The following competencies are covered in the course INFO 4416, 5516 and 6616.  The materials used are from a draft set of instructional materials developed by NIATEC.  In addition students use Information Assurance for the Enterprise: A Roadmap to Information Security by Schou and Shoemaker 2007.

Students should use the following table to prepare for examinations. Submit a completed form prior to each examination.  At the end of the semester, you will fill out an online form at the NIATEC site.

The successful student in INFO 4416, 5516, 6616 demonstrates entry-level competency as they provide, discuss, identify, explain, assist, conduct, outline, determine, evaluate, define, describe, monitor, recommend, summarize, appraise, examine, list, team, use, analyze, apply, assess, build, interpret, apprise, characterize, develop, discriminate, ensure, influence, integrate, relate, report, review, support, understand, and verify the following terms via slide shows, modules, written or oral exams.
Action Item and Competency Student Checklist
1. E  - Adverse findings and effect on continued IT operations in a given mission environment  
2. E  - Adverse system findings and halting mission support operations  
3. E  - Agency/Local guidance  
4. E  - Agency-Specific policies and procedures in relation to risk environment  
5. E  - Agency-Specific system reutilization policies and procedures  
6. E  - All component and overall risks inherent in system  
7. E  - Alternative actions permitted on system  
8. E  - Analysis of security safeguards of a system as they have been applied to an operational environment to determine security posture  
9. E  - Analysis of threats, vulnerabilities, attacks, and consequences in relationship to risk assessment of a system  
10. E  - Applicable IA laws, regulations, and policies  
11. E  - Applicable national level policies  
12. E  - Applicable organizational certification and accreditation processes  
13. E  - Applied security evaluation and analysis  
14. E  - Approaches to risk management  
15. E  - Aspects of security in a vulnerability testing and evaluation plan  
16. E  - Assessment of costs of data protection for a system versus cost of loss or compromise  
17. E  - Audit mechanism processes used to collect, review, and/or examine system activities  
18. E  - Audit trails and logging policies  
19. E  - Building a compendium of relative threats, vulnerabilities, attacks, and consequences related to system  
20. E  - Change control policies for incorporation in IA training  
21. E  - Chronological record of system activities for reconstruction and examination of events and/or changes in an event  
22. E  - Classification policies as part of risk management plan  
23. E  - Communications security policy and guidance for incorporation into IT training  
24. E  - Compendium of relative threats, vulnerabilities, attacks, and consequences related to a system (Common vulnerabilities and exploitations)  
25. E  - Cost analysis of data protection versus cost of data loss or compromise  
26. E  - Cost assessment for providing data protection versus cost of data loss or compromise  
27. E  - Cost/Benefit of organization’s IA countermeasure plans  
28. E  - Cost/Benefit of personnel supporting access control policies  
29. E  - Countermeasures based on threat capabilities and motivations  
30. E  - Critical database security pitfalls  
31. E  - Criticality of applications security  
32. E  - Current mission and role of information system in supporting mission  
33. E  - Database best practices and pitfalls in database security  
34. E  - Decision makers of existing countermeasure models, tools, and techniques  
35. E  - Defining countermeasures directed at specific threats and vulnerabilities  
36. E  - Definitions of security requirements  
37. E  - Detailed evaluation of vulnerabilities, attack, threats, and consequences that may affect system  
38. E  - Detailed examination and evaluation of impact of attacks  
39. E  - Detailed examination and evaluation of possible actions to mitigate vulnerabilities  
40. E  - Detailed examination and evaluation of sources and factors that can adversely impact system  
41. E  - Detailed examination of vulnerabilities, attack, threats, and consequences that may affect system  
42. E  - Development of ST&E plan and procedure for testing and evaluating a system  
43. E  - Differences between security features and capabilities  
44. E  - Discrimination with known and potential vulnerabilities based on test procedures  
45. E  - EDPP for incorporation in IA training  
46. E  - Effect of countermeasures on risk through the analysis of paired interaction of a defense  
47. E  - Effectiveness of automated security tools that confirm validity of a transmission  
48. E  - Effectiveness of automated security tools that verify an individual’s eligibility to receive specific categories of information  
49. E  - Effects of mitigation derived from application of countermeasures to a system  
50. E  - Elements of database security features  
51. E  - Environment in relation to current threat  
52. E  - Environmental and natural threats as part of security management plan  
53. E  - Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited  
54. E  - Evaluation of threats, vulnerabilities, and countermeasures to determine residual risk  
55. E  - Examination and evaluation of sources and factors that can adversely impact system  
56. E  - Examination of vulnerabilities, attack, threats and consequences that may affect system  
57. E  - Exploitable weaknesses in information system, security procedures, internal controls or implementations  
58. E  - Files created by operating system for review of audit process  
59. E  - Hardware or software flaw that opens an information system to potential exploitation  
60. E  - Hardware, firmware, communications, or software weaknesses that open an information system to exploitation  
61. E  - Hostile intelligence sources as part of vulnerabilities and attack venues  
62. E  - How certification process ensures security requirement implementation  
63. E  - Identifying protections offered by security features in specific configurations  
64. E  - Vulnerability assessment methodologies  
65. E  - Impact of hostile agents seeking national security information which could potentially cause harm to national security  
66. E  - Impact of security breaches and estimate an attacker’s probable response  
67. E  - Impact of security on mission  
68. E  - Information acquisition and review process for best use of resources to protect system  
69. E  - Information system analysis in determining adequacy of security measures  
70. E  - Information system support mission  
71. E  - Jamming as a potential threat  
72. E  - Known and hypothetical variable discrimination based on executed test procedures  
73. E  - Known and hypothetical variables based on test procedures  
74. E  - Weaknesses in system, system security procedures, and internal controls and implementation  
75. E  - Known avenues of attack such as operating system bugs, network vulnerabilities, human threats, etc.  
76. E  - Level of threat based on its applicability to system  
77. E  - Vulnerability analysis to determine adequacy of security measures, identify security deficiencies, and provide data to predict effectiveness of security measures  
78. E  - Life cycle countermeasures based on assessment of threats, capabilities, and motivations to exploit vulnerability  
79. E  - Life cycle management SCMB policies and procedures  
80. E  - Life cycle operation and maintenance project milestones relating to risk  
81. E  - Local application of IA laws, regulations, and policies  
82. E  - Local policies and procedures implementing regulations, laws, and procedures in local environment  
83. E  - Local policies and procedures to supplement and implement higher-level guidance  
84. E  - Maintenance of accounting files, tools, user accounts, and system statistics  
85. E  - Maintenance of user accounts  
86. E  - Maintenance plans for protective measures to ensure tolerable level of risk  
87. E  - Maintenance procedures concerning life cycle operations and analysis issues  
88. E  - Means through which a threat agent can adversely affect information system, facility, or operation  
89. E  - Methodologies used to evaluate system security safeguards  
90. E  - Methods through which threat agent adversely affects information system, facility, or operation  
91. E  - National and local level access control policies  
92. E  - Organization IT security needs and relations to countermeasure requirements  
93. E  - Organizational capability and ability to evaluate threats, and vulnerabilities  
94. E  - Organizational mission in conjunction with vulnerabilities and attack venues  
95. E  - Paired interaction of a vulnerability to an attack  
96. E  - Paired interaction of system threats and vulnerabilities  
97. E  - Payoff to and liabilities incurred by an attacker in a successful attack  
98. E  - Performance measurement data in operations and maintenance examination of events and/or changes in an event  
99. E  - Physical security requirements  
100. E  - Policy, guidance and process for the capture, maintenance, and distribution of audit logs  
101. E  - Potential vulnerabilities that may lead to defeat of security services  
102. E  - Process for selecting and purchasing new information technology (IT)  
103. E  - Process of analyzing paired interactions of system threats and vulnerabilities  
104. E  - Process of formally evaluating degree of threat and describing nature of threat  
105. E  - Process of selecting and purchasing IT designed to implement management risk process  
106. E  - Process to determine underlying state of system  
107. E  - Process to ensure that applications function according to specifications  
108. E  - Processes for disposition of media and data  
109. E  - Processes for timely deletion of accounts  
110. E  - Processes for updating access  
111. E  - Processes for verification of authorization prior to adding new account  
112. E  - Program or user operations that can be performed during testing and evaluation  
113. E  - Protections offered by security features in specific configurations  
114. E  - Purpose of using copies of backup files for later reconstruction of files  
115. E  - Questions for determining countermeasures during C&A process  
116. E  - Respective value of penetration testing post-testing actions, general information principles, and summary comparison of network testing techniques  
117. E  - Results of certification tools during testing and evaluation  
118. E  - Risk analysis examination and evaluation process to determine relationships among threats, vulnerabilities, and countermeasures  
119. E  - Risk analysis processes used in development of life cycle functions  
120. E  - Risk analyst concerns relating to life cycle system security planning  
121. E  - Risk assessment methodology in relation to risk analyst function  
122. E  - Risk management methodology in relation to system security  
123. E  - Risk management methodology which includes evaluation of threats, vulnerabilities, and countermeasures  
124. E  - Risk methodologies used to evaluate measures taken to protect system  
125. E  - Risk mitigation decisions derived from analysis and review of physical security requirements  
126. E  - Risk variables to build a compendium of relative threats, vulnerabilities, attacks, and consequences related to a system  
127. E  - Risks associated with distributed systems security  
128. E  - Role of formal methods in security design as part of risk management plan  
129. E  - Role of personnel security policies and guidance as part of overall risk management plan  
130. E  - Role of RA in certification and accreditation process  
131. E  - Security and software countermeasures during design, implementation, and testing phases to achieve required level of confidence  
132. E  - Security countermeasures in relation to vulnerabilities and attack venues  
133. E  - Security features of system  
134. E  - Security inspections conducted during C&A process  
135. E  - Security laws applicable to certification/accreditation process  
136. E  - Security policies and procedures implemented during risk analysis/assessment process  
137. E  - Security requirements as potential countermeasures  
138. E  - Security test and evaluation (ST&E) procedures, tools, and equipment  
139. E  - Security with regard to confidentiality, integrity, authentication, availability, and non-repudiation  
140. E  - Software test and evaluation results related to system restoration  
141. E  - Solutions based on a set of static and variable factors of system  
142. E  - State and vulnerabilities in network security software  
143. E  - State of security features embedded in commercial-off-the-shelf (COTS) products in relation to risk management plan  
144. E  - Strengths of alternative test and evaluation strategies  
145. E  - Susceptibility of a system to attack after countermeasures have been applied  
146. E  - Synthesis of all component and risks inherent in a system  
147. E  - System IA design guidance  
148. E  - System security policies  
149. E  - System security safeguards established to determine system security posture  
150. E  - Technical analysis of components, products, subsystems, or systems security that establishes whether or not component, product subsystem, or system meets a specific set of requirements independently and in  
151. E  - Technical and non-technical results from testing and evaluation  
152. E  - Technical knowledge required of personnel responsible for networks, servers, workstations, operating systems, etc.  
153. E  - Technical knowledge required of personnel responsible for operating and maintaining networks, servers, workstations, operating systems, etc.  
154. E  - Techniques and measures to detect and neutralize a wide variety of hostile penetration technologies  
155. E  - Technology needed to mount an attack based on existing countermeasures  
156. E  - Technology trends in context of future security management plan  
157. E  - Test results that determine underlying state of system  
158. E  - Testing of security features during testing and evaluation  
159. E  - Testing roles and responsibilities  
160. E  - Test results  
161. E  - That system acquisitions policies and procedures include assessment of risk management policies  
162. E  - Threat analysis to determine vulnerabilities and attack venues  
163. E  - Threat and vulnerability analyses input to C&A process  
164. E  - Threat and/or risk assessment in determining vulnerabilities and attack venues  
165. E  - Threat/Risk assessment methodology appropriate for use with system undergoing accreditation  
166. E  - Threats and vulnerabilities  
167. E  - Use of Common Criteria guidance to determine hardware and software assurance applications for simultaneous processing of a range of information classes  
168. E  - Utilities used to determine vulnerabilities or configurations not within established limits/baselines  
169. E  - Various categorization schemas  
170. E  - Vulnerabilities associated with security processing modes  
171. E  - Vulnerabilities, attacks, threats, and consequences assessment to determine vulnerabilities and attack avenues  
172. E  - Vulnerability analysis process  
   
The successful student in CIS 4416 demonstrates intermediate-level competency as they discuss, explain, team, evaluate, define, assist, determine, recommend, identify, analyze, apply, compare, advise, incorporate, influence, interpret, provide, assess, conduct, consult, contrast, demonstrate, examine, give, integrate, justify, list, monitor, outline, research, and summarize the following concepts in case study workshops and hands-on exercises.
Student Checklist
1. I  - Acceptability of using federal information security practices in system design and protection  
2. I  - Access permission granted to a subject in relation to an object  
3. I  - Access permissions granted to users of system  
4. I  - Accuracy and reliability of an information system’s data  
5. I  - Actions, devices, procedures, techniques, or measures that reduce vulnerability or threat to a system  
6. I  - Activities that support C&A process  
7. I  - Adverse system findings and halting mission support operations  
8. I  - Agency-Specific policies and procedures  
9. I  - Agency-Specific policies and procedures integration into results of risk analysis report  
10. I  - Allowable duration of system’s operations run time, beginning with identification of a need to place a system in operation; continuing through system design, development, implementation, and operation; and ending with the system’s deactivation  
11. I  - Analysis of countermeasure effectiveness as applied to a given risk and probability of an occurrence  
12. I  - Analysis of paired interaction of vulnerability to attack  
13. I  - Analysis of vulnerabilities of an information system  
14. I  - Analyzing, recommending and detailing alternative actions permitted on system  
15. I  - Applicable national level and agency/local policies and guidance  
16. I  - Approval process for operating system at a satisfactory level of risk  
17. I  - Aspects of security for a system and cost incurred by an adversary to mount an attack  
18. I  - Assessment of data protection costs versus loss or compromise of data  
19. I  - Audit collection requirements implementation  
20. I  - Audit trail and logging policy examples for training  
21. I  - C&A providing assurance that controls are functioning effectively  
22. I  - Certification/Accreditation process for vulnerabilities  
23. I  - Characteristics that ensure computer resources operate correctly  
24. I  - Characteristics that ensure data integrity  
25. I  - Classification policies as part of risk management plan  
26. I  - Collection of languages and tools that enforce methods of verification  
27. I  - Collection of verification and validation tools and techniques  
28. I  - Communications security policy and guidance for incorporation into IT training  
29. I  - Control policies for incorporation in IA training  
30. I  - Various methods for defining security requirements  
31. I  - Controls and traceability of all changes made to system during testing and evaluation  
32. I  - Controls to safeguard assets  
33. I  - Cost/Benefits of IA plans to determine totality of sensitivity during development, procurement, and installation of system in terms of aggregation of risk  
34. I  - Data that confirms effectiveness of security measures after security testing  
35. I  - Data to predict effectiveness of a security measure testing  
36. I  - Deductive reasoning and test results  
37. I  - Development of agency-specific IA principles and practices  
38. I  - Discriminate approach variables and constants based on test procedures to gain acceptance for joint system usage  
39. I  - Disposition of media and data records  
40. I  - EDPP for incorporation in IA training  
41. I  - Effect of modification to existing access controls  
42. I  - Effects of mitigation derived from application of countermeasures  
43. I  - Effects of risk mitigation derived from system countermeasures  
44. I  - Evaluation of technical and non-technical security features of system during testing and evaluation  
45. I  - Examination and evaluation of potential alternative actions to mitigate risk  
46. I  - Examples of lessons learned in ethical/unethical cyber behavior and relate to risk management plan  
47. I  - Formal approval process and procedures for providing system access for authorized users  
48. I  - Generation of a database of corrective measures to bring system into compliance of level for which being certified  
49. I  - Hardware, software, firmware, communication flaw, circumstance, or event with potential to cause harm to a system or data  
50. I  - Implementation of established policies and procedures ensuring that personnel have required authority and appropriate clearances  
51. I  - Implementation policies  
52. I  - Information system’s operational efficiency and promotion  
53. I  - Input for recommending security features in specific configurations  
54. I  - Integration of a variety of assessment methodologies into curricula  
55. I  - Legal process for obtaining/maintaining ownership of information  
56. I  - Life cycle analysis of security requirements and countermeasures based on assessment of threats capability and motivation to exploit a vulnerability  
57. I  - Local policies and procedures that implement higher-level regulations, laws, and procedures  
58. I  - Maintenance of accounting files, tools, user accounts, and system statistics  
59. I  - Maintenance of user authentication data used to authenticate an identity or to authorize access to data  
60. I  - Maintenance practices, procedures, and measures intended to ensure an acceptable level of risk  
61. I  - Managerial policy adherence  
62. I  - Method used for surveys and inspections in C&A process  
63. I  - Offsets of adverse findings and decision to continue IT operation in current mission environment  
64. I  - Operating and management procedures designed to detect or prevent unauthorized access to an information system  
65. I  - Operating and management procedures enforcing access control  
66. I  - Organizational certification and accreditation process with other agency certification and accreditation guidelines  
67. I  - Physical security and domains and how they provide a useful approach for dealing with security and data protection in large-scale systems  
68. I  - Adherence to prescribed managerial policies  
69. I  - Physical security requirements  
70. I  - Policies regarding audit data usage, management, and maintenance  
71. I  - Policies regarding personnel access to audit records  
72. I  - Process of selecting and purchasing new IT  
73. I  - Process used to collect, review, and/or examine system activities  
74. I  - Protection afforded information processed in a cryptographically-secured network  
75. I  - Protection profiles for proposed system security countermeasures for a given attack analysis  
76. I  - Protection schema of a distributed system that consists of workstations  
77. I  - Records of system activities for chronological, analytical reconstruction, and maintenance of IA components in IT systems  
78. I  - Relations between variety of disciplines employed in IA  
79. I  - Relevant potential threat/vulnerability information gained from available intelligence and law enforcement agency sources  
80. I  - Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited  
81. I  - Return on investment results of evaluation of means by which threats can act on vulnerabilities  
82. I  - Risk acceptance process to include mitigation versus avoidance  
83. I  - Risk associated with agency-specific policies and procedures for SCMB  
84. I  - Risk management methodologies to evaluate threats, vulnerabilities, and countermeasures to determine residual risk  
85. I  - Risk management methodologies to study of life cycle management policies and procedures  
86. I  - Risk variables through compendium of threats, vulnerabilities, attacks and consequences  
87. I  - Role of audit trails  
88. I  - Role of information categorization schema as part of risk management plan  
89. I  - Role of security awareness as part of risk management plan  
90. I  - Roles and responsibilities of agency vendors as member of risk management team  
91. I  - Rules and measures in place for implementing IA measures with industrial partners/contractors  
92. I  - Security deficiencies  
93. I  - Security inspections during C&A process  
94. I  - Security laws and applicability to risk management plan  
95. I  - Security policies that describe permitted actions that may have an adverse effect on system  
96. I  - Security policies that describe permitted system actions  
97. I  - Security policies that describe what system actions are prohibited  
98. I  - Security policy that describes types of permitted and prohibited actions on system  
99. I  - Security processes that ensure computer resources operate correctly and that data in databases are correct  
100. I  - Security software designed to detect and prevent unauthorized system access  
101. I  - Software options that control hardware and other software functions  
102. I  - Specific security and software engineering applications during design, implementation, and testing phases  
103. I  - System IA policy with regard to the acquisition and upgrade of software and hardware components and the laws and procedures that must be observed in their implementation  
104. I  - Technical surveillance countermeasures  
105. I  - Technology necessary to mount attack  
106. I  - The implementation of laws, regulations and other public policies as they apply to an information system in a given operational environment  
107. I  - The relative strengths of alternative test and evaluation strategies  
108. I  - The risk of change proposals to authorized baselines  
109. I  - Threats and vulnerabilities associated with remanence  
110. I  - Types and details of actions permitted on systems  
111. I  - Underlying state of system  
   
The successful student in CIS 4416 demonstrates advanced-level competency as they analyze, appraise, evaluate, interpret, team, recommend, determine, explain, perform, and provide the following terms in discussion seminars, readings, research papers or essays.
Student Checklist
1. A  - Effects of a risk assessment and certification/accreditation process on mission of a system  
2. A  - Applicability of network tools, viz. password cracking, log review, file integrity, virus detectors, war dialing, wireless LAN testing (war driving), etc. software  
3. A  - Application of IA laws, regulations, and policies  
4. A  - Changes to roles and responsibilities of agency vendors as member of risk management team  
5. A  - Communications security policy and guidance for incorporation into IT training  
6. A  - Cost/Benefit of standard certification tools to support countermeasure activities  
7. A  - Countermeasures  
8. A  - Development of IA principles and practices applied to coordination with OMB and with technical assistance from NSA  
9. A  - Disposition and reutilization records for potential vulnerabilities  
10. A  - Integrated logistics support cycle as it applies to IA  
11. A  - Interpretation of strengths and weaknesses of assessment methodologies  
12. A  - Paired interaction of defense for specific vulnerability related to probability of attack  
13. A  - Potential applicability of network and vulnerability scanning tools  
14. A  - Potential applicability of range of testing tools  
15. A  - Process of evaluating degree of threat to an information system  
16. A  - Process of evaluating nature of threat to an information system  
17. A  - Risk management methodology changes to life cycle management policies and procedures plan  
18. A  - System level access policies used to process information  
19. A  - System vulnerabilities  
20. A  - Threat/Risk assessment in support of C&A process  
NIATEC National Science Foundation Information Assurance Directorate Department of Homeland Security CISSE Scholarship For Service