CIS 612

Informatics Research Institute


Fall, 1 credit

Instructors: Dr. Corey Schou or James Frost, with V. Nestler
Office location: Bldg 5, Rm. 415
Preferred email: Schou@mentor.net
Secondary email: Schou@cob.isu.edu
Office phone: 282-4893
Office hours: By appointment


Course Description

Develops the critical thinking skills senior management needs to analyze and evaluate submitted documentation and determine whether a proposed information system can validly and reliably operate at a proposed level of trust. These skills are developed by reviewing the system architecture, system security measures, system operations policy, system security management plan, legal and ethical considerations, and provisions for system operator and end user training.

 

PREREQUISITES: CIS 611, CIS 613, CIS 614, CIS 519 (6 credits)

 

Targeted Standards

The CNSSI 4012 competencies covered by this course are listed below on this page.

Students should submit the competencies form for evaluation prior to the examinations.

 

Required Materials

CNSSI 4012 (available at http://www.nstissc.gov/Assets/pdf/cnssi_4012.pdf)

 

Course Objectives

As a result of participation in CIS 612, the successful student will demonstrate an understanding of:

- Granting final approval to operate an IS or network in a specified security mode.
- Reviewing the accreditation documentation to confirm that the residual risk is within acceptable limits for each network and/or IS.
- Verifying that each information system complies with the information assurance (IA) requirements.
- Ensuring the establishment, administration, and coordination of security for systems that agency, service, or command personnel or contractors operate.
- Ensuring that the Program Manager/Official defines the system security requirements for acquisitions.
- Assigning information assurance (IA) responsibilities to the individuals reporting directly to the SSM.
- Defining the criticality and classification/sensitivity levels of each IS and approving the classification level required for the applications implemented on them.
- Allocating resources to achieve an acceptable level of security and to remedy security deficiencies.
- Ensuring that when classified/sensitive information is exchanged between IS or networks (internal or external), the content of this communication is protected from unauthorized observation, manipulation, or denial.
- Resolving issues regarding systems that require multiple or joint accreditation. This may require documenting conditions or agreements in Memoranda of Agreement (MOA).

 

Advanced master's courses and preliminary doctoral courses

As part of the development of our advanced master's courses, we have decided to use the content structures from our undergraduate courses; however, these advanced courses require either experience in the Information Systems field or completion of the 400/500 level course as a prerequisite. These courses are research oriented rather than focused on 'book learning'. Students are expected to perform both physical research, where appropriate, and literature review and analysis.

 

Grade Components for CIS 612

Article Reviews: 15%
Final Evaluation: 30%
Participation: 5%
Research Project Defense: 50%

 

Grading Scale

A: 93% - 100%
A-: 90% - 92.9%
B+: 87% - 89.9%
B: 83% - 86.9%
B-: 80% - 82.9%
C+: 77% - 79.9%
C: 73% - 76.9%
F: 0% - 69.9%

 

Major Topics

Access Control Techniques
Administrative Techniques
Communications Security
Continuity of Operations (COOP)
Legal Liability Issues
Life Cycle Management
Policy
Risk Management
TEMPEST, EMP, and Electronic Emanation
Threats and Incidents

 

CNSSI 4012 Competencies

Each competency item is listed with its action item number. The submitted competencies form also carries a Complete column, left blank here, which is marked as each item is demonstrated.

1. Access control policies
2. Access controls – discretionary/mandatory
3. Access privileges
4. Accountability for sensitive data
5. Accreditation
6. Accreditation procedure
7. Accreditation types
8. Administrative security policies
9. Approval to Operate (ATO) purpose and contents
10. Assignment of individuals to perform information assurance functions
11. Attacks
12. Audit trail policy
13. Auditable events
14. Automated countermeasures/deterrents
15. Automated security tools
16. Availability (McCumber)
17. Background investigations
18. Backups
19. Biometric policies
20. Biometrics
21. Budget
22. Business recovery
23. Certification
24. Certification and Accreditation effort leading to Systems Security Authorization Agreement
25. Certification and Accreditation process policy
26. Certification procedure
27. Certification roles
28. Certification tools
29. Certifier's understanding of mission
30. Change control
31. Clinger-Cohen Act
32. Commercial proprietary information
33. Commercial proprietary information protection
34. Common Criteria (Product Assurance) role in acquiring systems
35. Communications Security (COMSEC) materials
36. Computer crime and the various methods
37. Computer Fraud and Abuse Act as codified in 18 U.S.C.A. Section 1030
38. Concept of Operations (CONOPS)
39. Confidentiality (McCumber)
40. Configuration management
41. Connected organizations
42. Connectivity involved in communications
43. Contingency planning
44. Continuity of operations
45. Contracting for security services
46. Copyright Act of 1976 and Copyright Amendment Act of 1992 as codified in 17 U.S.C.A.
47. Copyright protection and license
48. Countermeasures
49. Countermeasures/deterrents – automated/technical
50. Criminal prosecution
51. Declassification of media
52. Delegation of authority
53. Disaster recovery
54. Disposition of classified material
55. Documentation
56. Documentation policies
57. Documentation role in reducing risk
58. Downgrade of media
59. Due diligence
60. Education, training, and awareness as a countermeasure
61. Electronic emanations
62. Electronic records management
63. Electronic-mail security
64. Emergency destruction
65. Emergency destruction procedures
66. Emissions Security (EMSEC)
67. Ethics
68. Evidence collection
69. Evidence collection policies
70. Evidence preservation
71. Evidence preservation policies
72. Execution of memoranda of understanding
73. Facilities planning
74. Federal Information Security Management Act (FISMA)
75. Federal Property and Administrative Services Act
76. Federal Records Act
77. Fraud, waste, and abuse
78. Freedom of Information Act (FOIA) and Electronic Freedom of Information Act (EFOIA)
79. Government Information Security Reform Act (GISRA)
80. Government Paperwork Elimination Act (GPEA)
81. Importance and role of non-repudiation
82. Importance and role of PKI
83. Importance of Security Test and Evaluation (ST&E) as part of acquisition process
84. Incident response
85. Incident response policy
86. Information assurance – SSM role
87. Information Assurance (IA)
88. Information assurance budget
89. Information assurance business aspects
90. Information assurance cost benefit analysis
91. Information classification
92. Information ownership
93. Information security policy
94. Interim authority to operate (IATO)
95. Investigative authorities
96. Justification for waiver
97. Law enforcement interfaces
98. Law enforcement policies
99. Legal and liability issues as they apply to mission
100. Legal issues and Information Assurance (IA)
101. Legal issues which can affect Information Assurance (IA)
102. Legal responsibilities of the SSM
103. Liabilities associated with disclosure of sensitive information
104. Licensing
105. Life cycle management
106. Life cycle security planning
107. Life cycle system security planning
108. Logging policies
109. Marking classified/sensitive information
110. Memorandum of Understanding/Agreement
111. Methods of implementing risk mitigation strategies necessary to obtain ATO
112. Digital Millennium Copyright Act (DMCA)
113. National Archives and Records Act
114. Need-to-know controls
115. Non-repudiation
116. Operations Security
117. Organizational – threats
118. Organizational/agency information assurance emergency response team role
119. Organizational/agency information assurance emergency response teams
120. Paperwork Reduction Act as codified in 44 U.S.C.A. Section 3501
121. Personnel security
122. Personnel security guidance
123. Personnel security policies
124. PKI
125. Principles of aggregation
126. Principles of information ownership
127. Principles of risk
128. Principles of system reconstitution
129. Privacy Act
130. Problems associated with disclosure of sensitive information
131. Procedural/administrative countermeasures
132. Protection profiles
133. Purpose of Systems Security Authorization Agreement (SSAA)
134. Recertification
135. Recertification effort
136. Recertification of systems characteristics that need review
137. Recertification process
138. Recertification purpose
139. Reconstitution
140. Recovery plan
141. Remanence
142. Residual risk
143. Resources
144. Responsibilities associated with accreditation
145. Restoration
146. Restoration and continuity of operation
147. Restoration process
148. Results of certification tools
149. Risk
150. Risk acceptance
151. Risk acceptance process
152. Risk analysis
153. Risk assessment
154. Risk assessment as it supports granting waiver
155. Risk assessment supporting granting an IATO
156. Risk in certification and accreditation
157. Risk management
158. Risk mitigation
159. Risk mitigation strategies
160. Risk mitigation strategies necessary to obtain IATO
161. Risk reports
162. Risks associated with portable wireless systems (e.g., PDAs)
163. Risks from connectivity
164. Role of risk analyst
165. Security Test and Evaluation (ST&E) as part of acquisition process
166. Separation of duties
167. Service Provider Exemption to the Federal Wiretap Statute [18 U.S.C.A. Section 2511(2)(a)(i)-(ii)]
168. Storage (McCumber)
169. System accreditor's role
170. System architecture
171. System certifier's role
172. System disposition
173. System reutilization
174. System security architecture
175. System security architecture support of continuity of operations (COOP)
176. Systems Security Authorization Agreement (SSAA)
177. TEMPEST failures
178. TEMPEST requirements
179. Test and evaluation
180. Threat
181. Threat analysis
182. Threats – assessment/environmental/human/natural
183. Threats from contracting for security services
184. Threats to systems
185. Transmission (McCumber)
186. Types of contracts for security services
187. Vulnerability
188. Vulnerability – aggregation
189. Vulnerability – connected systems
190. Vulnerability – improper disposition
191. Vulnerability – improper reutilization
192. Vulnerability – network
193. Vulnerability – technical
194. Vulnerability – wireless technology
195. Role of Information System Security Officer (ISSO)
196. Key Resource Managers

All material on this site is copyrighted unless otherwise noted.
Please respect the authors' rights by requesting permission for use and ensuring proper attribution and credit.