping
4. Client/Server Security
5. Common Carrier Security
6. Communications Center Security
7. Countermeasures
8. Disaster Recovery
9. Documentation Policies
10. Emergency Destruction
11. Environmental Controls
12. Evaluation Techniques (Evaluation)
13. Facility Management
14. Human Threats
15. Incident Response
16. Intrusion Deterrents
17. Logs And Journals
18. Maintenance Of Configuration Documentation
19. Maintenance Procedures, Contract Employee
20. Maintenance Procedures, Local Employee
21. Marking Of Media
22. Password Management
Ideas Not Allocated
Contains ideas that were not added to any other folder.
Password Management
Appraises
Evaluate
Addresses
Studies
Verifies
Identifies
Maintenance Procedures Contract Employee
Appraises
Evaluate
Verifies
Identifies
Marking Of Media
Evaluate
Addresses
Appraises
Maintenance Of Configuration Documentation
Evaluate
Addresses
Verifies
Logs And Journals
Appraises
Evaluate
Addresses
Studies
Verifies
Identifies
Intrusion Deterrents
Appraises
Evaluate
Addresses
Verifies
Identifies
Evaluation Techniques (Evaluation)
Addresses
Appraises
Cognizant Of
Defines
Discusses
Evaluate
Identifies
Performs
Reports
Selects
Studies
Uses
Human Threats
Appraises
Evaluate
Addresses
Identifies
Incident Response
Appraises
Evaluate
Facility Management
Evaluate
Verifies
Identifies
Environmental Controls
Appraises
Evaluate
Addresses
Cognizant Of
Criticizes
Verifies
Identifies
Emergency Destruction
Evaluate
Addresses
Appraises
Identifies
Documentation Policies
Evaluate
Addresses
Interprets
Discusses
Identifies
Audit Trails And Logging
Appraises
Evaluate
Addresses
Interprets
Cognizant Of
Discusses
Studies
Countermeasures
Appraises
Evaluate
Addresses
Criticizes
Studies
Cognizant Of
Identifies
Verifies
Disaster Recovery
Appraises
Evaluate
Addresses
Access Privileges
Evaluate
Addresses
Appraises
Verifies
Studies
Discusses
Identifies
Cognizant Of
Classified Materials Handling And Shipping
Appraises
Evaluate
Addresses
Cognizant Of
Discusses
Verifies
Communications Center Security
Appraises
Evaluate
Addresses
Cognizant Of
Common Carrier Security
Appraises
Evaluate
Cognizant Of
Client/Server Security
Appraises
Discusses
Addresses
Cognizant Of
Evaluate
Verifies
Ideas Not Allocated
Maintenance Procedures Local Employee
Evaluate
Addresses
Identifies
Task: (Brain Storm) Test(input only)
Creation Date: Thursday, June 22, 1995 11:37 AM
Print Date: June 23, 1995
Initial Question / Instructions
Place verbs under the KSAs for System Certifier duty of Test.
Folder List
1. Access Authorization
2. Access Control Models
3. Access Control Software
4. Access Controls
5. Access Privileges
6. Alarms, Signals And Reports
7. Applications Security
8. Assessments (e.g., Surveys, Inspections)
9. Audit Mechanism
10. Audit Trails And Logging
11. Auditable Events
12. Auditing Tools
13. Automated Security Tools
14. Availability
15. Backups
16. Cabling
17. Call-Back Security
18. Caller ID
19. Change Controls
20. Circuit-Switched Networks
21. Client/Server Security
22. Compartmented / partitioned Mode
23. Conformance Testing
24. Connectivity
25. Contingency Plan Testing
26. Countermeasures
27. Covert Channels
28. Data Access Control
29. Database Integrity
30. Deletion Of Accounts
31. Dial-Up Security
32. Disaster Recovery Plan Testing
33. Discretionary Access Control
34. Electromagnetic Countermeasures
35. Electronic-Mail Security
36. Emanations Security
37. Error Logs
38. Firewall
39. Firmware Security
40. Internal Controls And Security
41. Internet Security
42. Intrusion Detection
43. Intrusion Deterrents
44. Keystroke Monitoring
45. Labeling
46. List-Based Access Controls
47. Local Area Network Security
48. Malicious Code
49. Mandatory Access Controls
50. Memory (Non-Volatile)
51. Memory (Random)
52. Memory (Sequential)
53. Mobile Workstation Security
54. Modems
55. Network Firewalls
56. Network Security Software
57. Network Switching
58. One-Time Passwords
59. Operating System Integrity
60. Operating System Security Features
61. Operating Systems
62. Password Management
63. Platform-Specific Security
64. Protection From Malicious Code
65. Reliability Testing
66. Security Domains
67. Security Functional Testing
68. Security Product Testing/Evaluation
69. Validation (Testing)
Ideas Not Allocated
Contains ideas that were not added to any other folder.
The following is the list of the contents of the KSAs associated with the Test role of the system certifier. It contains the verbs that should direct the behavior of the systems certifier. For example in the KSA area of Electronic Mail Security, the systems certifier should test and evaluate.
Electronic-Mail Security
1. Tests
2. Evaluate
Memory (Sequential)
Tests
Memory (Random)
Tests
Memory (Non-Volatile)
Tests
Malicious Code
Security Domains
Tests
Network Switching
Tests
Modems
Tests
List-Based Access Controls
Tests
Evaluate
Operating System Integrity
Demonstrates
Tests
Evaluate
Operating System Security Features
Tests
Evaluate
Platform-Specific Security
Tests
Evaluate
Password Management
Tests
Operating Systems
Demonstrates
Evaluate
One-Time Passwords
Tests
Network Security Software
Tests
Evaluate
Network Firewalls
Addresses
Tests
Labeling
Addresses
Tests
Evaluate
Protection From Malicious Code
Addresses
Evaluate
Tests
Reliability Testing
Addresses
Appraises
Mandatory Access Controls
Tests
Local Area Network Security
Addresses
Evaluate
Tests
Keystroke Monitoring
Addresses
Intrusion Deterrents
Addresses
Tests
Evaluate
Internal Controls And Security
Tests
Appraises
Evaluate
Security Functional Testing
Addresses
Appraises
Evaluate
Security Product Testing/ Evaluation
Addresses
Appraises
Evaluate
Intrusion Detection
Addresses
Tests
Appraises
Evaluate
Internet Security
Tests
Evaluate
Identifies
Electromagnetic Countermeasures
Addresses
Appraises
Evaluate
Firmware Security
Tests
Appraises
Evaluate
Error Logs
Appraises
Evaluate
Tests
Covert Channels
Emanations Security
Evaluate
Compartmented/partitioned Mode
Deletion Of Accounts
Verifies
Tests
Discretionary Access Control
Addresses
Tests
Demonstrates
Evaluate
Change Controls
Evaluate
Tests
Data Access Control
Tests
Demonstrates
Evaluate
Firewall
Addresses
Tests
Disaster Recovery Plan Testing
Addresses
Appraises
Evaluate
Tests
Circuit-Switched Networks
Addresses
Tests
Dial-Up Security
Addresses
Tests
Evaluate
Cabling
Addresses
Evaluate
Tests
Database Integrity
Addresses
Tests
Appraises
Evaluate
Countermeasures
Addresses
Tests
Appraises
Evaluate
Identifies
Call-Back Security
Tests
Evaluate
Client/Server Security
Tests
Appraises
Evaluate
Contingency Plan Testing
Appraises
Tests
Evaluate
Identifies
Connectivity
Tests
Evaluate
Backups
Appraises
Tests
Evaluate
Conformance Testing
Addresses
Appraises
Tests
Evaluate
Identifies
Availability
Addresses
Appraises
Evaluate
Tests
Caller ID
Tests
Automated Security Tools
Tests
Appraises
Evaluate
Auditable Events
Addresses
Tests
Evaluate
Auditing Tools
Addresses
Tests
Appraises
Evaluate
Validation (Testing)
Addresses
Performs
Evaluate
Access Control Models
Addresses
Tests
Evaluate
Audit Trails And Logging
Addresses
Tests
Appraises
Verifies
Demonstrates
Evaluate
Assessments (e.g., Surveys, Inspections)
Addresses
Tests
Evaluate
Audit Mechanism
Addresses
Appraises
Demonstrates
Evaluate
Identifies
Tests
Verifies
Applications Security
Addresses
Tests
Appraises
Evaluate
Alarms, Signals And Reports
Addresses
Appraises
Demonstrates
Evaluate
Tests
Access Privileges
Addresses
Tests
Describes
Demonstrates
Evaluate
Identifies
Access Controls
Addresses
Tests
Describes
Demonstrates
Appraises
Evaluate
Identifies
Access Control Software
Addresses
Tests
Appraises
Demonstrates
Evaluate
Identifies
Access Authorization
Addresses
Tests
Evaluate
Identifies
Mobile Workstation Security
Evaluate
Ideas Not Allocated
Acts
Adheres
Allocates
Alters
Answers
Applies
Arranges
Asks
Assembles
Assigns
Assists
Breaks Down
Builds
Calibrates
Categorizes
Changes
Choose
Cleans
Cognizant Of
Combines
Compares
Compiles
Completes
Complies
Composes
Computes
Concludes
Conforms
Connects
Constructs
Contrasts
Converts
Corrects
Creates
Criticizes
Defends
Defines
Design
Destroys
Develops
Devises
Diagrams
Differentiates
Directs
Discovers
Discriminates
Discusses
Dismantles
Displays
Distinguishes
Drills
Enforce
Estimates
Examples
Exemplifies
Explains
Extends
Fastens
Fixes
Follows
Forms
Generalizes
Generates
Gives
Greets
Grinds
Grips
Hammers
Heats
Helps
Holds
Hooks
Illustrates
Implement
Infers
Influences
Initiates
Integrates
Interprets
Inventories
Invites
Joins
Justifies
Labels
Listens
Lists
Locates
Maintains
Makes
Manipulates
Matches
Mends
Mixes
Modifies
Monitors
Nails
Names
Operates
Orders
Organizes
Outlines
Paints
Paraphrases
Plans
Points Out
Points To
Practices
Predicts
Prepares
Prescribe
Presents
Prevent
Prioritizes
Produces
Promotes
Proposes
Qualifies
Questions
Reads
Rearranges
Recites
Recommends
Reconstructs
Relates
Reorganizes
Replies
Report
Reports
Reproduces
Requests
Revises
Rewrites
Sands
Saws
Selects
Separates
Serves
Sets
Sets Erect
Sews
Shares
Sharpens
Shows
Sketches
Solves
Specify
Starts
States
Stirs
Stores
Studies
Subdivides
Summarizes
Supports
Synthesizes
Tells
Uses
Weighs
Works
Wraps
Writes
Task: (Discuss) System Certifier (flesh out 1)
Creation Date: Thursday, June 22, 1995 02:01 PM
Print Date: June 23, 1995
Initial Question / Instructions
Complete each verb/KSA statement.
Folder List
Ideas Not Allocated
Evaluate
Certification Planning
Report
Direct / Build a Team
Ideas Not Allocated
Idea: Access Control
{Entry Level Activity}
Is cognizant of access control issues.
{Intermediate Level Activity}
Addresses and applies security standards to meet access control requirements.
{Advanced Level Activity}
Tests, evaluates, explains, and proposes changes (if required) to access control systems.
Idea: Access Control Software
DELETE ENTRY
Idea: Access Controls
DELETE ENTRY
Idea: Access Privileges
DELETE ENTRY
Idea: Alarms, Signals And Reports
Addresses
Defines
Describes
Identifies
Discusses
Evaluate
Idea: Application Software Security
{Intermediate Level Activity}
Addresses and applies security standards to meet application software security requirements.
{Advanced Level Activity}
Tests, evaluates, explains, and proposes configuration changes to application software as necessary.
Idea: Audit (mechanisms, automated tools, tools, events, trails and logins)
{Intermediate Level Activity}
Understands and addresses auditing requirements with focus on exception events.
{Advanced Level Activity}
Verifies, through direct testing, whether a system's auditing procedures meet security requirements. This verification should be accomplished through the use of tools, events, and audit trails.
Assessments (e.g., Surveys, Inspections)
Addresses
Produces
Audit Trails And Logging
Addresses
Addresses
Identifies
Evaluate
Idea: Access Control Models
DELETE ENTRY
Validation (Testing)
Addresses
Evaluate
Interprets
Appraises
Addresses
Appraises
Auditing Tools
Addresses
Administrative Security Policies And Procedures
Prioritizes
Identifies
Completes
Interprets
Evaluate
Describes
Evaluate
Appraises
Auditable Events
Addresses
Appraises
Reads
Recommends
Tests
Automated Security Tools
Tests
Defines
Evaluate
Identifies
Caller ID
Tests
Availability
Addresses
Studies
Evaluate
Addresses
Identifies
Conformance Testing
Addresses
Influences
Cognizant Of
Defines
Discusses
Evaluate
Identifies
Addresses
Performs
Reports
Selects
Studies
Uses
Backups
Appraises
Applies
Appraises
Recommends
Evaluate
Connectivity
Tests
Compares
Defines
Tests
Evaluate
Identifies
Contingency Plan Testing
Appraises
Evaluate
Studies
Relates
Evaluate
Addresses
Verifies
Identifies
Client/Server Security
Tests
Describes
Call-Back Security
Tests
Questions
Evaluate
Addresses
Studies
Verifies
Identifies
Countermeasures
Addresses
Tests
Studies
Describes
Evaluate
Verifies
Tests
Appraises
Evaluate
Database Integrity
Addresses
Specify
Cabling
Addresses
Communications Security Policy And Guidelines
Identifies
Applies
Tests
Evaluate
Dial-Up Security
Addresses
Evaluate
Circuit-Switched Networks
Addresses
Disaster Recovery Planning
Evaluate
Disaster Recovery Plan Testing
Addresses
Identifies
Firewall
a device connected to the network that can adjudicate traffic between your net and the outside in accordance with some preset policy
Information Security Policy
Identifies
Data Access Control
Tests
Reads
Change Controls
Evaluate
Guidelines
Applies
Applies
Appraises
Recommends
Evaluate
Idea: Discretionary Access Control
DELETE ENTRY
Deletion Of Accounts
Verifies
Evaluate
Verifies
Emanations Security
Evaluate
Error Logs
Appraises
Evaluate
Cognizant Of
Firmware Security
Tests
Evaluate
Addresses
Cognizant Of
Appraises
Evaluate
Electromagnetic Countermeasures
Addresses
Classified Materials Handling And Shipping
Appraises
Prioritizes
Identifies
Completes
Interprets
Evaluate
Describes
Evaluate
Appraises
Internet Security
Tests
Cognizant Of
Discusses
Verifies
Tests
Appraises
Evaluate
Intrusion Detection
Addresses
Access Privileges
Evaluate
Supports
Security Product Testing/Evaluation
Addresses
Studies
Discusses
Identifies
Appraises
Evaluate
Security Functional Testing
Addresses
Cognizant Of
Internal Controls And Security
Tests
Addresses
Intrusion Deterrents
Addresses
Addresses
Criticizes
Studies
Cognizant Of
Tests
Evaluate
Keystroke Monitoring
Addresses
Local Area Network Security
Addresses
Identifies
Verifies
Mandatory Access Controls
Tests
Reliability Testing
Addresses
Addresses
Interprets
Evaluate
Tests
Protection From Malicious Code
Addresses
Cognizant Of
Discusses
Studies
Tests
Evaluate
Labeling
Addresses
Documentation Policies
Evaluate
Identifies
Questions
Reads
Tests
Evaluate
Network Firewalls
Addresses
Discusses
Identifies
Evaluate
Network Security Software
Tests
Emergency Destruction
Evaluate
Studies
Performs
Evaluate
One-Time Passwords
Tests
Operating Systems
Demonstrates
Identifies
Password Management
Tests
Platform-Specific Security
Tests
Addresses
Cognizant Of
Evaluate
Operating System Security Features
Tests
Criticizes
Verifies
Tests
Evaluate
Operating System Integrity
Demonstrates
Identifies
List-Based Access Controls
Tests
Identifies
Modems
Tests
Network Switching
Tests
Security Domains
Tests
Memory (Non-Volatile)
Tests
Memory (Random)
Tests
Memory (Sequential)
Tests
Electronic-Mail Security
Tests
Cognizant Of
Defines
Discusses
Evaluate
Identifies
Addresses
Performs
Reports
Selects
Studies
Uses
Mobile Workstation Security
Evaluate
Evaluate
Idea: Client/Server Security
Definition: Assembles
{Entry Level Activity}
The Certifier assembles (collects) the data from the tests.
Definition: Explains
{Intermediate Level Activity}
The Certifier explains what the results of the test data mean.
Definition: Evaluate
[]
Common Carrier Security
Appraises
Evaluate
Tests
Communications Center Security
Appraises
Appraises
Evaluate
Classified Materials Handling And Shipping
Appraises
Prioritizes
Identifies
Completes
Interprets
Evaluate
Describes
Evaluate
Appraises
Idea: Access Privileges
Definition: Evaluate
{Entry Level Activity}
During the certification process, when evaluating access privileges, the certifier evaluates the results of tests for the propagation of access privileges, assignments, proper functioning, etc.
Idea: Disaster Recovery
Definition: Evaluate
During the certification process, the certifier evaluates the results of Disaster Recovery testing including such items as: completeness of the plan, backups, continuity of operations, alternate processing options, data integrity, loss of data.
Definition: Appraises
During the certification process, the certifier appraises the effectiveness and adequacy of the Disaster Recovery Plan. Appraises how often the plan is updated or tested and how familiar personnel are with it.
Idea: Countermeasures
Definition: Appraises
During the certification process, the certifier appraises the adequacy of countermeasures
Definition: Evaluate
During the certification process, the certifier evaluates the effectiveness of countermeasures
Definition: Identifies
During the certification process, the certifier identifies any areas where countermeasures were not effective or non-existent.
Idea: Audit Trails And Logging
Definition: Appraises
During the certification process, the certifier appraises the adequacy of audit trails and logging
Definition: Evaluate
During the certification process, the certifier evaluates the effectiveness of audit trails and logging
Idea: Documentation Policies
Definition: Evaluate
During the certification process, the certifier evaluates the effectiveness of documentation policies
Definition: Identifies
During the certification process, the certifier identifies documentation and documentation policies which are inadequate or non-existent.
Definition: Reads
Preferably the certifier reads the documentation policies and documentation before evaluating them.
Idea: Emergency Destruction
Definition: Evaluate
During the certification process, the certifier evaluates the effectiveness of emergency destruction procedures
Definition: Identifies
During the certification process, the certifier identifies emergency destruction procedures which are inadequate or non-existent
Environmental Controls
Appraises
Administrative Security Policies And Procedures
Prioritizes
Identifies
Completes
Interprets
Evaluate
Describes
Evaluate
Appraises
Facility Management
Evaluate
Defines
Evaluate
Identifies
Incident Response
Appraises
Tests
Appraises
Tests
Evaluate
Human Threats
Appraises
Describes
Interprets
Creates
Appraises
Tests
Evaluate
Identifies
Evaluation Techniques (Evaluation)
Appraises
Evaluate
Intrusion Deterrents
Appraises
Verifies
Appraises
Evaluate
Logs And Journals
Appraises
Appraises
Tests
Appraises
Evaluate
Identifies
Maintenance Of Configuration Documentation
Evaluate
Specify
Marking Of Media
Evaluate
Auditable Events
Identifies
Evaluate
Tests
Maintenance Procedures, Contract Employee
Appraises
Contingency Planning
Identifies
Tests
Evaluate
Password Management
Appraises
Disaster Recovery Planning
Evaluate
Maintenance Procedures: Local Employee
Evaluate
Information Security Policy
Identifies
Certification Planning
Idea: Access Control Policies
Recommend removal
{Entry Level Activity}
Identifies Administrative Security Policies And Procedures
{Intermediate Level Activity}
Interprets Administrative Security Policies And Procedures
{Advanced Level Activity}
Interprets Administrative Security Policies And Procedures
{Entry Level Activity}
Identifies Agency-Specific Policies And Procedures
{Intermediate Level Activity}
Identifies Agency-Specific Policies And Procedures
{Advanced Level Activity}
Identifies Agency-Specific Policies And Procedures
{Entry Level Activity}
[N/A]
{Intermediate Level Activity}
Interprets audit collection requirements
[AI] Interprets audit collection requirements
Idea: Audit Trails And Logging Policies
Recommend removal
Definition: {Entry Level Activity}
Identifies which Auditable events to test.
Definition: {Intermediate Level Activity}
Identifies which Auditable events to test.
Definition: [AI] Identifies which Auditable events to test.
{Entry Level Activity}
Identifies Communications Security Policy And Guidance
{Intermediate Level Activity}
Interprets Communications Security Policy And Guidance
{Advanced Level Activity}
Interprets Communications Security Policy And Guidance
{Entry Level Activity}
[N/A]
{Intermediate Level Activity}
[N/A]
{Advanced Level Activity}
Evaluate contingency planning (if present)
Idea: Certification
Recommend Removal
Idea: Disaster Recovery Planning
Recommend removal
{Entry Level Activity}
Assembles Documentation
{Intermediate Level Activity}
Evaluates Documentation
{Advanced Level Activity}
Evaluates Documentation
Idea: Documentation Policies
Recommend removal
Idea: Continuity Planning
Recommend removal
Idea: Separation Of Duties
Recommend removal
{Entry Level Activity}
Identifies Information Security Policy
{Intermediate Level Activity}
Identifies Information Security Policy
{Advanced Level Activity}
Identifies Information Security Policy
{Entry Level Activity}
Identifies Laws, Regulations, And Other Public Policies
{Intermediate Level Activity}
Interprets Laws, Regulations, And Other Public Policy
{Advanced Level Activity}
Interprets Laws, Regulations, And Other Public Policies
{Entry Level Activity}
Identifies Roles And Responsibilities
{Intermediate Level Activity}
Identifies Roles And Responsibilities
{Advanced Level Activity}
Identifies Roles And Responsibilities
Idea: Guidelines
Recommend removal
Report
Idea: Approval To Operate
Definition: {Advanced Level Activity}
The certifier makes the final recommendation to the DAA whether or not to accredit the system under evaluation, under what circumstances, and for what period (for approval to operate). If authority to provide on-site interim approval has been granted by the DAA, the certifier will provide a written, detailed certification package outlining operating procedures pending approval/disapproval by the DAA.
Definition: {Advanced Level Activity}
The certifier addresses all environmental considerations associated with the accreditation process for approval to operate.
Definition: {Advanced Level Activity}
The certifier appraises the results of the evaluation process for approval to operate.
Definition: {Advanced Level Activity}
The certifier verifies compliance with all security requirements for approval to operate.
Definition: {Advanced Level Activity}
The certifier evaluates all input made in support of the certification process (for approval to operate).
Idea: Corrective Actions
Definition: {Advanced Level Activity}
The certifier addresses proper corrective actions to be taken in order to obtain full accreditation for the system.
Definition: {Advanced Level Activity}
The certifier identifies all corrective actions to be taken in order to meet the requirements for accreditation.
Definition: {Advanced Level Activity}
The certifier initiates all corrective actions necessary to obtain accreditation.
Definition: {Advanced Level Activity}
The certifier tests the validity of corrective actions necessary to obtain accreditation.
Definition: {Advanced Level Activity}
The certifier appraises the efficacy of corrective actions taken to obtain accreditation.
Definition: {Advanced Level Activity}
The certifier demonstrates that corrective actions have been taken to obtain accreditation.
Definition: {Advanced Level Activity}
The certifier evaluates all corrective actions taken to obtain accreditation.
Idea: Documentation
Definition: Explains
Definition: Influences
Definition: Outlines
Definition: Tests
Definition: Describes
Definition: Demonstrates
Definition: Evaluate
Definition: Identifies
Maintenance Of Configuration Documentation
Direct / Build a Team
Team Building
Be able to identify the skills and expertise
Tests
Evaluate
Identifies
Delegation Of Authority
Allocates
Assigns
Evaluate
Addresses
Evaluate
Identifies
Task: (Brain Storm) Build/direct a team(folder)
Creation Date: Thursday, June 22, 1995 02:05 PM
Print Date: June 23, 1995
Initial Question / Instructions
A question was not entered during the setup of this session.
Folder List
Direct / Build a Team
Direct / Build a Team
Team Building
Be able to identify the skills and expertise
Assembles
Proposes
Identifies
Initiates
Creates
Organizes
Develops
Directs
Selects
Plans
Names
Delegation Of Authority
Allocates
Assigns
Prioritizes
Identifies
Influences
Outlines
Directs
Task: (Brain Storm) Report(folder)
Creation Date: Thursday, June 22, 1995 02:07 PM
Print Date: June 23, 1995
Initial Question / Instructions
A question was not entered during the setup of this session.
Folder List
Report
Report
Approval To Operate
Recommends
Supports
Corrective Actions
Addresses
Explains
Develops
Defines
Describes
Identifies
Discusses
Interprets
Evaluate
Proposes
Recommends
Verifies
Plans
Documentation
Explains
Completes
Interprets
Evaluate
Describes
Prepares
Produces
Maintenance Of Configuration Documentation
Task: (Brain Storm) Certification Planning(fold)
Creation Date: Thursday, June 22, 1995 02:11 PM
Print Date: June 23, 1995
Initial Question / Instructions
A question was not entered during the setup of this session.
Folder List
Certification Planning
Certification Planning
Access Control Policies
Explains
Addresses
Appraises
Cognizant Of
Identifies
Questions
Reads
Recommends
Defines
Studies
Evaluate
Interprets
Describes
Administrative Security Policies And Pro
Addresses
Adheres
Identifies
Applies
Appraises
Reads
Recommends
Defines
Evaluate
Verifies
Tests
Studies
Describes
Interprets
Creates
Influences
Criticizes
Agency-Specific Policies And Procedures
Addresses
Identifies
Questions
Applies
Appraises
Recommends
Compares
Defines
Evaluate
Studies
Relates
Verifies
Describes
Audit Collection Requirements
Addresses
Identifies
Questions
Appraises
Tests
Studies
Describes
Evaluate
Verifies
Specify
Audit Trails And Logging Policies
Identifies
Appraises
Auditable Events
Identifies
Communications Security Policy And Guidance
Identifies
Appraises
Contingency Planning
Identifies
Evaluate
Certification
see NSTISSI No. 4009
Recommends
Disaster Recovery Planning
Evaluate
Documentation
Assembles
Identifies
Documentation Policies
Identifies
Continuity Planning
Evaluate
Separation Of Duties
Identifies
Information Security Policy
Identifies
Laws, Regulations, And Other Public Policy
Addresses
Identifies
Reads
Roles And Responsibilities
Addresses
Identifies
Guidelines
Applies
Identifies
Task: (Brain Storm) Evaluate(folder)
Creation Date: Thursday, June 22, 1995 02:13 PM
Print Date: June 23, 1995
Initial Question / Instructions
A question was not entered during the setup of this session.
Folder List
Evaluate
Evaluate
Client/Server Security
Appraises
Discusses
Addresses
Cognizant Of
Evaluate
Verifies
Common Carrier Security
Appraises
Evaluate
Cognizant Of
Communications Center Security
Appraises
Evaluate
Addresses
Cognizant Of
Classified Materials Handling And Shipping
Appraises
Evaluate
Addresses
Cognizant Of
Discusses
Verifies
Access Privileges
Evaluate
Addresses
Appraises
Verifies
Studies
Discusses
Identifies
Cognizant Of
Disaster Recovery
Appraises
Evaluate
Addresses
Countermeasures
Appraises
Evaluate
Addresses
Criticizes
Studies
Cognizant Of
Identifies
Verifies
Audit Trails And Logging
Appraises
Evaluate
Addresses
Interprets
Cognizant Of
Discusses
Studies
Documentation Policies
Evaluate
Addresses
Interprets
Discusses
Identifies
Emergency Destruction
Evaluate
Addresses
Appraises
Identifies
Environmental Controls
Appraises
Evaluate
Addresses
Cognizant Of
Criticizes
Verifies
Identifies
Facility Management
Evaluate
Verifies
Identifies
Incident Response
Appraises
Evaluate
Human Threats
Appraises
Evaluate
Addresses
Identifies
Evaluation Techniques (Evaluation)
Appraises
Cognizant Of
Defines
Discusses
Evaluate
Identifies
Addresses
Performs
Reports
Selects
Studies
Uses
Intrusion Deterrents
Appraises
Evaluate
Addresses
Verifies
Identifies
Logs And Journals
Appraises
Evaluate
Addresses
Studies
Verifies
Identifies
Maintenance Of Configuration Documentation
Evaluate
Addresses
Verifies
Marking Of Media
Evaluate
Addresses
Appraises
Maintenance Procedures: Contract Employee
Appraises
Evaluate
Verifies
Identifies
Password Management
Appraises
Evaluate
Addresses
Studies
Verifies
Identifies
Maintenance Procedures: Local Employee
Evaluate
Addresses
Identifies
Task: (Brain Storm) Test (folder)
Creation Date: Thursday, June 22, 1995 02:18 PM
Print Date: June 23, 1995
Initial Question / Instructions
A question was not entered during the setup of this session.
Folder List
Ideas Not Allocated
Ideas Not Allocated
Access Authorization
Addresses
Tests
Evaluate
Identifies
Access Control Software
Addresses
Tests
Appraises
Demonstrates
Evaluate
Identifies
Access Controls
Addresses
Tests
Describes
Demonstrates
Appraises
Evaluate
Identifies
Access Privileges
Addresses
Tests
Describes
Demonstrates
Evaluate
Identifies
Alarms, Signals And Reports
Addresses
Appraises
Demonstrates
Evaluate
Tests
Applications Security
Addresses
Tests
Appraises
Evaluate
Audit Mechanism
Addresses
Tests
Appraises
Demonstrates
Verifies
Evaluate
Identifies
Assessments (e.g., Surveys, Inspections)
Addresses
Tests
Evaluate
Audit Trails And Logging
Addresses
Tests
Appraises
Verifies
Demonstrates
Evaluate
Access Control Models
Addresses
Tests
Evaluate
Validation (Testing)
Addresses
Performs
Evaluate
Auditing Tools
Addresses
Tests
Appraises
Evaluate
Auditable Events
Addresses
Tests
Evaluate
Automated Security Tools
Tests
Appraises
Evaluate
Caller ID
Tests
Availability
Addresses
Appraises
Tests
Evaluate
Conformance Testing
Addresses
Appraises
Tests
Evaluate
Identifies
Backups
Appraises
Tests
Evaluate
Connectivity
Tests
Evaluate
Contingency Plan Testing
Appraises
Tests
Evaluate
Identifies
Client/Server Security
Tests
Appraises
Evaluate
Call-Back Security
Tests
Evaluate
Countermeasures
Addresses
Tests
Appraises
Evaluate
Identifies
Database Integrity
Addresses
Tests
Appraises
Evaluate
Cabling
Addresses
Evaluate
Tests
Dial-Up Security
Addresses
Tests
Evaluate
Circuit-Switched Networks
Addresses
Tests
Disaster Recovery Plan Testing
Addresses
Appraises
Evaluate
Tests
Firewall
a device connected to the network that c
Addresses
Tests
Data Access Control
Tests
Demonstrates
Evaluate
Change Controls
Evaluate
Tests
Discretionary Access Control
Addresses
Tests
Demonstrates
Evaluate
Deletion Of Accounts
Verifies
Tests
Emanations Security
Evaluate
Error Logs
Appraises
Evaluate
Tests
Firmware Security
Tests
Appraises
Evaluate
Electromagnetic Countermeasures
Addresses
Appraises
Evaluate
Internet Security
Tests
Evaluate
Identifies
Intrusion Detection
Addresses
Tests
Appraises
Evaluate
Security Product Testing/Evaluation
Addresses
Appraises
Evaluate
Security Functional Testing
Addresses
Appraises
Evaluate
Internal Controls And Security
Tests
Appraises
Evaluate
Intrusion Deterrents
Addresses
Tests
Evaluate
Keystroke Monitoring
Addresses
Local Area Network Security
Addresses
Tests
Evaluate
Mandatory Access Controls
Tests
Reliability Testing
Addresses
Appraises
Protection From Malicious Code
Addresses
Evaluate
Tests
Labeling
Addresses
Tests
Evaluate
Network Firewalls
Addresses
Tests
Network Security Software
Tests
Evaluate
One-Time Passwords
Tests
Operating Systems
Demonstrates
Evaluate
Password Management
Tests
Platform-Specific Security
Tests
Evaluate
Operating System Security Features
Tests
Evaluate
Operating System Integrity
Demonstrates
Tests
Evaluate
List-Based Access Controls
Tests
Evaluate
Modems
Tests
Network Switching
Tests
Security Domains
Tests
Memory (Non-Volatile)
Tests
Memory (Random)
Tests
Memory (Sequential)
Tests
Electronic-Mail Security
Tests
Evaluate
Mobile Workstation Security
Evaluate
Task: (Discuss) System Certifier (flesh out 2)
Creation Date: Friday, June 23, 1995 06:40 AM
Print Date: June 23, 1995
Initial Question / Instructions
Continue to flesh out the Verb/KSA comments for System Certifier in your focus groups. Remember to use the {Entry Level Activity}, {Intermediate Level Activity}, and {Advanced Level Activity} tags (or [N/A]).
Folder List
Test
Evaluate
Certification Planning
Report
Direct / Build a Team
Test
Idea: Access Control
{Entry Level Activity}
Cognizant awareness of access control issues.
{Intermediate Level Activity}
Addresses and applies security standards to meet access control requirements.
{Advanced Level Activity}
Tests, evaluates, explains, and proposes changes (if required) to access control systems.
************************
Each statement should address only one behavior.
All behaviors should be measurable and observable. You cannot do either with "Cognizant awareness".
************************
all functions should be at the entry level; add a little more specificity to each; for instance, some access control features are: DAC, MAC, password control, access rosters, etc.
Idea: Access Control Software
DELETE ENTRY
************************
Keep. One of the items that should be tested is if access control software functions as advertised and that if a person has only limited rights then he gets only those rights
************************
IT IS UNDER ACCESS CONTROL
************************
Access Control could be interpreted as physical access to the system whereas Access Control Software is specific. In either case both should be addressed in the definitions as both are tested by very different methods.
Access controls must be tested to ensure that, one, they function properly and, two, they are implemented properly. If we have no access controls we have no security.
************************
I concur that the notion of access controls is at the heart of a secure Information System. Regardless of whether it is an aggregated or decomposed idea, it needs to be strongly emphasized for the system Certifier's training.
************************
With so many "DELETE ENTRIES" in this folder, it would be very helpful to know why each one was deleted. In some cases, I believe you are simply favoring the placement of the idea under a "broader" folder.
************************
the KSA definitions and the verbs were similar and in some cases the E, I, A entries were redundant. We expected an individual to know ACCESS requirements, which would cover the other areas.
************************
need to keep access control and test it thoroughly. a lot of security depends on access control working as planned
Idea: Access Privileges
DELETE ENTRY
************************
entry needs to point to access control
************************
Disagree. Access Privileges is different from Access Control. One tests the assignment and allocation of "privileges" (read, write, execute) and the other tests the mechanisms of access (DAC, MAC).
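Added example (editor's illustration, not part of the 1995 session record): the access control software and access privileges checks discussed above, as a certifier's script. It parses `ls -l` output and compares the DAC bits each user actually gets against a documented access matrix, reporting where a user holds rights beyond those allotted (a person with limited rights must get only those rights) and where a documented right is not actually granted. The listing, the access matrix, the group membership and the file names are all constructed for the example.

```python
"""Certifier check: do the DAC bits on the system grant exactly the rights the
documented access matrix allows?  Parses `ls -l` style listings (constructed
sample below) so it runs offline; point parse_ls at real output to use it."""
import re

# Constructed sample listing; not taken from any real system.
SAMPLE_LS = """\
-rw-r-----  1 root   audit   4096 Jun 22  1995 /var/log/audit.log
-rw-rw-rw-  1 root   root     512 Jun 22  1995 /etc/hosts.equiv
-rwsr-xr-x  1 root   root   24576 Jun 22  1995 /usr/local/bin/backup
-rw-------  1 alice  users    128 Jun 22  1995 /home/alice/.rhosts
-r--r--r--  1 root   root    1024 Jun 22  1995 /etc/passwd
"""

# Documented access matrix (constructed): path -> {user: rights allowed}.
# "*" covers any user not listed explicitly.
POLICY = {
    "/var/log/audit.log":    {"root": {"r", "w"}, "auditor": {"r"}, "*": set()},
    "/etc/hosts.equiv":      {"root": {"r", "w"}, "*": {"r"}},
    "/usr/local/bin/backup": {"root": {"r", "w", "x"}, "*": {"r", "x"}},
    "/home/alice/.rhosts":   {"alice": {"r", "w"}, "*": set()},
    "/etc/passwd":           {"root": {"r"}, "*": {"r"}},
}

# Group membership as recorded during the evaluation (constructed).  Note that
# "auditor" is NOT in group "audit"; that is the kind of gap this check finds.
GROUPS = {"root": {"root"}, "auditor": {"users"}, "alice": {"users"}, "bob": {"users"}}

LS_RE = re.compile(
    r"^([-dl])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S+)$")


def parse_ls(text):
    """Return {path: (mode_bits, owner, group)} from `ls -l` lines."""
    entries = {}
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            entries[m.group(5)] = (m.group(2), m.group(3), m.group(4))
    return entries


def granted(mode, owner, group, user, user_groups):
    """Rights the mode bits give `user`: owner triad, else group triad, else other.
    The superuser's DAC override is deliberately not modelled; this compares the
    bits as configured with the bits as documented."""
    if user == owner:
        triad = mode[0:3]
    elif group in user_groups:
        triad = mode[3:6]
    else:
        triad = mode[6:9]
    rights = set()
    if triad[0] == "r":
        rights.add("r")
    if triad[1] == "w":
        rights.add("w")
    if triad[2] in "xst":          # s/t: execute bit plus setuid/setgid/sticky
        rights.add("x")
    return rights


def check(ls_text, policy, groups):
    """Compare actual against documented rights.  EXCESS = a user gets a right the
    matrix does not allow (the finding that matters most); MISSING = a documented
    right is not actually granted; SETUID/SETGID and UNDOCUMENTED files are
    flagged for the certifier's attention rather than judged."""
    findings = []
    for path, (mode, owner, group) in parse_ls(ls_text).items():
        if path not in policy:
            findings.append(("UNDOCUMENTED", path, "-", ""))
            continue
        if mode[2] in "sS":
            findings.append(("SETUID", path, owner, ""))
        if mode[5] in "sS":
            findings.append(("SETGID", path, group, ""))
        for user in sorted(groups):
            allowed = policy[path].get(user, policy[path].get("*", set()))
            actual = granted(mode, owner, group, user, groups[user])
            for right in sorted(actual - allowed):
                findings.append(("EXCESS", path, user, right))
            for right in sorted(allowed - actual):
                findings.append(("MISSING", path, user, right))
    return findings


if __name__ == "__main__":
    for f in check(SAMPLE_LS, POLICY, GROUPS):
        print("%-12s %-24s %-8s %s" % f)
```

Run as is to see the sample findings (world-writable hosts.equiv gives every user write; the auditor documented as able to read the audit trail cannot; the backup program is setuid). Replace SAMPLE_LS with real `ls -l` output over the files named in the matrix to run it against a system under evaluation.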
Idea: Alarms, Signals And Reports
DELETE ENTRY
************************
KEEP
If alarms, be it intrusion detection, fire, or system threshold, don't work then the ISSO or SA would not be aware of abnormal operation of the system. This area must be tested.
************************
IT IS UNDER PHYSICAL SECURITY
************************
Alarms are more than physical security. You can set a system alarm to go off if a bad userid/password is entered.
************************
we discussed that and that became part of audit.
************************
physical security is a portion of certification; but it goes beyond pure physical, there are also technical (electronic) considerations to be tested;
************************
Also, audit is an "already been happened" event whereas alarms or signals is a "hey they're doing it now". Audit and alarms must be separate functions or mechanisms to be tested separately.
Idea: Application Software Security
{Intermediate Level Activity}
Addresses and applies security standards to meet application software security requirements.
{Advanced Level Activity}
Tests, evaluates, explains, and proposes configuration changes to application software as necessary.
************************
Each statement should address only one behavior.
************************
this is again entry level; a good verb would be "verify"; the system certifier verifies the presence of these features and verifies they are working as expected;
Idea: Audit (mechanisms, automated tools, tools, events, trails and logins)
{Intermediate Level Activity}
Understands and addresses auditing requirements with focus on exception events.
{Advanced Level Activity}
Verifies, through direct testing, whether a system's auditing procedures meet security requirements. This verification should be accomplished by the use of tools, events, and audit trails.
************************
Each statement should address only one behavior.
All behaviors should be measurable and observable. You cannot do either "Understands".
************************
Is an "event' the same as a "transaction"? If not, what is the difference? I think transaction analysis may be a better description here.
************************
too much was merged into one KSA; needs further refinement;
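Added example (editor's illustration, not from the session): the point made under Alarms, Signals and Reports, that an alarm reports what is happening now while an audit trail is reviewed after the fact, together with the audit focus on exception events. The script runs the same constructed failed-login records through a real-time threshold alarm and through an after-the-fact audit summary, so both behaviours can be tested against one trail. The record format, the threshold and the window are assumptions for the example; a real login or syslog format needs its own pattern.

```python
"""Certifier check: alarm (fires while the attempts are happening) versus audit
trail (reviewed afterwards), driven by constructed failed-login records."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample trail: one fast burst (alice) and one slow trickle (bob).
SAMPLE_LOG = """\
1995-06-22T14:05:01 login FAIL user=alice src=ttyp2
1995-06-22T14:05:09 login FAIL user=alice src=ttyp2
1995-06-22T14:05:20 login OK   user=bob   src=ttyp3
1995-06-22T14:05:31 login FAIL user=alice src=ttyp2
1995-06-22T14:05:45 login FAIL user=alice src=ttyp2
1995-06-22T14:09:00 login FAIL user=bob   src=ttyp4
1995-06-22T14:10:30 login FAIL user=bob   src=ttyp4
1995-06-22T14:12:00 login FAIL user=bob   src=ttyp4
"""

LINE_RE = re.compile(r"^(\S+)\s+login\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")
THRESHOLD = 3                    # this many failures ...
WINDOW = timedelta(seconds=60)   # ... inside this window trip the alarm


def parse(text):
    """Return (timestamp, result, user, source) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)),
                           m.group(2), m.group(3), m.group(4)))
    return events


def alarm_stream(events):
    """Real-time behaviour: the alarm fires at the event that brings a user's
    failures inside WINDOW up to THRESHOLD.  A successful login resets that user."""
    recent = defaultdict(deque)
    alarms = []
    for ts, result, user, src in events:
        if result == "OK":
            recent[user].clear()
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > WINDOW:        # drop failures that have aged out
            q.popleft()
        if len(q) >= THRESHOLD:
            alarms.append((ts, user, src, len(q)))
            q.clear()                    # one alarm per burst
    return alarms


def audit_summary(events):
    """After-the-fact review of the whole trail: totals per user regardless of
    timing.  The slow trickle that never trips the alarm shows up here."""
    summary = defaultdict(lambda: {"fail": 0, "ok": 0, "sources": set()})
    for ts, result, user, src in events:
        if result == "FAIL":
            summary[user]["fail"] += 1
            summary[user]["sources"].add(src)
        else:
            summary[user]["ok"] += 1
    return dict(summary)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ts, user, src, n in alarm_stream(evs):
        print("ALARM %s user=%s src=%s (%d failures within %ds)" % (ts, user, src, n, WINDOW.seconds))
    for user, s in sorted(audit_summary(evs).items()):
        print("AUDIT user=%s fail=%d ok=%d sources=%s" % (user, s["fail"], s["ok"], sorted(s["sources"])))
```

On the sample, the alarm fires once, at alice's third failure, while she is still trying; bob's three failures ninety seconds apart never trip it, and only the audit summary shows them. Testing both mechanisms separately, as the discussion recommends, means feeding each a trail that the other would miss.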
Idea: Assessments (e.g., Surveys, Inspections)
{Entry Level Activity}
Understands and is cognizant of the importance of Information System assessments. Demonstrates effective use of assessment documentation.
{Intermediate Level Activity}
Obtain and evaluate required assessment documentation specific to the system being tested.
************************
Are "risk assessments" intended to be included in this category as well -- or are you suggesting that only "audit" type activities are within scope?
************************
we went by the definition in the volume two although we did not entirely agree with it. we felt we would not change it, we compromised, but if you read the definition, you might want to throw it out.
************************
KSAs need to be defined, and all work then proceed on the agreed upon definitions;
Idea: Physical Security
{Entry Level Activity}
Understand significance and relevance of alarms, signals, and reports; backups; contingency plan; disaster recovery plans; emanations security; and internal controls and security.
{Intermediate Level Activity}
Provide adequate review of physical security issues.
{Advanced Level Activity}
Identifies, and tests as necessary, physical security safeguards. Provides recommendations for improvements as necessary.
************************
Each statement should address only one behavior.
All behaviors should be measurable and observable. You cannot do either with "Understand".
************************
all entry level
Idea: Access Control Models
DELETE ENTRY
************************
I would think the system certifier is going to need to understand the "Access Control Model" being relied upon for the Information System -- before he is able to go further in testing the security of the Information System.
Can't see how this can be left out.
************************
knowledge of access control should cover this, see access control
************************
there is a difference between access control model and security policy;
Idea: System Security Test and Evaluation
{Entry Level Activity}
Recognize and understand the importance of verifying the security safeguards that protect an information system.
{Intermediate Level Activity}
Demonstrate skill necessary to verify the security safeguards that protect an information system.
{Advanced Level Activity}
Evaluate and/or choose security test(s) and procedures best suited for a particular Information System.
************************
Each statement should address only one behavior.
All behaviors should be measurable and observable. You cannot do either with "Recognize and understand".
Idea: Auditing Tools
DELETE ENTRY
************************
Keep
If they are installed on a system they need to be tested
************************
see auditing or audit
Idea: Auditable Events
DELETE ENTRY
Idea: Automated Security Tools
DELETE ENTRY
************************
Keep
If they are on a system they need to be tested for proper functioning and to determine if they can detect either breaches of security or violations.
************************
this was covered in another category, but I can not remember where
Idea: Caller ID
DELETE ENTRY
Idea: Availability
DELETE ENTRY
************************
Keep
Part of continuity of operations
************************
see Availability, integrity, confidentiality
Idea: Conformance Testing
DELETE ENTRY
Idea: Backups
DELETE ENTRY
************************
Keep this.
One of the areas examined is continuity of operations, or recovery from disaster. With this in mind the certifier must first determine, one, if system backups are performed and, two, that the backups will allow for continuity of operation should a disaster occur.
************************
Backup was included under another heading; try physical security.
************************
Backups are not a physical security item. The protection of backups might be, but not the making or using of backups
Idea: Connectivity (call back security, cabling, dial-up security, networks and security, Internet security, modems, Firewalls, encryption, etc.)
{Entry Level Activity}
Understand the importance of, and be cognizant of issues relating to the logical and physical connections made within an information system's architecture.
{Intermediate Level Activity}
Identifies, evaluates, and tests the appropriateness of the system's connectivity points.
{Advanced Level Activity}
Compares, contrasts, and helps define relevant connectivity issues and associated contingency plans.
************************
Each statement should address only one behavior.
All behaviors should be measurable and observable. You cannot do either with "Understand".
Idea: Contingency Plan Testing
DELETE ENTRY
************************
Keep.
The certifier also tests for continuity of operations based on the criticality of the data and system. The contingency plan is built to ensure continuity of operations.
The certifier must determine if countermeasures have been installed on a system, if the countermeasures work, and if the countermeasures are appropriate for the threat against the system. If a threat exists against the system and no countermeasure is installed to meet it then security does not exist. The countermeasures help make up the security posture which is what the certifier is determining.
Idea: Integrity, confidentiality, and availability. (IC&A)
{Entry Level Activity}
Understand the fundamental information systems requirements of IC&A.
{Intermediate Level Activity}
Identify shortfalls in information system security mechanism which fail to meet minimum IC&A criteria.
{Advanced Level Activity}
Specify and test IC&A safeguards.
************************
Each statement should address only one behavior.
All behaviors should be measurable and observable. You cannot do either with "Understand".
Idea: Object Reuse
{Entry Level Activity}
Understand principles involved with the data remanence problem associated with computer hardware (e.g. magnetic media, video terminals, toner cartridges and copier drums, typewriter ribbons, computer memory, circuit boards, backup tapes, etc.).
{Intermediate Level Activity}
Demonstrate skills necessary to clear computer hardware and eliminate remanent data.
{Advanced Level Activity}
Verify and test that object reuse mechanism are properly implemented and working.
************************
Each statement should address only one behavior.
All behaviors should be measurable and observable. You cannot do either with "Understand".
Idea: Dial-Up Security
DELETE ENTRY
Idea: Circuit-Switched Networks
DELETE ENTRY
Idea: Disaster Recovery Plan Testing
DELETE ENTRY
************************
Keep
See contingency planning
Idea: Firewall
DELETE ENTRY
************************
Keep
See network firewall
Idea: Data Access Control
DELETE ENTRY
Idea: Change Controls
DELETE ENTRY
************************
Keep
The certifier must determine that only authorized individuals can modify a system and that authorized modifications are documented and tested. Otherwise, you have no clue what the system really looks like.
************************
THIS WAS INCLUDED UNDER ANOTHER CATEGORY, TRY CONFIGURATION MANAGEMENT OR SO SECURITY
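Added example (editor's illustration, not from the session): one way to test the change-control point made above, that the system as fielded matches the documented and authorised configuration, so that the certifier does know what the system really looks like. The script takes a hashed baseline of a directory tree and later reports every file added, removed or modified; each difference then has to be matched to an approved, tested change record, and anything unmatched is a finding. The tree it builds lives in a temporary directory and its file names and contents are invented for the example.

```python
"""Certifier check for change control: baseline a tree by content hash, then
compare the tree later to list what was added, removed or modified.  The demo
builds a throwaway tree under a temp directory (constructed, not a real system)."""
import hashlib
import os
import tempfile


def snapshot(root):
    """{relative path: sha256 hex digest} for every regular file under root."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic traversal
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Classify every path as added, removed, modified or unchanged."""
    base_paths, cur_paths = set(baseline), set(current)
    both = base_paths & cur_paths
    return {
        "added":     sorted(cur_paths - base_paths),
        "removed":   sorted(base_paths - cur_paths),
        "modified":  sorted(p for p in both if baseline[p] != current[p]),
        "unchanged": sorted(p for p in both if baseline[p] == current[p]),
    }


def demo():
    """Build a tree, baseline it, make three undocumented changes, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        files = {                            # constructed contents
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "etc/inetd.conf": b"ftp stream tcp nowait root /usr/sbin/ftpd\n",
            "bin/login": b"\x7fELF original login binary (constructed)\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)

        # Changes nobody documented: a replaced binary, a new startup file,
        # a removed service configuration.
        with open(os.path.join(root, "bin/login"), "wb") as fh:
            fh.write(b"\x7fELF login binary with extra code (constructed)\n")
        with open(os.path.join(root, "etc/rc.local"), "wb") as fh:
            fh.write(b"/usr/sbin/telnetd &\n")
        os.remove(os.path.join(root, "etc/inetd.conf"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-10s %s" % (kind, paths))
```

The baseline only has value if it is taken from a known-good state and kept where the people who can modify the system cannot also modify it; otherwise the comparison tells the certifier nothing about who made a change or whether it was authorised.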
Idea: Discretionary Access Control
DELETE ENTRY
Idea: Deletion Of Accounts
DELETE ENTRY
************************
Keep.
The certifier must determine if accounts are deleted as put forth in policy, guidance, etc. Not only that but that the accounts are deleted and not just inactive or hidden.
************************
Included under access controls, I think
Idea: Emanations Security
DELETE ENTRY
************************
Keep!!!
Hopefully one of the people on the team is a TEMPEST person. We still have TEMPEST requirements and those need to be followed before a system can be certified
************************
this entry included under physical security
Idea: Error Logs
DELETE ENTRY
************************
Keep
See audit
Idea: Firmware Security
DELETE ENTRY
Idea: Electromagnetic Countermeasures
DELETE ENTRY
************************
Keep
See countermeasures
************************
this was included under emanations security under physical
Idea: Internet Security
DELETE ENTRY
Idea: Intrusion Detection and Deterrence
{Entry Level Activity}
Understand and is cognizant of methods of intrusion.
{Intermediate Level Activity}
Applies and demonstrates skills necessary to test and evaluate intrusion prevention techniques.
************************
Each statement should address only one behavior.
All behaviors should be measurable and observable. You cannot do either with "Understand".
Idea: Security Product Testing/Evaluation Products List
{Entry Level Activity}
Knows of existence and importance of evaluated products list that can be matched to system needs.
{Intermediate Level Activity}
Demonstrates skills necessary to match evaluated products with systems needs.
************************
Each statement should address only one behavior.
All behaviors should be measurable and observable. You cannot do either with "Knows".
Idea: Security Functional Testing
DELETE ENTRY
************************
Keep
In all reality this is a large part of what the certifier does
************************
DISAGREE functional testing is a different animal. The certifier may do functional testing on security features during DT/OT and prior to fielding, (usually done by contractor). What the certifier does may include the testing of a function, but by Directives, is not "functional testing"
************************
The certifier tests the system's security features to see if they are implemented and functioning properly. How much more functional does it get?!
Idea: Internal Controls And Security
DELETE ENTRY
************************
Keep
See comments under access controls, change controls, etc.
Idea: Intrusion Deterrents
DELETE ENTRY
************************
Keep
See comments under access controls; alarms, signals reports; countermeasures. You have to test these areas in order to determine your security posture
************************
this is under "intrusion detection"
Idea: Keystroke Monitoring
DELETE ENTRY
Idea: Local Area Network Security
DELETE ENTRY
Idea: Mandatory Access Controls
DELETE ENTRY
Idea: Reliability Testing
DELETE ENTRY
Idea: Protection From Malicious Code
DELETE ENTRY
************************
Keep.
This needs to be tested. What if you have a virus scanner installed that can't detect a virus or has been disabled?
************************
this is covered under software security or OS security
Idea: Labeling
DELETE ENTRY
Idea: Network Firewalls
DELETE ENTRY
************************
KEEP
Keep either this entry or Firewalls. While Firewalls may not be the security panacea once thought, if Firewalls are installed they need to be tested. A non-functioning firewall gives a false sense of security which may be worse than no security at all.
************************
try "Network Security"
Idea: Network Security
{Entry Level Activity}
Understand the inherent security risks involved in network architecture (access control, electronic mail, connectivity, backups, physical protection, etc.). Associate network security mechanisms and practices with these weaknesses.
{Intermediate Level Activity}
Demonstrate effective review of mechanisms and practices. Demonstrate skills in effectively matching protection with weaknesses.
{Advanced Level Activity}
Performs tests on network security mechanisms and features. Reviews and evaluates weaknesses in network security practices.
************************
Each statement should address only one behavior.
All behaviors should be measurable and observable. You cannot do either with "Understand".
Idea: One-Time Passwords
DELETE ENTRY
************************
See comments under password management. If a system uses one-time passwords, someone should check and see if they really are one-time and if only authorized users can use them
************************
try access controls
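Added example (editor's illustration, not from the session): checking that a one-time password really is one-time. The server below implements a hash-chain scheme in the style of S/Key (RFC 1760), with SHA-256 substituted for the RFC's MD4, so it is illustrative rather than interoperable with any product; the seed, user names and counts are constructed. The exercise() function scripts the checks a certifier would run against such a server: accept the first use, reject a replay of the same value, reject a value presented out of sequence, and reject a user who was never enrolled.

```python
"""Certifier check: is a one-time password really one-time?  Hash-chain OTP
server in the style of S/Key, with SHA-256 in place of RFC 1760's MD4.  The
server keeps only the last accepted value and a remaining-use count."""
import hashlib
import hmac


def h(data):
    return hashlib.sha256(data).digest()


def make_chain(seed, n):
    """[p0, p1, ..., pn] with p0 = H(seed) and p(i) = H(p(i-1)).
    The client presents p(n-1), then p(n-2), and so on; the server is enrolled
    with p(n) only and never sees the seed."""
    chain = [h(seed)]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class OtpServer:
    def __init__(self):
        self.state = {}            # user -> (remaining uses, last accepted value)

    def enrol(self, user, count, last_value):
        self.state[user] = (count, last_value)

    def login(self, user, candidate):
        """Accept only the immediate predecessor of the last accepted value:
        H(candidate) must equal what is stored.  Anything else, including a
        replay of a value already used, fails."""
        count, last = self.state.get(user, (0, None))
        if last is None or count <= 0:
            return False           # not enrolled, or chain exhausted: re-enrol
        if not hmac.compare_digest(h(candidate), last):
            return False           # replayed, skipped ahead, or simply wrong
        self.state[user] = (count - 1, candidate)
        return True


def exercise():
    """Script the checks a certifier would run; returns the list of outcomes."""
    chain = make_chain(b"constructed seed; a real one is passphrase plus salt", 5)
    server = OtpServer()
    server.enrol("alice", 5, chain[5])
    return [
        server.login("alice", chain[4]),   # first use: accepted
        server.login("alice", chain[4]),   # same value again: replay rejected
        server.login("alice", chain[2]),   # skipping ahead: rejected
        server.login("alice", chain[3]),   # next in sequence: accepted
        server.login("bob", chain[2]),     # user never enrolled: rejected
    ]


if __name__ == "__main__":
    print(exercise())   # [True, False, False, True, False]
```

The replay test is the one that answers the question raised above; the exhaustion case (count reaching zero) matters too, because a server that keeps accepting after the chain is used up has silently stopped being one-time.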
Idea: Operating Systems
DELETE ENTRY
Idea: Password Management
DELETE ENTRY
************************
Keep
See comments under access controls and access control software. This is a part of it. What happens if passwords are stored in an un-encrypted file, never expire, etc.?
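Added example (editor's illustration, not from the session): the two checks raised under Deletion of Accounts (are terminated users' accounts actually deleted, or merely locked, shell-disabled or hidden?) and under Password Management (are password hashes stored unshadowed in a world-readable file, hashed with a legacy algorithm, or set never to expire?). One script serves both because both read the same passwd and shadow files. The file layouts are the standard colon-separated ones; the user names, hashes and termination list are all constructed.

```python
"""Certifier checks for account deletion and password management over
constructed /etc/passwd and /etc/shadow contents."""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/sbin/nologin
carol:x:1003:100:Carol:/home/carol:/bin/sh
dave:Npge08pfz4wuk:1004:100:Dave:/home/dave:/bin/sh
"""

# name:hash:lastchange:min:max:warn:inactive:expire:reserved  (hashes invented)
SAMPLE_SHADOW = """\
root:$6$5bXk9tQz$Q1w2e3r4t5y6u7i8o9p0A1s2d3f4g5h6j7k8l9z0x1c2v3b4n5m6:9000:0:90:7:::
alice:$6$Lm3pQ7rS$z9y8x7w6v5u4t3s2r1q0P9o8i7u6y5t4r3e2w1q0a9s8d7f6g5h4:9300:0:99999:7:::
bob:!$6$Vb7nM2kL$a1b2c3d4e5f6g7h8i9j0K1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6:9000:0:90:7:::
carol:Npge08pfz4wuk:8000:0:90:7:::
"""

# Names reported as terminated (constructed).
TERMINATED = ["bob", "carol", "erin"]


def parse_colon_file(text):
    """{name: list of fields} for a passwd- or shadow-format file."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def account_status(name, passwd, shadow):
    """'deleted' is the only acceptable answer for a terminated user.  The other
    states are what "deleted" often turns out to mean in practice."""
    if name not in passwd:
        return "deleted"
    sh = shadow.get(name)
    hashval = sh[1] if sh else passwd[name][1]
    if hashval.startswith(("!", "*")):
        return "locked-not-deleted"
    if passwd[name][6].endswith(("nologin", "false")):
        return "shell-disabled-not-deleted"
    return "ACTIVE"


def password_findings(passwd, shadow):
    findings = []
    for name, fields in passwd.items():
        if fields[1] not in ("x", "*", "!"):
            # Hash sits in world-readable passwd: available for offline cracking.
            findings.append((name, "hash stored in world-readable passwd, not shadowed"))
        sh = shadow.get(name)
        if sh is None:
            continue
        locked = sh[1].startswith(("!", "*"))
        hashval = sh[1].lstrip("!")
        if sh[1] == "":
            findings.append((name, "empty password"))
        elif not locked and not hashval.startswith("$"):
            findings.append((name, "legacy 13-character DES hash"))
        maxdays = sh[4]
        if maxdays == "" or int(maxdays) >= 99999:
            findings.append((name, "password never expires"))
    return findings


def review(terminated, passwd_text, shadow_text):
    """Status of each terminated account, plus password findings for all accounts."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    return ({n: account_status(n, passwd, shadow) for n in terminated},
            password_findings(passwd, shadow))


if __name__ == "__main__":
    statuses, findings = review(TERMINATED, SAMPLE_PASSWD, SAMPLE_SHADOW)
    for name, status in statuses.items():
        print("%-6s %s" % (name, status))
    for name, issue in findings:
        print("%-6s %s" % (name, issue))
```

On the sample, bob was locked rather than deleted, carol is still active with a legacy hash, and erin is genuinely gone; alice's password never expires and dave's hash is in the world-readable passwd file. A locked account still owns files, may still receive mail and can be unlocked by anyone with the right to edit shadow, which is why the discussion insists on deletion rather than deactivation.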
Idea: Platform-Specific Security
DELETE ENTRY
Idea: Software Security
{Entry Level Activity}
Recognize and understand the interaction of various operating systems, system software, user programs and applications (to include malicious code and its implications) as it relates to security testing and protection.
{Intermediate Level Activity}
Demonstrate testing skills (to include software configuration control, data deletion, software access, etc.) necessary to verify software security mechanisms.
************************
Each statement should address only one behavior.
All behaviors should be measurable and observable. You cannot do either with "Recognize and understand".
Idea: Operating System Integrity
DELETE ENTRY
Idea: List-Based Access Controls
DELETE ENTRY
Idea: Modems
DELETE ENTRY
Idea: Network Switching
DELETE ENTRY
Idea: Security Domains
DELETE ENTRY
Idea: Memory (Non-Volatile)
DELETE ENTRY
Idea: Memory (Random)
DELETE ENTRY
Idea: Memory (Sequential)
DELETE ENTRY
Idea: Electronic-Mail Security
DELETE ENTRY
Idea: Mobile Workstation Security
DELETE ENTRY
Evaluate
Idea: Client/Server Security (Note: consider changing Idea to Distributed System Processing)
Definition: Assembles
{Entry Level Activity}
The Certifier assembles (collects) the data from the tests.
Definition: Explains
{Entry Level Activity}
The Certifier explains what the results of the test data mean.
Definition: Evaluate
{Entry Level Activity}
The Certifier evaluates the adequacy of test results to ensure the security of the client/server system.
************************
Change "Distributed System Processing" to "Distributed System Security"
Idea: Common Carrier Security
Definition: Appraises
{Entry Level Activity}
The certifier appraises the contract with the common carrier to determine what security mechanisms are in place on the common carrier lines.
Definition: Evaluate
{Entry Level Activity}
The Certifier will evaluate the adequacy and use of the security of the common carrier lines present in the operational environment.
GIVEN THE AMBIGUITY THAT SEEMS TO EXIST IN TERMS OF DEFINITION, IT MIGHT BE A GOOD IDEA TO DELETE MOST REFERENCES TO APPRAISES AND REPLACE IT WITH EVALUATE.
************************
Suggest deleting "Appraises" from list.
Idea: Communications Center Security
Definition: Appraises
{Entry Level Activity}
The Certifier appraises the protection of the communications center, switching center, PBX's, routers, gateways, etc. both physically and technically.
Definition: Evaluate
{Entry Level Activity}
The Certifier evaluates the effectiveness of the protection and access mechanisms to the communications center, switching center, PBX's, routers, gateways, etc. both physically and technically.
************************
Suggest removing appraise from the list. We probably only care if the evaluation is favorable or not. Let the communications center appraise THEIR system.
Idea: Classified Materials Handling And Shipping
Definition: Identifies
{Entry Level Activity}
The Certifier identifies the administrative procedures relevant to Classified Materials Handling and Shipping.
Definition: Evaluate
{Entry Level Activity}
The Certifier evaluates the adequacy of and compliance with the procedures.
Idea: Access Privileges
Definition: Evaluate
{Entry Level Activity}
In the certification process, during evaluation, when evaluating, access privileges the certifier evaluates the results of test for the propagation of access privileges, assignments, proper functioning, etc.
************************
What does this really mean? I cannot follow the grammar.
************************
you mean "grammar"
Idea: Disaster Recovery
Definition: Evaluate
{Entry Level Activity}
During the certification process, the certifier evaluates the results of Disaster Recovery testing including such items as: completeness of the plan, backups, continuity of operations, alternate processing options, data integrity, loss of data.
Definition: Appraises
{Entry Level Activity}
During the certification process, the certifier appraises the effectiveness and adequacy of the Disaster Recovery Plan. Appraises how often the plan is updated or tested and how familiar personnel are with it.
************************
What is the difference between appraises and evaluates here??
Idea: Countermeasures
Definition: Appraises
{Entry Level Activity}
During the certification process, the certifier appraises the adequacy of countermeasures.
Definition: Interprets
{Entry Level Activity}
The certifier has to be able to interpret applicable laws, directives, regulations, etc. to ensure that the intent is met by the countermeasures.
Definition: Evaluate
{Entry Level Activity}
During the certification process, the certifier evaluates the effectiveness of countermeasures. Also, the certifier evaluates the ISSO's ability to maintain the security posture of the system (the local INFOSEC program); this includes ASSIST/CERT/CIAC reports, ongoing tests of the system and procedures, identification of new vulnerabilities, application of new countermeasures, etc.
Definition: Identifies
{Entry Level Activity}
During the certification process, the certifier identifies any areas where countermeasures were not effective or non-existent.
************************
Add "policy" to the list of items to interpret.
************************
Under "identifies" add "identifies the countermeasures in use"
************************
Suggest deleting appraises or evaluates. The difference is still questionable.
Idea: Audit Trails And Logging
Definition: Appraises
{Entry Level Activity}
During the certification process, the certifier appraises the adequacy of audit trails and logging.
Definition: Evaluate
{Entry Level Activity}
During the certification process, the certifier evaluates the effectiveness of audit trails and logging.
************************
Under "evaluate" add "adequacy of audit trails & logging"
************************
Appraises Vs Evaluates! Next time on NOVA.
************************
See the TV Guide for time and date
Idea: Documentation Policies
Definition: Evaluate
{Entry Level Activity}
During the certification process, the certifier evaluates the effectiveness of documentation policies.
Definition: Identifies
{Entry Level Activity}
During the certification process, the certifier identifies documentation and documentation policies which are inadequate or non-existent.
Definition: Reads
{Entry Level Activity}
Preferably the certifier will read the documentation policies and documentation before he evaluates them.
************************
Under "evaluate" add "completeness of documentation required by policy"
************************
Delete "Reads" from the verb list. Not necessary and only clutters the folder.
Idea: Emergency Destruction
Definition: Evaluate
{Entry Level Activity}
During the certification process, the certifier evaluates the effectiveness of emergency destruction procedures.
Definition: Identifies
{Entry Level Activity}
During the certification process, the certifier identifies emergency destruction procedures which are inadequate or non-existent
************************
Suggest the evaluator review the results of the destruction procedures test.
Idea: Environmental Controls
Definition: Appraises
{Entry Level Activity}
During the certification process, the certifier appraises the adequacy and effectiveness of environmental controls and the ability of personnel to operate the environmental controls.
Definition: Evaluate
{Entry Level Activity}
During the certification process, the certifier evaluates the effectiveness of environmental controls such as: fire suppression equipment, air conditioning, humidifiers, UPS.
************************
Appraise VS Evaluate??
Idea: Facility Management
Definition: Evaluate
{Entry Level Activity}
During the certification process, the certifier evaluates the effectiveness of facility management procedures such as: access controls rosters, end of day close checklists, escorting of visitors, etc.
************************
Add "adequacy of facility management procedures" to the definition of "evaluate"
Idea: Incident Response
Definition: Appraises
{Entry Level Activity}
During the certification process, the certifier appraises the adequacy and appropriateness of incident response, the users' familiarity with the incident response procedures, and the ISO's response to the incident.
Definition: Evaluate
{Entry Level Activity}
During the certification process, the certifier evaluates the effectiveness of incident response procedures such as: reporting, user actions.
************************
Appraises VS Evaluates
Idea: Human Threats
Definition: Appraises
{Entry Level Activity}
The certifier will appraise the potential data loss/damage which can occur through the manifestation of a human threat.
Definition: Evaluate
{Entry Level Activity}
During the certification process, the certifier evaluates the likelihood of human threats manifesting themselves against the system.
Definition: Identifies
{Entry Level Activity}
During the certification process, the certifier must identify intentional (hacker, disgruntled employee) and unintentional (the idiots, omissions, deletions) human threats against the system.
************************
A VS E
************************
Add to the "evaluate" definition "evaluation of the adequacy of controls to protect against human threats"
Idea: Evaluation Techniques (Evaluation)
Definition: Choose
{Entry Level Activity}
The certifier must choose the appropriate evaluation techniques/tools (SPI, sniffers, SATAN, etc.) for the gathered data.
Definition: Use
{Entry Level Activity}
The certifier uses various evaluation techniques to analyze the gathered data.
************************
Sounds like the evaluator is being confused with the tester!?!
Idea: Intrusion Deterrents
Definition: Appraises
{Entry Level Activity}
The certifier appraises the adequacy of physical, administrative, and technical intrusion deterrents and the proficiency of users and SAs in applying them.
Definition: Evaluate
{Entry Level Activity}
The certifier evaluates the effectiveness of intrusion deterrents such as: guards, fences, locks, alarms, I&A mechanisms, addressing.
************************
A VS E
Idea: Logs And Journals
Definition: Appraises
{Entry Level Activity}
The certifier appraises the adequacy of the different logs and the information tracked to determine if they provide a sufficiently detailed picture of the day-to-day operation of the system.
Definition: Evaluate
{Entry Level Activity}
The certifier evaluates if the information collected in logs and journals is tamper-resistant and contains accurate information (e.g., the real address of the machine logging on).
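One concrete way to make a log tamper-evident, and to keep the real source address of a login out of the client's hands, as an added example that is not part of the original session: each entry is chained to its predecessor with SHA-256, so an edited, deleted or reordered record breaks verification at that point, and login records store the peer address the server observed rather than a name the client supplied. The record layout, sample users and addresses are constructed for the example.

```python
"""Added example (not from the original session): an append-only log whose
entries are chained by SHA-256 so that editing, deleting or reordering a
record is detectable, and whose login records carry the source address the
server actually observed rather than anything the client claimed."""
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first link


def make_login_record(user: str, peer_addr: str, claimed_host: str) -> dict:
    """`src` is the address the server saw on the connection; the client's
    self-reported hostname is kept in a separate field so it can never be
    mistaken for the real source."""
    return {"event": "login", "user": user, "src": peer_addr,
            "claimed_host": claimed_host}


def link_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous link's hash and the canonical JSON record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def build_chain(records: list[dict]) -> list[dict]:
    """Wrap each record in an entry naming the previous hash and its own."""
    entries, prev = [], GENESIS
    for record in records:
        h = link_hash(prev, record)
        entries.append({"prev": prev, "record": record, "hash": h})
        prev = h
    return entries


def verify_chain(entries: list[dict]) -> tuple[bool, int]:
    """Return (True, -1) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev or link_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1


# Constructed sample events (not real hosts or users).
SAMPLE_RECORDS = [
    make_login_record("alice", "10.1.1.20", "alice-pc"),
    make_login_record("bob", "10.1.1.31", "bob-laptop"),
    make_login_record("carol", "10.1.2.5", "carol-pc"),
]


def demo() -> dict[str, tuple[bool, int]]:
    """Show that the intact chain verifies and two tamperings do not."""
    entries = build_chain(SAMPLE_RECORDS)
    # Copy the entries so each scenario starts from the intact chain.
    edited = [dict(e, record=dict(e["record"])) for e in entries]
    edited[1]["record"]["src"] = "10.9.9.9"   # rewrite bob's source address
    deleted = entries[:1] + entries[2:]        # drop bob's record entirely
    return {"intact": verify_chain(entries),
            "edited_src": verify_chain(edited),
            "deleted_record": verify_chain(deleted)}


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The chain only detects tampering; a writer who can rewrite the whole file can recompute every hash. What makes it tamper-resistant in practice is storing the newest hash somewhere the log writer cannot reach (a separate host, or a periodically signed checkpoint), so a certifier reviewing such a log should ask where that anchor lives.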
Idea: Maintenance Of Configuration Documentation
Definition: Evaluate
{Entry Level Activity}
The certifier evaluates if maintenance and configuration documentation is kept up to date and accurately reflects changes made to the system.
Idea: Marking Of Media
Definition: Evaluate
{Entry Level Activity}
The certifier evaluates whether the policy and procedures for marking media provide sufficient protection for the media. Also, the certifier evaluates user awareness of and compliance with the policy and procedures.
Idea: Maintenance Procedures, Contract Employee
Definition: Appraises
{Entry Level Activity}
The certifier appraises the adequacy of maintenance procedures for contractors.
Definition: Evaluate
{Entry Level Activity}
The certifier evaluates the effectiveness of the maintenance procedures for contractors: the contractor can/can't take the equipment off-site, the contract specifies that all employees will have an appropriate clearance, contractors/contractor applications receive the minimum access privileges that still allow them to fulfill the contract (enforce least privilege).
Idea: Password Management
Definition: Appraises
{Entry Level Activity}
The certifier appraises the adequacy of password management policies and procedures and the SAs' and users' familiarity with and adherence to the policies and procedures.
Definition: Evaluate
{Entry Level Activity}
The certifier evaluates the effectiveness of the password management software in enforcing policies and procedures.
Definition: Verify
{Entry Level Activity}
The certifier must verify that userids and passwords are not shared among users.
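The earlier comment under Operating Systems asks what happens if passwords are stored in an unencrypted file or never expire, and the definitions above ask whether the password management software enforces policy and whether userids are shared. The following is an added example, not code from the original session, of the kind of checks a certifier could script for both questions. It assumes a shadow-style store (user, password field, days since last change, maximum age in days) and a simple login log format; all users, hashes and addresses are constructed samples.

```python
"""Added example (not from the original session): checks a certifier might
script when reviewing password management. It audits a constructed,
shadow-style password store for unhashed entries, never-expiring and
expired passwords and identical hashes across accounts, and scans
constructed login records for a userid used from two machines within
minutes of each other."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample store: user:password_field:last_change_days:max_age_days
SAMPLE_STORE = """\
alice:$6$s4lt$9f2c1b7e0a3d5c8b4e6f1a2d3c4b5a69:19700:90
bob:Summer2024!:19700:90
carol:$6$0th3r$c0ffee11deadbeef0123456789abcdef:19400:99999
dave:$6$s4lt$9f2c1b7e0a3d5c8b4e6f1a2d3c4b5a69:19700:90
"""

# Constructed login records (not from a real system).
SAMPLE_LOGINS = """\
2024-06-03T08:00:10 login ok user=alice src=10.1.1.20
2024-06-03T08:01:45 login ok user=bob src=10.1.1.31
2024-06-03T08:03:02 login ok user=bob src=10.1.1.77
2024-06-03T13:15:00 login ok user=carol src=10.1.2.5
"""

CRYPT_PREFIX = re.compile(r"^\$[0-9a-z]+\$")  # crypt(3)-style "$id$salt$hash"
NEVER_EXPIRES = 99999                          # shadow(5) convention for max_age
LOGIN_RE = re.compile(r"^(\S+) login ok user=(\S+) src=(\S+)$")


def audit_password_store(store_text: str, today_days: int) -> list[str]:
    """Return one finding per policy violation in the store."""
    findings = []
    by_hash = defaultdict(list)
    for line in store_text.splitlines():
        if not line.strip():
            continue
        user, pw_field, last_change, max_age = line.split(":")
        last_change, max_age = int(last_change), int(max_age)
        if CRYPT_PREFIX.match(pw_field):
            by_hash[pw_field].append(user)
        else:
            findings.append(f"{user}: password stored unhashed")
        if max_age >= NEVER_EXPIRES:
            findings.append(f"{user}: password never expires")
        elif today_days - last_change > max_age:
            findings.append(f"{user}: password expired")
    for users in by_hash.values():
        if len(users) > 1:  # same salt and hash means the same password
            findings.append("identical password hash shared by " + ", ".join(users))
    return findings


def find_shared_userids(log_text: str, window_minutes: int = 5) -> list[str]:
    """Flag a userid logged in from different source addresses within the
    window: one person rarely changes machines that fast, so this is a
    cheap indicator that the account is shared."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            by_user[m.group(2)].append((datetime.fromisoformat(m.group(1)), m.group(3)))
    window = timedelta(minutes=window_minutes)
    findings = []
    for user, events in by_user.items():
        events.sort()
        for (t0, src0), (t1, src1) in zip(events, events[1:]):
            if src0 != src1 and t1 - t0 <= window:
                findings.append(f"{user}: used from {src0} and {src1} within {window_minutes} min")
    return findings


if __name__ == "__main__":
    for finding in (audit_password_store(SAMPLE_STORE, today_days=19750)
                    + find_shared_userids(SAMPLE_LOGINS)):
        print(finding)
```

The identical-hash check only works because the store keeps a per-entry salt: two accounts with the same salt and hash hold the same password, which points to a shared or copied credential. The login check is an indicator rather than proof, so a finding from it is a lead for the certifier to confirm with the SA, not a conclusion on its own.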
************************
Suggest we change " verify that userids and passwords are not shared among users" to "established password policy is followed"
Idea: Maintenance Procedures, Local Employee
Definition: Appraises
{Entry Level Activity}
The certifier appraises the adequacy of maintenance procedures for employees.
Definition: Evaluate
{Entry Level Activity}
The certifier evaluates the effectiveness of the maintenance procedures for employees: the employee can/can't take the equipment off-site, all employees will have an appropriate clearance, employee/employee applications receive the minimum access privileges that still allow them to fulfill their duties (enforce least privilege).
Certification Planning
Idea: Access Control Policies
Recommend removal
{Entry Level Activity}
Identifies Administrative Security Policies And Procedures
{Intermediate Level Activity}
Interprets Administrative Security Policies And Procedures
{Advanced Level Activity}
Interprets Administrative Security Policies And Procedures
************************
collapse into entry level functions
{Entry Level Activity}
Identifies Agency-Specific Policies And Procedures
{Intermediate Level Activity}
Identifies Agency-Specific Policies And Procedures
{Advanced Level Activity}
Identifies Agency-Specific Policies And Procedures
{Entry Level Activity}
[N/A]
{Intermediate Level Activity}
Interprets audit collection requirements
[AI] Interprets audit collection requirements
************************
Audit collection requirements are usually identified and interpreted during the development of the system or application system. Recommend removal from the Certification Planning folder.
Idea: Audit Trails And Logging Policies
Recommend removal
************************
need to collect the policies and some sample output from each type log and audit trail for further evaluation
************************
Concur with removal. The collection of policies/examples is the same as identify and interpret audit requirements
************************
The policies (Information System Security Policy, administrative, audit, procedural, etc.) should be identified or developed during the Planning phase and interpreted during the Test phase. Recommend collection of all policies into one Idea for development (if necessary) and identification during Planning and interpretation during Testing.
Definition: {Entry Level Activity}
Identifies which Auditable events to test.
Definition: {Intermediate Level Activity}
Identifies which Auditable events to test.
Definition: [AI] Identifies which Auditable events to test.
************************
if it is the same task at each level, then only the entry level is needed. It is assumed the Intermediate and Advanced can do the entry level functions.
************************
In the Certification Planning phase I would assume that the Certification Team is planning "how", "who", and at a very high level the "what" to certify. In the "certification planning" phase I don't see identification of Auditable events for testing as included. That should be part of test planning.
{Entry Level Activity}
Identifies Communications Security Policy And Guidance
{Intermediate Level Activity}
Interprets Communications Security Policy And Guidance
{Advanced Level Activity}
Interprets Communications Security Policy And Guidance
************************
for the entry level, you need to add the reason why you are collecting the policies and guidance; I also believe all functions listed are entry level;
************************
Good point!
************************
I disagree. We cannot hope to draw the local 7-11 shop clerk into our fold and expect to train him/her from beginning to end. There must be some expected competence level.
************************
Perhaps, but somewhere along the career progression from Slurpies to DAA, this gentle soul needs to be made aware of much. This is a prerequisite issue that is not so easily resolved.
{Entry Level Activity}
[N/A]
{Intermediate Level Activity}
[N/A]
{Advanced Level Activity}
Evaluate contingency planning (if present)
************************
in the planning process, you are planning what needs to be done and how to do it; you do not evaluate in planning.
************************
Agree this should be removed
************************
Well . . . maybe. Some consideration should be given to identifying what issues need to be included in the planning process.
Idea: Certification
Recommend Removal
************************
Agree
************************
I don't remember the verbs associated with this Idea but during Certification Planning the certifier should address the Certification "process" and identify major certification steps (Plan, Test, Evaluate, Report).
Idea: Disaster Recovery Planning
Recommend removal
************************
Agree
{Entry Level Activity}
Assembles Documentation
{Intermediate Level Activity}
Evaluates Documentation
{Advanced Level Activity}
Evaluates Documentation
************************
recommend combining all functions into an entry level job;;
================
during the planning phase, usually we decide on team members, expertise required, provide criteria to organization being tested, choose dates, state what resources we need available, review system topology, ensure test plans and procedures are adequate, assign specific duties to team members, choose reports person(s), determine length of test, meet with ISSO and DAA from organization being tested, etc.
************************
Agree this category needs to be readdressed.
Idea: Documentation Policies
Recommend removal
************************
you need to assemble the policies for further evaluation;
************************
Maybe "identify" policies would be appropriate in planning
Idea: Continuity Planning
Recommend removal
************************
Agree
Idea: Separation Of Duties
Recommend removal
************************
Agree
{Entry Level Activity}
Identifies Information Security Policy
{Intermediate Level Activity}
Identifies Information Security Policy
{Advanced Level Activity}
Identifies Information Security Policy
************************
collapse into one entry level function
************************
Agree
************************
I recommend we explain what is expected of the individual. This doesn't explain a whole lot.
************************
I agree. The certifier should either identify or develop what should be in the policy (what the system is protecting and how it will provide this protection) for this specific system.
{Entry Level Activity}
Identifies Laws, Regulations, And Other Public Policies
{Intermediate Level Activity}
Interprets Laws, Regulations, And Other Public Policy
{Advanced Level Activity}
Interprets Laws, Regulations, And Other Public Policies
************************
collapse all functions into entry level jobs
************************
Agree
{Entry Level Activity}
Identifies Roles And Responsibilities
{Intermediate Level Activity}
Identifies Roles And Responsibilities
{Advanced Level Activity}
Identifies Roles And Responsibilities
************************
collapse into one entry level functions
************************
What roles and responsibilities are being identified? DAA, Certification Team (submembers), IV&V agent (if applicable), etc. should be identified and what role/responsibility they have in the certification process should be provided in the Certification Planning phase.
************************
Agree
************************
GO BABY!!
Idea: Guidelines
Recommend removal
************************
Probably should "identify" guidelines here
************************
recommend we readdress this issue.
Report
Idea: Approval To Operate
1. Definition: {Advanced Level Activity}
The certifier makes final recommendation to the DAA whether or not to accredit the system under evaluation and under what circumstances and for what period (for approval to operate). Documentation of the previously approved accreditation will be supplied as part of the current package.
2. Definition: {Advanced Level Activity}
The certifier addresses all environmental considerations associated with the accreditation process for approval to operate.
3. Definition: {Advanced Level Activity}
The certifier appraises the results of the evaluation process for approval to operate.
4. Definition: {Advanced Level Activity}
The certifier verifies compliance with all security requirements for approval to operate.
5. Definition: {Advanced Level Activity}
The certifier evaluates all input made in support of the certification process (for approval to operate).
************************
Suggest deletion of the 'evaluates' verb.
The certifier should be reporting on data gathered during testing which has already undergone evaluation.
This KSA should only really state that the certifier recommends approval to operate. I agree, except that the recommendation may be NON-APPROVAL to operate, connect or Cont. to operate
************************
this function should be entry level because all certifiers have to do this;
************************
Perhaps the certifier should "evaluate" the adequacy of input made to support certification or non-certification
************************
!!!!!!!!!! ATTENTION !!!!!!!!!!
A PARADIGM EXISTS RIGHT BEFORE YOUR EYES LETS SEE IF WE CAN SHIFT IT
I HAVE TRIED REPEATEDLY TO ADDRESS THIS ISSUE. FOR THOSE OF YOU WHO HAVE NEVER CERTIFIED A SYSTEM LISTEN: JUST BECAUSE YOUR DAA DOESN'T HAVE THE FAITH IN YOUR CERTIFIERS DOESN'T MEAN THE REST OF THE GOVERNMENT DOESN'T. REMOVING THE COMMENTS ABOUT WHAT TO DO IF YOUR DAA HAS ASSIGNED APPROVAL AUTHORITY, OR INTERIM APPROVAL IS A VERY BBBBBIIIIIIIIIIIGGGGGGGGGGGGG MISTAKE. LESLIE PAOLUCCI
************************
The good captain has a well-taken point here. What needs to be re-inserted here is: THE ISSUE OF TRAINING FOR THOSE INDIVIDUALS WHO HAVE BEEN GRANTED THE AUTHORITY TO PROVIDE APPROVAL TO OPERATE IN ANY FORM. In other words, the individual needs to be provided with the training required to act as the DAA's representative should he be so designated.
************************
doesn't anyone think that it is important to write up the findings and recommendations after or during the ST&E? This report become critical for the final approval, if there are cat I or Cat II findings. It is a record for the organization, and a record for the next (3-5 year) follow-on. Also, it gives the DAA the specifics, if wanted, but also COVERS THE CERTIFIER
Idea: Corrective Actions
1. Definition:{Advanced Level Activity}
The certifier addresses proper corrective actions to be taken in order to obtain full accreditation for the system.
2. Definition: {Advanced Level Activity}
The certifier identifies all corrective actions to be taken in order to meet requirements for accreditation.
3. Definition: {Advanced Level Activity}
The certifier initiates all corrective actions necessary to obtain accreditation.
4. Definition: {Advanced Level Activity}
The certifier tests the validity of corrective actions necessary to obtain accreditation.
5. Definition: {Advanced Level Activity}
The certifier appraises the efficacy of corrective actions taken to obtain accreditation.
6. Definition: {Advanced Level Activity}
The certifier demonstrates that corrective actions have been taken to obtain accreditation.
7. Definition: {Advanced Level Activity}
The certifier evaluates all corrective actions taken to obtain accreditation.
************************
The certifier does not initiate any corrective actions. He can identify deficiencies and recommend solutions for them. He can report his findings but he does not initiate anything.
************************
Suggest deletion of the verbs "tests," "appraises," "demonstrates," and "evaluates."
All done in either testing or evaluating.
************************
delete all verbs and select the verb "recommend". In the report process, the certifier is analyzing the test and evaluations to prepare a report. the heart of the report is the recommendations (in this case the corrective actions that need to be done prior to DAA granting approval to operate).
************************
I would use verbs "identify" and "recommend" to indicate what certifier does here.
Idea: Documentation
1. Definition: {Entry Level Activity}
The certifier is capable of explaining the systems certification documentation process.
2. Definition: {Intermediate Level Activity}
The certifier influences the overall development of the systems certification documentation process.
3. Definition: {Entry Level Activity}
The certifier outlines the documentation process in support of certification.
4. Definition: {Entry Level Activity}
The certifier ensures that testing procedures and results are included in the certification package supporting the certification effort.
5. Definition: {Entry Level Activity}
The certifier is capable of describing the documentation process supporting certification.
6. Definition: {Advanced Level Activity}
The certifier evaluates systems certification documentation prior to the submission of the certification package.
************************
Somewhere in these definitions it would seem appropriate to relate the reporting emphasis on the certification activities and the results of such activities. As stated these definitions could easily be placed in another folder for "the evaluation of certification documentation".
For example, changing the first KSA definition to "The certifier is capable of explaining the documentation within the reporting process for system certification" would relate the definition to the reporting function.
It is unclear how the "evaluates" KSA applies to reports. As defined this would belong in the evaluation folder.
************************
collapse all into entry level functions; the certifier needs to follow the report SOP (most likely a given or modified in the certification planning process) on documentation preparation;
************************
Are we addressing the certification of security documentation for a system or, as these definitions seem to indicate, are we talking about the certification report as the documentation? Recommend we redo this folder.
Idea: Maintenance Of Configuration Documentation
Definition: Has no verb and is redundant. Suggest deletion.
************************
Concur NOT PART OF REPORTING
Direct / Build a Team
Idea: Team Building
1. Definition: {Intermediate Level Activity}
2. Be able to identify the skills and expertise necessary in building an effective systems certification team.
3. Definition: Tests Stupid!!!!! Suggest deletion. What four knuckleheads threw this into the pot?
4. Definition: Evaluate. We apparently have found another four knuckleheads. Obviously, their attention was elsewhere at the time. Suggest deletion.
5. Definition: {Intermediate Level Activity}
6. The certifier identifies the process of building a certification team and the respective skills required of each member.
************************
Suggest deletion of the 'identifies' verb.
************************
the KSA is to identify, to choose and to analyze; delete all else; replace with:
"the certifier analyzes the system to be certified to identify the skills and abilities necessary to certify the system at hand and selects personnel with the appropriate capabilities";
************************
Agree with last comment
Idea: Delegation Of Authority
1. Definition: allocates This one sucks! Obviously, the four knuckleheads have struck again. Look, there goes Haley's comet!!!!
2. Definition: {Advanced Level Activity}
3. The certifier assigns further delegation of authority within the certification team. (Delegation of Authority)
4. Definition: Evaluate Again, the body-of-four have taken leave of their senses.
5. Definition: {Intermediate Level Activity}
6. The certifier addresses all facets of building and directing the certification teams.
7. (Delegation of Authority)
************************
This idea (KSA) really needs to be something like:
Certifier delegates authority to specific team members for accomplishing specific tasks/tests to be performed during the certification process.
************************
this is an entry level KSA; the verb should be delegate (not assigns); I suggest:
The certifier assigns various tasks to specific team members and in so doing delegates authority to the team member for the specific tasks;
************************
Concur with last comment
Task: (Brain Storm) Unknown God
Creation Date: Friday, June 23, 1995 09:40 AM
Print Date: June 23, 1995
Initial Question / Instructions
A question was not entered during the setup of this session.
Folder List
Unknown God
Unknown God
1. Application Development Control
2. Contractor Security Safeguards
3. Disposition Of Classified Information
4. Ethics
5. Evaluated Products
6. Expert Security/Audit Tools
7. Formal Methods For Security Design
8. Hackers (and Unauthorized Users)
9. Information Availability
10. Information Classification
11. Information Confidentiality
12. Information Criticality
13. Information Ownership
14. Information Resource Owner/ Custodian
15. Information Sensitivity
16. Information States
17. Legal And Liability Issues
18. Marking Of Sensitive Information
19. Network Communications Protocols
20. Open Systems Security
21. Policy Enforcement
22. Rainbow Series
23. Security Awareness
24. Security Training
25. Standards
Task: (Brain Storm) (capture data - delete me)
Creation Date: Friday, June 23, 1995 09:40 AM
Print Date: June 23, 1995
Initial Question / Instructions
Move the 267 KSAs into the Short List of Major Duties of the System Certifier.
Folder List
Report
Summarize the results of the test and evaluation and recommend to the DAA and/or offer interim approval to operate.
Evaluation
analysis of the results of the testing to determine the security posture of the system
Testing
examination of safeguards required to protect a system as they have been applied to an operational environment
Certification planning
Determine the dates, define the tasks and criteria, the documentation to be examined, coordinate w/ authorities etc.
Build/Direct a team
Identify the people with the skills and knowledge necessary to perform testing and evaluation of a system.
Unknown God
Report
1. Approval To Operate
2. Corrective Actions
3. Documentation
4. Maintenance Of Configuration Documentation
Evaluation
1. Access Privileges
2. Audit Trails And Logging
3. Classified Materials Handling And Shipping
4. Client/Server Security
5. Common Carrier Security
6. Communications Center Security
7. Countermeasures
8. Disaster Recovery
9. Documentation Policies
10. Emergency Destruction
11. Environmental Controls
12. Evaluation Techniques (Evaluation)
13. Facility Management
14. Human Threats
15. Incident Response
16. Intrusion Deterrents
17. Logs And Journals
18. Maintenance Of Configuration Documentation
19. Maintenance Procedures, Contract Employee
20. Maintenance Procedures, Local Employee
21. Marking Of Media
22. Password Management
Testing
1. Access Authorization
2. Access Control Models
3. Access Control Software
4. Access Controls
5. Access Privileges
6. Alarms. Signals And Reports
7. Applications Security
8. Assessments (e.g., Surveys, Inspections)
9. Audit Mechanism
10. Audit Trails And Logging
11. Auditable Events
12. Auditing Tools
13. Automated Security Tools
14. Availability
15. Backups
16. Cabling
17. Call-Back Security
18. Caller ID
19. Circuit-Switched Networks
20. Client/Server Security
21. Conformance Testing
22. Connectivity
23. Contingency Plan Testing
24. Countermeasures
25. Database Integrity
26. Dial-Up Security
27. Disaster Recovery Plan Testing
28. Validation (Testing)
29. Firewall
a device connected to the network that can adjudicate traffic between your net and the outside in accordance with some preset policy
30. Change Controls
31. Compartmented/partitioned Mode
32. Covert Channels
33. Data Access Control
34. Deletion Of Accounts
35. Discretionary Access Control
36. Electromagnetic Countermeasures
37. Electronic-Mail Security
38. Emanations Security
39. Error Logs
40. Firmware Security
41. Internal Controls And Security
42. Internet Security
43. Intrusion Detection
44. Intrusion Deterrents
45. Keystroke Monitoring
46. Labeling
47. List-Based Access Controls
48. Local Area Network Security
49. Malicious Code
50. Mandatory Access Controls
51. Memory (Non-Volatile)
52. Memory (Random)
53. Memory (Sequential)
54. Mobile Workstation Security
55. Modems
56. Network Firewalls
57. Network Security Software
58. Network Switching
59. One-Time Passwords
60. Operating System Integrity
61. Operating System Security Features
62. Operating Systems
63. Password Management
64. Platform-Specific Security
65. Protection From Malicious Code
66. Reliability Testing
67. Security Domains
68. Security Functional Testing
69. Security Product Testing/Evaluation
Certification planning
1. Access Control Policies
2. Administrative Security Policies And Pro
3. Agency-Specific Policies And Procedures
4. Audit Collection Requirements
5. Audit Trails And Logging Policies
6. Auditable Events
7. Communications Security Policy And Guidance
8. Contingency Planning
9. Certification
see NSTISSI No. 4009
comprehensive evaluation of the technical and non-technical security features of an AIS and other safeguards, made to establish whether it meets its security and accreditation requirements.
10. Change Control Policies
11. Continuity Planning
12. Coordination With Related Disciplines
13. Disaster Recovery Planning
14. Documentation
15. Documentation Policies
16. Guidelines
17. Information Security Policy
18. Laws, Regulations, And Other Public Policy
19. Life Cycle System Security Planning
20. Roles And Responsibilities
21. Separation Of Duties
Build/Direct a team
Team Building
Be able to identify the skills and expertise team members must have in order to conduct a comprehensive evaluation
Delegation Of Authority
Unknown God
Administrative Security Policies And Pro
Application Development Control
Audit Collection Requirements
Availability
Change Control Policies
Change Controls
Classified Materials Handling And Shipping
Client/Server Security
Common Carrier Security
Communications Security Policy And Guidance
Contingency Planning
Contractor Security Safeguards
Disposition Of Classified Information
Electromagnetic Countermeasures
Ethics
Evaluated Products
Expert Security/Audit Tools
Formal Methods For Security Design
Hackers (and Unauthorized Users)
Information Availability
Information Classification
Information Confidentiality
Information Criticality
Information Ownership
Information Resource Owner/Custodian
Information Security Policy
Information Sensitivity
Information States
Laws, Regulations, And Other Public Policy
Legal And Liability Issues
Life Cycle System Security Planning
Marking Of Sensitive Information
Network Communications Protocols
Open Systems Security
Policy Enforcement
Rainbow Series
Security Awareness
Security Training
Standards
Task: (Brain Storm) Ideas Not Allocated (wagon #1)
Creation Date: Friday, June 23, 1995 09:54 AM
Print Date: June 23, 1995
Initial Question / Instructions
Place any ideas where they belong (leave others on trail)
Folder List
important (but not relevant to SC)
Ideas Not Allocated
Contains ideas that were not added to any other folder.
Belongs in core
Important (but not relevant to System Certifier)
1. Declassification/Downgrade Of Media
2. Electronic Key Management System
3. Investigation Of Security Breaches
Ideas Not Allocated
Belongs in core
1. Computer Emergency Response Team
2. Multilevel security
the concept of processing information of different classifications, with simultaneous access by users holding different clearances; see NSTISSI No. 4009
See Modes of Operation/Security Modes of Operation
3. Copyright Protection And Licensing
4. Technical Vulnerability
A hardware, firmware, communications, or software weakness which leaves an AIS open to potential exploitation or damage. AR 380-19
5. Customer IT Security Needs
6. Environmental/Natural Threats
7. Information Integrity
8. Information Systems Security Officer
9. Modes Of Operation
10. Multilevel Processing
11. Network Monitoring
12. Network Topology
13. Object Labeling
14. Personnel Security Policies And Guidance
15. Protected Distributed System
16. Redundancy
17. Risk Acceptance Process
18. Rule Of Least Privilege
19. Rules-Based Access Controls
20. Security Architecture
21. Security Product Integration
22. Shielded Enclosures
23. Smartcards/Token Authentication
24. Storage Media Protection And Control
25. System Software Controls
26. System Testing And Evaluation Process
27. TCSEC/ITSEC/Common Criteria
28. Technological Threats
29. Trusted Network Interpretation (Red Book)
30. Verification And Validation Process
Task: (Brain Storm) Unknown god (pass 2)
Creation Date: Friday, June 23, 1995 10:46 AM
Print Date: June 23, 1995
Initial Question / Instructions
Of the "UNKNOWN GOD" what items belong in core (or perhaps belong in folder set)
Folder List
belongs in core
report
certification planning
build /direct team
test
evaluate
Ideas Not Allocated
Contains ideas that were not added to any other folder.
Leave on trail
belongs in core
Ethics
Information Availability
Information Integrity
Information Ownership
Information Sensitivity
Legal And Liability Issues
Network Communications Protocols
Rainbow Series
report
certification planning
build /direct team
test
evaluate
Ideas Not Allocated
Leave on trail
Policy Enforcement
Information States
Open Systems Security
Task: (Discuss) Final Comments and Suggestions
Creation Date: Friday, June 23, 1995 01:56 PM
Print Date: June 23, 1995
Initial Question / Instructions
Please enter commentary in any of the folders.
Folder List
Suggestions for modifying the software?
Suggestions for future sessions?
Did the session meet your expectations?
Suggestions for modifying the software?
* The software is outstanding
* in any exercise, allow the user to bring up definitions
* ************************
* If possible, I think it might be desirable to have a means of reviewing what KSAs one has already loaded in a particular folder.
* in YES/NO voting, don't pre-select any selection; count absentee votes as abstain
* VIEW OPTIONS - suppress options not applicable to the brainstorming session
* VIEW OPTIONS - if "ideas I have not moved" is chosen, an idea can only be placed in one folder; this needs to allow for placement in many folders;
* ADD IDEA - allow for more than 40 characters to be entered; if the definition field is used as a continuation, the definition function is fooled into thinking the continuation is a definition
* RANK order tool - allow to move several ideas to more than one folder at a time
* rank order tool - keep marker to know where you came from
* rank order tool - put long lists into two columns
* General:
add definitions for all KSAs
number lists in all tools when lists presented
cross link definition function to the glossary
The on-line research materials make all the difference
Suggestions for future sessions?
* Less Rain.
* ************************
* Have a DACUM for DAA and develop materials
* Have ISU put their data on CD-ROM or Internet
* Ensure that there is sufficient technical expertise to provide quality input.
* define all KSAs
* convene another DACUM to review all prior work
* more detail for sign ins
* ISU should host meeting to complete KSA definitions.
* more organization for last day
* Invest in more knowledgeable/experienced personnel.
* the online references make up for some lack of experience
* Schedule 4 - 6 Dacum Sessions per year on various sec topics
Did the session meet your expectations?
* Yes and more. I learned a lot about other services functions and how this neat tool works.
* This is the first security exercise I have participated in that allowed all organizations to participate on an even footing
* Yes, We accomplished more this week than my organization has done in six years
* Minimally. - not sure all folders, particularly the UNKNOWN GOD was fully addressed
* Yes and not if I say no. Seriously, I am concerned that National Level Policy is being developed and there appears to be a lack of commitment from some of the major players.
* YES, I believe the system allows the minority report to be represented without stopping the process.
Appendix One
1. Understand Hardware and protocols
2. Identify certification team members
Determine what functional area specialists (e.g., physical security, fire) will be a part of the team
As appropriate for the IS environment. May be DCID 1/16, or NIST pubs.
16. Develop Certification Plan
an outline that lays out the work to be done in the certification process, or at least a checklist to ensure that security requirements are tested
17. Develop And Conduct Certification Test
define the work (security safeguards to be tested), conduct test of effectiveness of safeguards, serve as a basis for making recommendation to the DAA
18. Documenting Certification Plans
Creator Declined Definition Request.
19. Acquire The Mission Needs Statement
The mission needs statement should explain the flow of information and overall functionality of the system.
20. Finalize Security Test Plan
before test, certifier must analyze and understand the plan which will be used and be sure its effective and does the job
21. Developing Certification Reports
22. Knows How To Access CERT, ASSIST Reports
these are repositories for vulnerability reports; there may be other sources
23. Determines Compliance W/ Security Plan
For some organizations this is the purpose of performing certifications, along with compliance with requirements and risk management
24. Identify Usable Products From EPL
EPL - Evaluated Products List - included in NSA Evaluated Products and Services Catalog, published quarterly, commercially available products
25. Finalize ST&E Procedure
security test & evaluation
26. Identify roles of groups/employees
Creator Declined Definition Request.
27. Evaluate contingency plans
Continuity of operations plans, viz., backup procedures, personnel and facilities in the event of loss of primary.
28. Identify Date For Certification
the certifier must coordinate with the ISSO to ensure resources are available and that everything is ready, so that a mutually agreeable date can be set
29. Understand Scope Of Environment
Be able to identify the totality of factors that contribute to the environment under which the system will operate.
30. Identify Personnel Security Requirements
Creator Declined Definition Request.
31. Verify System Is Ready For Certification
there are many times that an organization is not ready or prepared, even though the DAA has scheduled a certification for that organization
32. Familiar With Physical Security Principle
physical security principles, i.e., locks, bolts, security clearances, sensitivity of data, etc.
33. Recognize Current Trends And Directions
Recognize the path industry follows and plan for future of the system. Additionally, recognize short-term solutions.
Relevant to security and operations!
34. Identify Site Support Requirements
need personnel to run tests on the system, and resources such as space, phones, the ISSO, and personnel who can answer questions and help with the test
35. Familiar With TEMPEST
spurious electronic emanations
36. Familiar With OPSEC
Operational Security
37. Validate The Security Features
the policy or secure CONOPS or similar document will discuss the sec feat. but these must be validated that they have been implemented, and implemented correctly
38. Familiar With TRANSEC
transmission security
39. Conduct a Threat Assessment
evaluates the threat posed to the mission, guides system development, ensures legitimate security services are incorporated to counter these threats.
40. Assign Values To Assets
Either qualitative or quantitative values to help rank risks
41. Prepare Accred Package For DAA
upon completion of the CERT or ST&E, a package specifying the results (findings) is prepared in the form of a test report for the DAA
Please define if CERT means CERTIFICATION or Computer Emergency Response Team!
42. Understand Roles And Responsibilities
of the ISSO, ISSM, system administrator, DAA, and user
43. Familiar With MAC
mandatory access control
44. Identify Threat
Generic environmental and human threat
45. Examine Environmental Vulnerabilities
explore penetrability of facilities, system electromagnetic emissions, line of sight holes, grounding vulnerabilities, etc.
46. Know & Understand Document Requirements
must know the criteria by which the certification will be conducted; must know what to ask for, and whether the documents are adequate, up to date, and understood
47. Understand COMSEC Pertinent COMSEC issue
Understand how COMSEC relates to the operational environment and what issues must be addressed in gaining accreditation
48. Brief DAA On Results Of Certification
49. Familiar With DAC
discretionary access control
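Items 43 and 49 name the two access control policies a certifier has to tell apart when reviewing a system. The following is an added example, not from the DACUM output, in Python: a mandatory check in the Bell-LaPadula style (a subject's clearance must dominate an object's label to read it, and the object's label must dominate the clearance to write it) beside a discretionary check against an owner-managed ACL, with an access granted only when both agree. The classification ladder is the standard one; the compartment names ALPHA and BRAVO, the users and the document are invented for the scenario.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

# Added example. The compartments ALPHA/BRAVO, the users and the object
# are constructed for illustration, not from the page.

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Level must be at least as high AND every compartment of `other`
        # must be held; two labels can therefore be incomparable.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_permits(clearance: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula: no read up (simple security) and no write down (*-property)."""
    if op == "read":
        return clearance.dominates(obj)
    if op == "write":
        return obj.dominates(clearance)
    raise ValueError(f"unknown operation {op!r}")


def dac_permits(acl: Dict[str, Set[str]], user: str, op: str) -> bool:
    """Discretionary check: the owner-managed ACL lists who may do what."""
    return op in acl.get(user, set())


def access(user: str, clearance: Label, obj: Label,
           acl: Dict[str, Set[str]], op: str) -> bool:
    """Granted only if BOTH policies allow it. The owner may hand out ACL
    entries freely but cannot override the label check."""
    return mac_permits(clearance, obj, op) and dac_permits(acl, user, op)


# Constructed scenario: a SECRET document in compartment ALPHA whose owner
# has given alice read/write and bob read.
DOC = Label("SECRET", frozenset({"ALPHA"}))
DOC_ACL = {"alice": {"read", "write"}, "bob": {"read"}}

CLEARANCES = {
    "alice": Label("TOP SECRET", frozenset({"ALPHA", "BRAVO"})),
    "bob": Label("SECRET"),                    # cleared SECRET, no compartments
    "carol": Label("TOP SECRET", frozenset({"ALPHA"})),
}


def decisions() -> Dict[str, bool]:
    return {
        "alice reads": access("alice", CLEARANCES["alice"], DOC, DOC_ACL, "read"),
        # ACL grants write, but TS/ALPHA,BRAVO writing into SECRET/ALPHA is a write down.
        "alice writes": access("alice", CLEARANCES["alice"], DOC, DOC_ACL, "write"),
        # ACL grants read, but bob lacks the ALPHA compartment: MAC blocks it.
        "bob reads": access("bob", CLEARANCES["bob"], DOC, DOC_ACL, "read"),
        # MAC would allow it, but carol is not on the ACL.
        "carol reads": access("carol", CLEARANCES["carol"], DOC, DOC_ACL, "read"),
    }


if __name__ == "__main__":
    for case, ok in decisions().items():
        print(f"{case:13s} {'granted' if ok else 'denied'}")
```

The two denials for alice and bob are the point: an ACL entry, which any owner can create, never relaxes the mandatory policy, and compartments make labels a lattice rather than a simple ladder, so a SECRET clearance without ALPHA does not dominate SECRET/ALPHA.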
50. Know Different Resources Available To
provide information (ASSIST, VAAP, counterintelligence, security police, fire)
51. Conducts Risk Assessments
Identify critical assets, generic threat, vulnerabilities, and risks
52. Understand Risk/Threat Assessments
have to understand to see if they have been mitigated
53. Coordinate With Appropriate Local Infrastructure
managers.
54. Be Aware Of The Effects Of Environmental
concerns on the availability of a system (natural disasters, UPS, air conditioning, fire alarms/suppression equip)
55. Acquire/Develop the ISSP
The IS Security Policy outlines what the system needs to protect and the types of security services. Certification is against this document.
56. Familiar With Current Penetration Tools
Ex. COPS, CRACK, SATAN, etc.
57. Performs Risk Analyses
The ability to determine the level of residual risk in the operation of a given system pre-supposes that the individual can perform risk analyses.
58. Appropriately Document System Topology
May be considered part of certification package.
59. Consider/Test In A Variety Of (Cont )
operating environment
60. Understand How Connectivity Issues
affect the posture of a system
61. Be Able To Identify When A System
needs re-certification (either because of modification or time since last certification)
62. Know meaning of Orange Book criteria
Know A, B, C, D ratings and things like a B2 can be a guard between adjacent classification levels but a B1 or higher is needed for more separation
63. Verify Configuration Control Documents
make sure the documents represent the system
64. Understand Sensitivity Of Data
The "sensitivity of the data" will drive the types of access controls which need to be imposed. Everything else being equal.
65. Document the Detailed OPCON
describes, identifies, and explains the details of the system architecture. Helps assess the impact of subsequent documents and analysis.
66. Ensure Local SYSADM And Users Trained
Certification requires a snap shot of the system and its configuration be taken. Educate the local administrator and users about what invalidates it.
67. Maintain Currency Of Certification Documents
Ensure that governing regulations, guidelines, and directives are current and applicable to a systems evolving environment
68. Verify Configuration Control Mechanisms
make sure a procedure exists to update the documents
69. Review Contingency Plans
The system owner, as he contemplates the specific platform for the system, should have developed some contingency plans. The certifier reviews them.
70. Review Disaster Recovery Plans
71. Be Able To Determine The Operational
environment of fixed and mobile systems
72. Understanding of COMPUSEC
Computer security vs. communications security vs. operational security
73. Identify Certification Tools
Software availability in identifying vulnerabilities as well as those dealing with such issues as access and authentication, etc.
74. Understand Red Book
75. Understand Embedded Cryptography Mechanisms
76. Understand Embedded Privacy Mechanisms
77. Determine/Validate Security Requirements
Builds off the CONOPS into a level of detail
78. Understand Mission Support
Know what the system is supposed to do in delivering product or service.
79. Familiarization with the Rainbow Series
80. Define user organ security requirements (cont)
Specify (minimum) personnel, physical, environmental and procedural security controls required to maintain integrity/reliability of the system.
81. Understand Operating Systems
problems
82. Understand Mainframes
there are several different mainframes in different configurations. The certifier must know if they are properly installed, with proper safeguards and proper connections
83. Knowledge Of Protocols
84. Understand Various Applications In Use
understand applications to see if properly implemented, patches up to date, authorized users only, no holes, etc.
85. Understanding of Operational Environment
Physical environment, communications connectivity, users, security clearances, data classifications, policies, SOP's, etc. which define the environment
86. Familiar With COMSEC
the use of communications security devices is possible and they must be controlled, properly installed, and covered by SOPs, doctrine, policy, and destruction procedures
87. Propose Accreditation Period
The period for which a system will be accredited (3 years or less), provisional, etc.
88. Familiar With System Topologies
a system is made up of many connections, back doors, internal LANs, external connections, etc. the collection of everything that affects/is affected
89. Conduct Initial Risk Assessment
Based upon the risks associated with a threat assessment the certifier can recommend countermeasures to the threats.
90. Understand Differences Between Different
classes of systems (main, mini, micro, LAN, WAN, etc.)
91. Ensures that test procedures meets requirements
Creator Declined Definition Request.
92. Review All System Documentation
documents should be reviewed for adequacy, completeness, and accuracy
93. Familiar With INFOSEC Architectures
the information system security architecture is made up of the security features and their implementation, as in the DoD Goal Security Architecture
94. Identify Pertinent Personnel Policies
Personnel Security, clearances, need to know, threats, etc.;
95. Identify Security Mode Of Operation
dedicated, system high, compartmented, or multilevel security modes
96. Ensures Security Related Testing Is Documented
97. Identify Security Features
98. Ability To Understand Technical Documentation
Certifier must know adequate documentation when he sees it. First question is, "is there adequate documentation?"; Certifier must know the answer.
99. Review Mechanisms To Update Documents
documentation needs to be current and reflect the system
100. Analyzes Connectivity
What are the LAN/WAN connections?
101. Participates in testing
Creator Declined Definition Request.
102. Make Certification Recommendation
Simply state what the system is certified against, what is met/not met.
103. verify hardware/software operate
hardware and software need to operate as designed; test for loopholes
104. Reviews hardware design
Creator Declined Definition Request.
105. Identify all hardware assets
All items of significant hardware included in the certification plan. Inventories, etc.
106. Hardware/software accountability
Know who is accountable for hardware and software inventories
107. Provides Support To DAA
?????
108. Educator and briefer to superiors
Creator Declined Definition Request.
109. Determine acceptable risk
Identify what risks are beyond the ability of technology to protect against.
110. Conduct Residual Risk Assessment
Define for the DAA what residual risk remains after testing the system in the operational environment.
111. Reviews Software Design
looks at design of operating system and application programs, particularly with respect to their security features; and the interaction of these
112. Ensures software is properly tested
113. Maintenance security issues
Identifying security issues relating to software/hardware maintenance, viz., security clearance/access, shipping and handling of classified hardware/software
114. Validate Security Procedures
Cert. determines the effectiveness of the non-design related security procedures.
115. Familiar With /Laws, Policies, Procedures
116. Evaluate Non Security Safeguards
things such as environmental systems, UPS, fire protection
117. Establish Certification Review Schedule
Provide a schedule of when the topology and configuration is reviewed and updated. This will help ensure the system certification is current/valid.
118. Ensures RFPs Contain Security Req.
Creator Declined Definition Request.
119. Verify Login Procedures
what don't you understand
120. Verify Audit Capabilities
make sure there is an audit function and check it for robustness
121. Verify Environment
look at design environment with respect to real world environment
122. Conduct Certification Test and Evaluation
If applicable, CT&E is conducted against the technical requirements of the system.
123. Understands Details Of The Network Environment.
The overall security of the Information System depends on how secure the environment is. If the Information System is on a network, the network itself is a potential security threat
124. Conduct Security Test and Evaluation
Conduct ST&E. The system in its operational environment tested to meet the operational
125. Define Responsibilities To ISSO
Establish working relationship, duties, and commitments with the ISSO
126. Identify CERT resources
Computer Emergency Response Team or comparable support resources.
127. Understand Security Management Structure
one of the problems with organizations is that they do not have a systems security management structure in place, and the systems cannot be in good shape; need an ISSO and
128. Covert Channel Analysis
see Orange book
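The Orange Book asks the certifier to find such channels and measure their bandwidth. The following added example, not part of the DACUM output, simulates the simplest kind in Python: a covert storage channel in which a high subject signals to a low subject, which it may not communicate with under the MAC policy, by filling or freeing a shared resource once per synchronisation tick while the low subject observes the resource's state. The shared resource, the tick length (0.5 s), the interfering third subject and the bandwidth bands are all assumptions for illustration; the bands follow the TCSEC covert channel guideline as recalled here (above 100 bits/s too high, 0.1 bits/s and above to be auditable) and should be checked against the text before use.

```python
from typing import FrozenSet, List, Tuple

# Added example: a covert storage channel. The resource, tick length,
# noise pattern and bandwidth bands are assumptions for illustration.

TICK_SECONDS = 0.5   # assumed: how often sender and receiver synchronise


def to_bits(data: bytes) -> List[int]:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def transmit(message: bytes, repeat: int = 1,
             noise_ticks: FrozenSet[int] = frozenset(),
             tick_seconds: float = TICK_SECONDS) -> Tuple[bytes, float]:
    """High subject modulates a shared 'resource full' condition; low subject
    samples it each tick. Each bit is held for `repeat` ticks and the receiver
    takes a majority vote, which buys resistance to an unrelated subject that
    also fills the resource on `noise_ticks`. Returns (recovered message,
    bandwidth in bits per second of wall-clock time)."""
    bits = to_bits(message)
    received: List[int] = []
    tick = 0
    for bit in bits:
        samples = []
        for _ in range(repeat):
            sender_full = bool(bit)                      # high: fill or free it
            observed = sender_full or (tick in noise_ticks)  # low: what it sees
            samples.append(1 if observed else 0)
            tick += 1
        received.append(1 if sum(samples) * 2 > repeat else 0)  # majority vote
    elapsed = tick * tick_seconds
    return from_bits(received), len(bits) / elapsed


def tcsec_band(bits_per_second: float) -> str:
    """Assumed bands after the TCSEC covert channel guideline (section 8)."""
    if bits_per_second > 100:
        return "unacceptable"
    if bits_per_second >= 0.1:
        return "auditable"
    return "acceptable"


# Constructed interference: an unrelated subject fills the resource at tick 0.
NOISE = frozenset({0})

if __name__ == "__main__":
    for repeat in (1, 3):
        recovered, bps = transmit(b"OK", repeat=repeat, noise_ticks=NOISE)
        print(f"repeat={repeat}: {recovered!r} at {bps:.2f} bit/s ({tcsec_band(bps)})")
```

With one tick per bit the interference at tick 0 corrupts the first byte; with three ticks per bit the majority vote recovers the message, at a third of the bandwidth. That trade is the general shape of the analysis: noise and contention on the shared resource reduce the usable bandwidth, and the certifier's job is to bound the channel, see whether it falls in a band that must be audited, and confirm the audit mechanism (item 120) actually records its exploitation.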
129. Familiar With CM Tools
countermeasures for protecting against and detecting problems
130. Attend Contractor Testing
If applicable, witness the contractor's security testing of a developed system.
131. Reviews Architecture And Configuration
?
132. Understands Personnel Security Levels.
People are the biggest risk to a system's security. It is important that the certifier know what clearance requirements are needed.
133. Attend Design Reviews
If applicable, the certifier should attend design reviews of a developing system.
134. Reviews Previous Certification Reports
If this system was old, a prior report may be available; also reports from development cycle
135. Disaster Recovery/Continuity Plans
Plans for continuing operations in the wake of disaster (fire, flood, terrorists) to include facilities, personnel, conops, resources, logistics, etc.
136. Develops Countermeasures To Reduce Risk
137. Determines Residual Risks
after all is said and done, what is the risk that remains after all countermeasures and security features are employed
138. Does Site Visit
visit the site to verify the environment conforms to the design goal, and that the system is being used as designed; the users/opts are knowledgeable
139. Conduct a Detailed System Sec. Analysis
determines whether and to what degree the detailed security requirements have been satisfied by a design.
140. Be Able To Run/Evaluate SPI
SPI is a DoD countermeasure (CM) tool to assist in the detection of system problems
141. Understand Password Implementation
the way the password system is implemented, checked to ensure there are no weaknesses: how often passwords are changed, whether old users are deleted, etc.
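Items 56 (tools such as CRACK) and 141 together describe one audit: read the account records, check aging and dormancy, and try a dictionary against the stored hashes. The following is an added example in Python, not from the DACUM output. The account records, the day numbers, the wordlist and the policy limits (90-day maximum age, 180 days before an account counts as dormant) are constructed for illustration, and demo_hash, a salted SHA-512, stands in for the system's crypt(3) only so the block runs anywhere; a real audit must use the system's own hash and work factor.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example: password-implementation audit with a CRACK-style
# dictionary pass. Records, day numbers and limits are constructed.


def demo_hash(salt: str, password: str) -> str:
    # Stand-in for crypt(3); not a real password hash (no work factor).
    return hashlib.sha512((salt + password).encode()).hexdigest()


@dataclass
class Account:
    name: str
    salt: str
    hashed: str                  # "!" or "*" means the account is locked
    lastchg: int                 # day number when the password was last changed
    maxdays: Optional[int]       # maximum password age; None = never expires
    last_login: Optional[int]    # day number of last login; None = never

    @property
    def locked(self) -> bool:
        return self.hashed in ("!", "*")


def audit(accounts: List[Account], today: int, policy_max_age: int = 90,
          dormant_days: int = 180, wordlist: List[str] = ()) -> Dict[str, List[str]]:
    """Return the findings for each account (an empty list means clean)."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        if acct.locked:
            issues.append("locked")
        else:
            if acct.maxdays is None:
                issues.append("password never expires")
            else:
                if acct.maxdays > policy_max_age:
                    issues.append("max age exceeds policy")
                if today - acct.lastchg > acct.maxdays:
                    issues.append("password past max age")
            # CRACK-style check: hash each word with the account's own salt.
            if any(demo_hash(acct.salt, word) == acct.hashed for word in wordlist):
                issues.append("dictionary password")
            # "Old users deleted": an account nobody has used is a standing risk.
            if acct.last_login is None or today - acct.last_login > dormant_days:
                issues.append("dormant account")
        findings[acct.name] = issues
    return findings


TODAY = 9300   # constructed day number

SAMPLE = [
    Account("alice", "s1", demo_hash("s1", "Tr0ub4dor&3x!"), 9280, 90, 9299),
    Account("bob", "s2", demo_hash("s2", "password"), 9000, 90, 9298),
    Account("carol", "s3", demo_hash("s3", "c0rrect-horse"), 9200, None, 9100),
    Account("dave", "s4", demo_hash("s4", "Winter2024"), 9250, 365, 9290),
    Account("oldsvc", "s5", "!", 8000, 90, None),
]
WORDLIST = ["password", "123456", "letmein", "Winter2024"]


if __name__ == "__main__":
    for name, issues in audit(SAMPLE, TODAY, wordlist=WORDLIST).items():
        print(f"{name:7s} {', '.join(issues) or 'ok'}")
```

The dictionary pass deliberately hashes every candidate with each account's salt rather than comparing hashes across accounts: with a proper per-user salt, identical passwords produce different hashes, so a shared-hash check finds nothing. The dormant and never-expires findings are the ones that usually survive a purely technical review, because no tool flags them unless it is asked to.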
142. Assesses Configuration Management
change must be managed to ensure that the system's architecture and topology are understood, that all users are authorized, and that procedures are followed
143. Identify EMP Threats
Electromagnetic Pulse
Appendix 2
Applying This Technique To Your Organization
By applying this technique even in this prototype study, the federal government has saved over a year of development time and thousands of work hours. In order to begin developing projects like this one, your organizational management should be aware that there is a triad of countermeasures that supports information systems security: Technology; Policy and Practice; and Awareness, Training and Education (AT&E).
We recognize that in some organizations the three roles (senior management, Systems Administrator and Information Systems Security Officer) will be performed by the same individual; however, the tasks and responsibilities remain the same. Therefore it is important to customize the training to meet the specific needs of the organization; the basic structure, however, will be the same.
End User
End users are the most obvious target within the model; all employees who have access to information resources are in this category. The DACUM process has clearly revealed a key fact which seems to hold true across all organizations: As long as one excludes organization-specific process and equipment, the end user AT&E requirements are the same. A preliminary observation is that many organizations provide limited awareness programs for all employees. Most organizations do not provide end user training but rely heavily on the systems administrators to implement effective and efficient security measures. The contents of the Green Book provide many tools for establishing end-user training.
Systems Administrator
Although we would like all information security to start with the end user, the current environment makes the systems administrator the first effective line of defense. One problem with this is that they perform their security-related duties as a collateral task. Generally, the systems administrator devotes less than 20% of his or her time to security issues. To make their efforts more effective, they should have sufficient training to ensure that information security is both ubiquitous and unobtrusive while not compromising the security functions of a system.
In large organizations, both systems administrators and management personnel frequently lack the technical background in information security to match their managerial capability and responsibility, i.e., job titles are not a reliable predictor of actual responsibility nor system criticality. Awareness materials for systems administrators and functional managers have been developed to aid them in understanding threats, vulnerabilities and countermeasures. For technical issues systems administrators tend to rely heavily on the security professional.
Information Systems Security Professionals
The security professional plays a central role. He/she has a multi-level task that seems to be associated with the complexity and size of the networks controlled rather than any specific position he/she occupies in the organizational hierarchy. The DACUM results have identified that the associated tasks are very technical in nature. During DACUM IV, examples of instructional materials were developed. These were focused on the federal government position called the Information Systems Security Officer (ISSO).
Since our preliminary results indicate that there is less than a five percent job difference among DoD, civilian and industrial personnel, these awareness, training and education materials are being generalized for use in the non-government environment.
Senior Management
All the DACUM results have pointed out that the CIO is the top of the responsibility hierarchy. He/she must be made aware that information security serves a critical organizational mission and that it can not be an afterthought. In addition, the CIO must communicate the criticality of information systems security to both his peers and his superiors in the organization. The CIO should be made aware of the AT&E pyramid and be provided with structured information that allows him/her to allocate resources for information security to AT&E activities in an effective manner.
The first step in renewing and revitalizing an information systems security program should be to review all training completed within the organization in the past two years to see if it meets the basic suggested structure. At a minimum, every organization should have activities available at all three levels of AT&E. To aid in this effort the DACUMs have developed executive-level awareness materials for information security that can be modified easily to meet virtually any organization's needs.
Systems Certifier
Although the ultimate responsibility for the system lies with the DAA, the systems certifier is the one who makes recommendations to the DAA. DACUM V has established the training domain for the Systems Certifier. The group definition is:
A member of a team that performs the comprehensive assessment of the technical and non-technical security features and other safeguards of an Information System, in its final configuration, made in support of the accreditation process. The certifier identifies the assurance levels achieved in meeting all applicable security policies, standards and requirements upon which the DAA makes the determination as to whether or not an Information System can/is operating within the bounds of acceptable risk.
Acknowledgments
The following is a partial list of organizations that have participated in development and review of these materials. They represent a broad spectrum of the information systems security community and the collective contributions are gratefully acknowledged.
Blue Shield
Center For Decision Support
Center For Information Systems Security
Data Processing Managers Association
Defense Logistics Agency
Department of Agriculture
Department of Commerce
Department of Defense
Department of Education
Department of Energy
Department of Interior
Department of Justice
Department of Labor
Department of State
Department of Treasury
EG&G
Federal Aviation Administration
Federal Bureau of Investigation
Federal Computer Security Program Managers' Forum
Federal Information Systems Security Educators Association
General Accounting Office
General Services Administration
Health and Human Services
House of Representatives
Idaho State University
Indian Health Service
Information Security Institute
Information Systems Security Association
International Federation For Information Processing
(ISC)2
Logicon
Marines
MIS Training Institute
Monsanto Co.
National Computer Security Center
National Cryptologic School
National Institute of Standards And Technology
National Security Agency
NESSEC
New York Stock Exchange
NSTISSC
Office of Naval Research
Public Health Service
Racore Computer Products
Rockwell International Corporation
Simplot Decision Support Center
Smithsonian
Social Security Administration
State of Idaho
TRW
US Air Force
US Army
US Marshals Service
US Navy
US Postal Service
Westinghouse
1 The 'Other' category was often referred to as the unknown god . This is from the Classic Greek tradition of offering the first toast at the party to the unknown gods. The theory here was that if there were a god they had not yet identified, they would not insult him/her. This approach has proved valuable. The models are extensible and have provided insight to many security roles in both industry and government.
2 ____________, Keeping the U.S. Computer Industry Competitive: Defining the Agenda, National Research Council, National Academy Press, Washington, DC, 1990.
3 McCumber, John, Proceedings of the 14th National Computer Security Conference, National Computer Security Center, p334, October 1991.
4 Schou, Corey D., 1993. "Information Security Professionalism for the '90s," Computer Security", Vol. x, No x, Spring 1993. pp. xx-xx
5 Mitchell, William, 1990. "Enterprise Networks: The Multi-vendor Networks of the 1990's," Network Management, Vol. 8, No. 2, Feb., pp 69-72
6 _____________, 1991. Computers at Risk: Safe Computing in the Information Age
7 Schou, Corey D., J. Frost, N. Wingert, H. LaFond Enhancing Productivity and Quality Using Collaborative Organizational Re-Engineering and Paradigm Change Processes, Proceedings of the Association of Management, Atlanta Georgia, August 1993.
8 C.K. Prahalad and Gary Hamel, "The Core Competence of the Corporation", Harvard Business Review, May-June 1990.
9 Schou, Corey D, W. Vic Maconachy, and James Frost. Developing Awareness, Training, and Education, A Cost Effective Tool for Maintaining System Integrity, in IFIP Transactions Computer Security (A-37), pp. 53-63, North Holland, 1993.
10 The 'Other' category was often referred to as the unknown god . This is from the Classic Greek tradition of offering the first toast at a celebration to the unknown gods. The theory here was that if there were a god they had not yet identified, they would not insult him/her. Several additional categories, in fact, have been proposed and may be added in the future.
11 Schou, Corey D., Integrating Information Security, Center for Decision Support, Report 162, Idaho State University, Pocatello, ID 83205-4043
12 A means of classifying knowledge.
13 Knowledge - A broad comprehension of a subject that cannot necessarily be applied
Skill - Comprehension of a subject that is or can be specifically applied
Attribute - Personality characteristics which are or can be developed to enhance job performance
14 Bloom, Taxonomy of Educational Objectives: Cognitive Domain. New York, David McKay Co. Fifty-Seventh Yearbook, Part II, National Society for the Study of Education. Chicago, University of Chicago Press.
15 There was considerable discussion about the role of the DAA and the System Certifier.
7/23/95 CENTER FOR DECISION SUPPORT - IDAHO STATE UNIVERSITY