Fall 1 credit
Dr. Corey Schou or James Frost Office location: Bldg 5, Rm. 415
Preferred email: Schou@mentor.net Office Phone: 282-4893
Secondary email: Schou@cob.isu.edu Office hours: By Appointment

Course Description

Develops the critical thinking skills necessary for Senior Management to analyze and evaluate submitted documentation for determination of the validity and reliability of a proposed information system to operate at a proposed level of trust. These skills will be developed by reviewing system architecture, system security measures, system operations policy, system security management plan, legal and ethical considerations, and provisions for system operator and end user training.

PREREQUISITES:

INFO 4411, INFO 4413, INFO 4414

Targeted Standards

CNSSI 4012 Competencies for this course are found on this website.

Students should submit the competencies form for evaluation prior to the examinations.

Required Materials

CNSSI 4012 (available at https://www.cnss.gov/CNSS/issuances/Instructions.cfm)

Recommended Materials

Assigned as needed

Course Objectives

As a result of participation in INFO 4412, the successful student will demonstrate an understanding of:

  • Granting final approval to operate an IS or network in a specified security mode.
  • Reviewing the accreditation documentation to confirm that the residual risk is within acceptable limits for each network and/or IS.
  • Verifying that each information system complies with the information assurance (IA) requirements.
  • Ensuring the establishment, administration, and coordination of security for systems that agency, service, or command personnel or contractors operate.
  • Ensuring that the Program Manager/Official defines the system security requirements for acquisitions.
  • Assigning Information Assurance (IA) responsibilities to the individuals reporting directly to the SSM.
  • Defining the criticality and classification/sensitivity levels of each IS and approving the classification level required for the applications implemented on them.
  • Allocating resources to achieve an acceptable level of security and to remedy security deficiencies.
  • Ensuring that when classified/sensitive information is exchanged between IS or networks (internal or external), the content of this communication is protected from unauthorized observation, manipulation, or denial.
  • Resolving issues regarding those systems requiring multiple or joint accreditation. This may require documentation of conditions or agreements in Memoranda of Agreement (MOA).

Grading Criteria

Assignments 20%
Papers 25%
Final Evaluation 50%
Participation 5%

Grading Scale

A 93% - 100%
A- 90% - 92.9%
B+ 87% - 89.9%
B 83% - 86.9%
B- 80% - 82.9%
C+ 77% - 79.9%
C 73% - 76.9%
C- 70% - 72.9%
D+ 67% - 69.9%
D 63% - 66.9%
D- 60% - 62.9%
F 0% - 59.9%

CNSSI 4012 Competencies

| Competency | Item | Action Item | Student Checklist |
|---|---|---|---|
| Access control policies | 1 | | |
| Access controls – discretionary/mandatory | 2 | | |
| Access privileges | 3 | | |
| Accountability for sensitive data | 4 | | |
| Accreditation | 5 | | |
| Accreditation procedure | 6 | | |
| Accreditation types | 7 | | |
| Administrative security policies | 8 | | |
| Approval to Operate (ATO) purpose and contents | 9 | | |
| Assignment of individuals to perform information assurance functions | 10 | | |
| Attacks | 11 | | |
| Audit trail policy | 12 | | |
| Auditable events | 13 | | |
| Automated countermeasures/deterrents | 14 | | |
| Automated security tools | 15 | | |
| Availability (McCumber) | 16 | | |
| Background investigations | 17 | | |
| Backups | 18 | | |
| Biometric policies | 19 | | |
| Biometrics | 20 | | |
| Budget | 21 | | |
| Business recovery | 22 | | |
| Certification | 23 | | |
| Certification and Accreditation effort leading to Systems Security Authorization Agreement | 24 | | |
| Certification and Accreditation process policy | 25 | | |
| Certification procedure | 26 | | |
| Certification roles | 27 | | |
| Certification tools | 28 | | |
| Certifiers' understanding of mission | 29 | | |
| Change control | 30 | | |
| Clinger-Cohen Act | 31 | | |
| Commercial proprietary information | 32 | | |
| Commercial proprietary information protection | 33 | | |
| Common Criteria (Product Assurance) role in acquiring systems | 34 | | |
| Communications Security (COMSEC) materials | 35 | | |
| Computer crime and the various methods | 36 | | |
| Computer Fraud and Abuse Act as codified in 18 U.S.C.A. Section 1030 | 37 | | |
| Concept of Operations (CONOPS) | 38 | | |
| Confidentiality (McCumber) | 39 | | |
| Configuration management | 40 | | |
| Connected organizations | 41 | | |
| Connectivity involved in communications | 42 | | |
| Contingency planning | 43 | | |
| Continuity of operations | 44 | | |
| Contracting for security services | 45 | | |
| Copyright Act of 1976 and Copyright Amendment Act of 1992 as codified in 17 U.S.C.A. | 46 | | |
| Copyright protection and license | 47 | | |
| Countermeasures | 48 | | |
| Countermeasures/deterrents – automated/technical | 49 | | |
| Criminal prosecution | 50 | | |
| Declassification of media | 51 | | |
| Delegation of authority | 52 | | |
| Disaster recovery | 53 | | |
| Disposition of classified material | 54 | | |
| Documentation | 55 | | |
| Documentation policies | 56 | | |
| Documentation role in reducing risk | 57 | | |
| Downgrade of media | 58 | | |
| Due diligence | 59 | | |
| Education, training, and awareness as a countermeasure | 60 | | |
| Electronic emanations | 61 | | |
| Electronic records management | 62 | | |
| Electronic-mail security | 63 | | |
| Emergency destruction | 64 | | |
| Emergency destruction procedures | 65 | | |
| Emissions Security (EMSEC) | 66 | | |
| Ethics | 67 | | |
| Evidence collection | 68 | | |
| Evidence collection policies | 69 | | |
| Evidence preservation | 70 | | |
| Evidence preservation policies | 71 | | |
| Execution of memoranda of understanding | 72 | | |
| Facilities planning | 73 | | |
| Federal Information Security Management Act (FISMA) | 74 | | |
| Federal Property and Administration Service Act | 75 | | |
| Federal Records Act | 76 | | |
| Fraud, waste and abuse | 77 | | |
| Freedom of Information Act (FOIA) and Electronic Freedom of Information Act (EFOIA) | 78 | | |
| Government Information Security Reform Act (GISRA) | 79 | | |
| Government Paperwork Elimination Act (GPEA) | 80 | | |
| Importance and role of non-repudiation | 81 | | |
| Importance and role of PKI | 82 | | |
| Importance of Security Test and Evaluation (ST&E) as part of acquisition process | 83 | | |
| Incident response | 84 | | |
| Incident response policy | 85 | | |
| Information assurance – SSM role | 86 | | |
| Information Assurance (IA) | 87 | | |
| Information assurance budget | 88 | | |
| Information assurance business aspects | 89 | | |
| Information assurance cost benefit analysis | 90 | | |
| Information classification | 91 | | |
| Information ownership | 92 | | |
| Information security policy | 93 | | |
| Interim authority to operate (IATO) | 94 | | |
| Investigative authorities | 95 | | |
| Justification for waiver | 96 | | |
| Law enforcement interfaces | 97 | | |
| Law enforcement policies | 98 | | |
| Legal and liability issues as they apply to mission | 99 | | |
| Legal issues and Information Assurance (IA) | 100 | | |
| Legal issues which can affect Information Assurance (IA) | 101 | | |
| Legal responsibilities of the SSM | 102 | | |
| Liabilities associated with disclosure of sensitive information | 103 | | |
| Licensing | 104 | | |
| Life cycle management | 105 | | |
| Life cycle security planning | 106 | | |
| Life cycle system security planning | 107 | | |
| Logging policies | 108 | | |
| Marking classified/sensitive information | 109 | | |
| Memorandum of Understanding/Agreement | 110 | | |
| Methods of implementing risk mitigation strategies necessary to obtain ATO | 111 | | |
| Millennium Copyright Act | 112 | | |
| National Archives and Records Act | 113 | | |
| Need-to-know controls | 114 | | |
| Non-repudiation | 115 | | |
| Operations Security | 116 | | |
| Organizational – threats | 117 | | |
| Organizational/agency information assurance emergency response team role | 118 | | |
| Organizational/agency information assurance emergency response teams | 119 | | |
| Paperwork Reduction Act as codified in 44 U.S.C.A. Section 3501 | 120 | | |
| Personnel security | 121 | | |
| Personnel security guidance | 122 | | |
| Personnel security policies | 123 | | |
| PKI | 124 | | |
| Principles of aggregation | 125 | | |
| Principles of information ownership | 126 | | |
| Principles of risk | 127 | | |
| Principles of system reconstitution | 128 | | |
| Privacy Act | 129 | | |
| Problems associated with disclosure of sensitive information | 130 | | |
| Procedural/administrative countermeasures | 131 | | |
| Protection profiles | 132 | | |
| Purpose of Systems Security Authorization Agreement (SSAA) | 133 | | |
| Recertification | 134 | | |
| Recertification effort | 135 | | |
| Recertification of systems characteristics that need review | 136 | | |
| Recertification process | 137 | | |
| Recertification purpose | 138 | | |
| Reconstitution | 139 | | |
| Recovery plan | 140 | | |
| Remanence | 141 | | |
| Residual risk | 142 | | |
| Resources | 143 | | |
| Responsibilities associated with accreditation | 144 | | |
| Restoration | 145 | | |
| Restoration and continuity of operation | 146 | | |
| Restoration process | 147 | | |
| Results of certification tools | 148 | | |
| Risk | 149 | | |
| Risk acceptance | 150 | | |
| Risk acceptance process | 151 | | |
| Risk analysis | 152 | | |
| Risk assessment | 153 | | |
| Risk assessment as it supports granting waiver | 154 | | |
| Risk assessment supporting granting an IATO | 155 | | |
| Risk in certification and accreditation | 156 | | |
| Risk management | 157 | | |
| Risk mitigation | 158 | | |
| Risk mitigation strategies | 159 | | |
| Risk mitigation strategies necessary to obtain IATO | 160 | | |
| Risk reports | 161 | | |
| Risks associated with portable wireless systems, viz. PDAs etc. | 162 | | |
| Risks from connectivity | 163 | | |
| Role of risk analyst | 164 | | |
| Security Test and Evaluation (ST&E) as part of acquisition process | 165 | | |
| Separation of duties | 166 | | |
| Service Provider Exemption to the Federal Wiretap Statute [18 U.S.C.A. Section 2511(2)(a)(i)-(ii)] | 167 | | |
| Storage (McCumber) | 168 | | |
| System accreditor's role | 169 | | |
| System architecture | 170 | | |
| System certifier's role | 171 | | |
| System disposition | 172 | | |
| System reutilization | 173 | | |
| System security architecture | 174 | | |
| System security architecture support of continuity of operations (CONOPS) | 175 | | |
| Systems Security Authorization Agreement (SSAA) | 176 | | |
| TEMPEST failures | 177 | | |
| TEMPEST requirements | 178 | | |
| Test and evaluation | 179 | | |
| Threat | 180 | | |
| Threat analysis | 181 | | |
| Threats – assessment/environmental/human/natural | 182 | | |
| Threats from contracting for security services | 183 | | |
| Threats to systems | 184 | | |
| Transmission (McCumber) | 185 | | |
| Types of contracts for security services | 186 | | |
| Vulnerability | 187 | | |
| Vulnerability – aggregation | 188 | | |
| Vulnerability – connected systems | 189 | | |
| Vulnerability – improper disposition | 190 | | |
| Vulnerability – improper reutilization | 191 | | |
| Vulnerability – network | 192 | | |
| Vulnerability – technical | 193 | | |
| Vulnerability – wireless technology | 194 | | |
| Role of System Security Officer (ISSO) | 195 | | |
| Key Resource Managers | 196 | | |