INFO 6612, Fall, 1 credit
Instructor: Dr. Corey Schou or James Frost
Office location: Bldg 5, Rm. 415
Office hours: By Appointment
Preferred email: Schou@mentor.net
Secondary email: Schou@cob.isu.edu
Office Phone: 282-4893

Course Description

Develops the critical thinking skills necessary for Senior Management to analyze and evaluate submitted documentation for determination of the validity and reliability of a proposed information system to operate at a proposed level of trust. These skills will be developed by reviewing system architecture, system security measures, system operations policy, system security management plan, legal and ethical considerations, and provisions for system operator and end user training.

PREREQUISITES: INFO 6611, INFO 6613, INFO 6614, INFO 5519 (6 credits)

Targeted Standards

CNSSI 4012 Competencies for this course are found on this website.

Students should submit the competencies form for evaluation prior to the examinations.

Required Materials

CNSSI 4012 (available at https://www.cnss.gov/CNSS/openDoc.cfm?EfLMz/Pka3CE00HQO7bRWQ==)

Course Objectives

As a result of participation in INFO 6612, the successful student will demonstrate an understanding of

  • Granting final approval to operate an IS or network in a specified security mode.
  • Reviewing the accreditation documentation to confirm that the residual risk is within acceptable limits for each network and/or IS.
  • Verifying that each information system complies with the information assurance (IA) requirements.
  • Ensuring the establishment, administration, and coordination of security for systems that agency, service, or command personnel or contractors operate.
  • Ensuring that the Program Manager/Official defines the system security requirements for acquisitions.
  • Assigning Information Assurance (IA) responsibilities to the individuals reporting directly to the SSM.
  • Defining the criticality and classification/sensitivity levels of each IS and approving the classification level required for the applications implemented on them.
  • Allocating resources to achieve an acceptable level of security and to remedy security deficiencies.
  • Ensuring that when classified/sensitive information is exchanged between IS or networks (internal or external), the content of this communication is protected from unauthorized observation, manipulation, or denial.
  • Resolving issues regarding those systems requiring multiple or joint accreditation. This may require documentation of conditions or agreements in Memoranda of Agreement (MOA).

Advanced Masters courses and preliminary doctoral courses

As part of the development of our advanced masters courses, we have decided to use the content structures from our undergraduate courses; however, these advanced courses require either experience in the Information Systems field or completion of the 4000/5000 level course as a prerequisite. These courses are research oriented rather than focused on 'book learning'. Students are expected to perform physical research, where appropriate, as well as literature review and analysis.

Grade Components for INFO 6612

Article Reviews 15%
Final Evaluation 30%
Participation 5%
Research Project Defense 50%

Grading Scale

A 93% - 100%
A- 90% - 92.9%
B+ 87% - 89.9%
B 83% - 86.9%
B- 80% - 82.9%
C+ 77% - 79.9%
C 73% - 76.9%
F 0% - 69.9%

Major Topics

  • Access Control Techniques
  • Administrative Techniques
  • Communications Security
  • Continuity of Operations (COOP)
  • Legal Liabilities Issues
  • Life Cycle Management
  • Policy
  • Risk Management
  • TEMPEST, EMP, and Electronic Emanation
  • Threats And Incidents

CNSSI 4012 Competencies

Competency   Item   Action Item   Student Checklist
Access control policies   1      
Access controls – discretionary/mandatory   2      
Access privileges   3      
Accountability for sensitive data   4      
Accreditation   5      
Accreditation procedure   6      
Accreditation types   7      
Administrative security policies   8      
Approval to Operate (ATO) purpose and contents   9      
Assignment of individuals to perform information assurance functions   10      
Attacks   11      
Audit trail policy   12      
Auditable events   13      
Automated countermeasures/deterrents   14      
Automated security tools   15      
Availability (McCumber)   16      
Background investigations   17      
Backups   18      
Biometric policies   19      
Biometrics   20      
Budget   21      
Business recovery   22      
Certification   23      
Certification and Accreditation effort leading to Systems Security Authorization Agreement   24      
Certification and Accreditation process policy   25      
Certification procedure   26      
Certification roles   27      
Certification tools   28      
Certifiers understanding of mission   29      
Change control   30      
Clinger-Cohen Act   31      
Commercial proprietary information   32      
Commercial proprietary information protection   33      
Common Criteria (Product Assurance) role in acquiring systems   34      
Communications Security (COMSEC) materials   35      
Computer crime and the various methods   36      
Computer Fraud and Abuse Act as codified in 18 U.S.C.A. Section 1030   37      
Concept of Operations (CONOPS)   38      
Confidentiality (McCumber)   39      
Configuration management   40      
Connected organizations   41      
Connectivity involved in communications   42      
Contingency planning   43      
Continuity of operations   44      
Contracting for security services   45      
Copyright Act of 1976 and Copyright Amendment Act of 1992 as codified in 17 U.S.C.A   46      
Copyright protection and license   47      
Countermeasures   48      
Countermeasures/deterrents – automated/technical   49      
Criminal prosecution   50      
Declassification of media   51      
Delegation of authority   52      
Disaster recovery   53      
Disposition of classified material   54      
Documentation   55      
Documentation policies   56      
Documentation role in reducing risk   57      
Downgrade of media   58      
Due diligence   59      
Education, training, and awareness as a countermeasure   60      
Electronic emanations   61      
Electronic records management   62      
Electronic-mail security   63      
Emergency destruction   64      
Emergency destruction procedures   65      
Emissions Security (EMSEC)   66      
Ethics   67      
Evidence collection   68      
Evidence collection policies   69      
Evidence preservation   70      
Evidence preservation policies   71      
Execution of memoranda of understanding   72      
Facilities planning   73      
Federal Information Security Management Act (FISMA)   74      
Federal Property and Administration Service Act   75      
Federal Records Act   76      
Fraud waste and abuse   77      
Freedom of Information Act (FOIA) and Electronic Freedom of Information Act (EFOIA)   78      
Government Information Security Reform Act (GISRA)   79      
Government Paperwork Elimination Act (GPEA)   80      
Importance and role of non-repudiation   81      
Importance and role of PKI   82      
Importance of Security Test and Evaluation (ST&E) as part of acquisition process   83      
Incident response   84      
Incident response policy   85      
Information assurance – SSM role   86      
Information Assurance (IA)   87      
Information assurance budget   88      
Information assurance business aspects   89      
Information assurance cost benefit analysis   90      
Information classification   91      
Information ownership   92      
Information security policy   93      
Interim authority to operate (IATO)   94      
Investigative authorities   95      
Justification for waiver   96      
Law enforcement interfaces   97      
Law enforcement policies   98      
Legal and liability issues as they apply to mission   99      
Legal issues and Information Assurance (IA)   100      
Legal issues which can affect Information Assurance (IA)   101      
Legal responsibilities of the SSM   102      
Liabilities associated with disclosure of sensitive information   103      
Licensing   104      
Life cycle management   105      
Life cycle security planning   106      
Life cycle system security planning   107      
Logging policies   108      
Marking classified/sensitive information   109      
Memorandum of Understanding/Agreement   110      
Methods of implementing risk mitigation strategies necessary to obtain ATO   111      
Millennium Copyright Act   112      
National Archives and Records Act   113      
Need-to-know controls   114      
Non-repudiation   115      
Operations Security   116      
Organizational – threats   117      
Organizational/agency information assurance emergency response team role   118      
Organizational/agency information assurance emergency response teams   119      
Paperwork Reduction Act as codified in 44 U.S.C.A. Section 3501   120      
Personnel security   121      
Personnel security guidance   122      
Personnel security policies   123      
PKI   124      
Principles of aggregation   125      
Principles of information ownership   126      
Principles of risk   127      
Principles of system reconstitution   128      
Privacy Act   129      
Problems associated with disclosure of sensitive information   130      
Procedural/administrative countermeasures   131      
Protection profiles   132      
Purpose of Systems Security Authorization Agreement (SSAA)   133      
Recertification   134      
Recertification effort   135      
Recertification of systems characteristics that need review   136      
Recertification process   137      
Recertification purpose   138      
Reconstitution   139      
Recovery plan   140      
Remanence   141      
Residual risk   142      
Resources   143      
Responsibilities associated with accreditation   144      
Restoration   145      
Restoration and continuity of operation   146      
Restoration process   147      
Results of certification tools   148      
Risk   149      
Risk acceptance   150      
Risk acceptance process   151      
Risk analysis   152      
Risk assessment   153      
Risk assessment as it supports granting waiver   154      
Risk assessment supporting granting an IATO   155      
Risk in certification and accreditation   156      
Risk management   157      
Risk mitigation   158      
Risk mitigation strategies   159      
Risk mitigation strategies necessary to obtain IATO   160      
Risk reports   161      
Risks associated with portable wireless systems, viz. PDAs etc.   162      
Risks from connectivity   163      
Role of risk analyst   164      
Security Test and Evaluation (ST&E) as part of acquisition process   165      
Separation of duties   166      
Service Provider Exemption to the Federal Wiretap Statute [18 U.S.C.A. Section 2511(2)(a)(i)-(ii)]   167      
Storage (McCumber)   168      
System accreditors role   169      
System architecture   170      
System certifiers role   171      
System disposition   172      
System reutilization   173      
System security architecture   174      
System security architecture support of continuity of operations (CONOPS)   175      
Systems Security Authorization Agreement (SSAA)   176      
TEMPEST failures   177      
TEMPEST requirements   178      
Test and evaluation   179      
Threat   180      
Threat analysis   181      
Threats – assessment/environmental/human/natural   182      
Threats from contracting for security services   183      
Threats to systems   184      
Transmission (McCumber)   185      
Types of contracts for security services   186      
Vulnerability   187      
Vulnerability – aggregation   188      
Vulnerability – connected systems   189      
Vulnerability – improper disposition   190      
Vulnerability – improper reutilization   191      
Vulnerability – network   192      
Vulnerability – technical   193      
Vulnerability – wireless technology   194      
Role of System Security Officer (ISSO)   195      
Key Resource Managers   196      