| Competency Item | Action Item | Student Checklist |
|---|---|---|
| Access control policies | 1 | |
| Access controls – discretionary/mandatory | 2 | |
| Access privileges | 3 | |
| Accountability for sensitive data | 4 | |
| Accreditation | 5 | |
| Accreditation procedure | 6 | |
| Accreditation types | 7 | |
| Administrative security policies | 8 | |
| Approval to Operate (ATO) purpose and contents | 9 | |
| Assignment of individuals to perform information assurance functions | 10 | |
| Attacks | 11 | |
| Audit trail policy | 12 | |
| Auditable events | 13 | |
| Automated countermeasures/deterrents | 14 | |
| Automated security tools | 15 | |
| Availability (McCumber) | 16 | |
| Background investigations | 17 | |
| Backups | 18 | |
| Biometric policies | 19 | |
| Biometrics | 20 | |
| Budget | 21 | |
| Business recovery | 22 | |
| Certification | 23 | |
| Certification and Accreditation effort leading to Systems Security Authorization Agreement | 24 | |
| Certification and Accreditation process policy | 25 | |
| Certification procedure | 26 | |
| Certification roles | 27 | |
| Certification tools | 28 | |
| Certifiers' understanding of mission | 29 | |
| Change control | 30 | |
| Clinger-Cohen Act | 31 | |
| Commercial proprietary information | 32 | |
| Commercial proprietary information protection | 33 | |
| Common Criteria (Product Assurance) role in acquiring systems | 34 | |
| Communications Security (COMSEC) materials | 35 | |
| Computer crime and the various methods | 36 | |
| Computer Fraud and Abuse Act as codified in 18 U.S.C.A. Section 1030 | 37 | |
| Concept of Operations (CONOPS) | 38 | |
| Confidentiality (McCumber) | 39 | |
| Configuration management | 40 | |
| Connected organizations | 41 | |
| Connectivity involved in communications | 42 | |
| Contingency planning | 43 | |
| Continuity of operations | 44 | |
| Contracting for security services | 45 | |
| Copyright Act of 1976 and Copyright Amendment Act of 1992 as codified in 17 U.S.C.A. | 46 | |
| Copyright protection and license | 47 | |
| Countermeasures | 48 | |
| Countermeasures/deterrents – automated/technical | 49 | |
| Criminal prosecution | 50 | |
| Declassification of media | 51 | |
| Delegation of authority | 52 | |
| Disaster recovery | 53 | |
| Disposition of classified material | 54 | |
| Documentation | 55 | |
| Documentation policies | 56 | |
| Documentation role in reducing risk | 57 | |
| Downgrade of media | 58 | |
| Due diligence | 59 | |
| Education, training, and awareness as a countermeasure | 60 | |
| Electronic emanations | 61 | |
| Electronic records management | 62 | |
| Electronic-mail security | 63 | |
| Emergency destruction | 64 | |
| Emergency destruction procedures | 65 | |
| Emissions Security (EMSEC) | 66 | |
| Ethics | 67 | |
| Evidence collection | 68 | |
| Evidence collection policies | 69 | |
| Evidence preservation | 70 | |
| Evidence preservation policies | 71 | |
| Execution of memoranda of understanding | 72 | |
| Facilities planning | 73 | |
| Federal Information Security Management Act (FISMA) | 74 | |
| Federal Property and Administration Service Act | 75 | |
| Federal Records Act | 76 | |
| Fraud, waste and abuse | 77 | |
| Freedom of Information Act (FOIA) and Electronic Freedom of Information Act (EFOIA) | 78 | |
| Government Information Security Reform Act (GISRA) | 79 | |
| Government Paperwork Elimination Act (GPEA) | 80 | |
| Importance and role of non-repudiation | 81 | |
| Importance and role of PKI | 82 | |
| Importance of Security Test and Evaluation (ST&E) as part of acquisition process | 83 | |
| Incident response | 84 | |
| Incident response policy | 85 | |
| Information assurance – SSM role | 86 | |
| Information Assurance (IA) | 87 | |
| Information assurance budget | 88 | |
| Information assurance business aspects | 89 | |
| Information assurance cost benefit analysis | 90 | |
| Information classification | 91 | |
| Information ownership | 92 | |
| Information security policy | 93 | |
| Interim authority to operate (IATO) | 94 | |
| Investigative authorities | 95 | |
| Justification for waiver | 96 | |
| Law enforcement interfaces | 97 | |
| Law enforcement policies | 98 | |
| Legal and liability issues as they apply to mission | 99 | |
| Legal issues and Information Assurance (IA) | 100 | |
| Legal issues which can affect Information Assurance (IA) | 101 | |
| Legal responsibilities of the SSM | 102 | |
| Liabilities associated with disclosure of sensitive information | 103 | |
| Licensing | 104 | |
| Life cycle management | 105 | |
| Life cycle security planning | 106 | |
| Life cycle system security planning | 107 | |
| Logging policies | 108 | |
| Marking classified/sensitive information | 109 | |
| Memorandum of Understanding/Agreement | 110 | |
| Methods of implementing risk mitigation strategies necessary to obtain ATO | 111 | |
| Millennium Copyright Act | 112 | |
| National Archives and Records Act | 113 | |
| Need-to-know controls | 114 | |
| Non-repudiation | 115 | |
| Operations Security | 116 | |
| Organizational – threats | 117 | |
| Organizational/agency information assurance emergency response team role | 118 | |
| Organizational/agency information assurance emergency response teams | 119 | |
| Paperwork Reduction Act as codified in 44 U.S.C.A. Section 3501 | 120 | |
| Personnel security | 121 | |
| Personnel security guidance | 122 | |
| Personnel security policies | 123 | |
| PKI | 124 | |
| Principles of aggregation | 125 | |
| Principles of information ownership | 126 | |
| Principles of risk | 127 | |
| Principles of system reconstitution | 128 | |
| Privacy Act | 129 | |
| Problems associated with disclosure of sensitive information | 130 | |
| Procedural/administrative countermeasures | 131 | |
| Protection profiles | 132 | |
| Purpose of Systems Security Authorization Agreement (SSAA) | 133 | |
| Recertification | 134 | |
| Recertification effort | 135 | |
| Recertification of systems characteristics that need review | 136 | |
| Recertification process | 137 | |
| Recertification purpose | 138 | |
| Reconstitution | 139 | |
| Recovery plan | 140 | |
| Remanence | 141 | |
| Residual risk | 142 | |
| Resources | 143 | |
| Responsibilities associated with accreditation | 144 | |
| Restoration | 145 | |
| Restoration and continuity of operation | 146 | |
| Restoration process | 147 | |
| Results of certification tools | 148 | |
| Risk | 149 | |
| Risk acceptance | 150 | |
| Risk acceptance process | 151 | |
| Risk analysis | 152 | |
| Risk assessment | 153 | |
| Risk assessment as it supports granting waiver | 154 | |
| Risk assessment supporting granting an IATO | 155 | |
| Risk in certification and accreditation | 156 | |
| Risk management | 157 | |
| Risk mitigation | 158 | |
| Risk mitigation strategies | 159 | |
| Risk mitigation strategies necessary to obtain IATO | 160 | |
| Risk reports | 161 | |
| Risks associated with portable wireless systems, viz. PDAs, etc. | 162 | |
| Risks from connectivity | 163 | |
| Role of risk analyst | 164 | |
| Security Test and Evaluation (ST&E) as part of acquisition process | 165 | |
| Separation of duties | 166 | |
| Service Provider Exemption to the Federal Wiretap Statute [18 U.S.C.A. Section 2511(2)(a)(i)-(ii)] | 167 | |
| Storage (McCumber) | 168 | |
| System accreditor's role | 169 | |
| System architecture | 170 | |
| System certifier's role | 171 | |
| System disposition | 172 | |
| System reutilization | 173 | |
| System security architecture | 174 | |
| System security architecture support of continuity of operations (CONOPS) | 175 | |
| Systems Security Authorization Agreement (SSAA) | 176 | |
| TEMPEST failures | 177 | |
| TEMPEST requirements | 178 | |
| Test and evaluation | 179 | |
| Threat | 180 | |
| Threat analysis | 181 | |
| Threats – assessment/environmental/human/natural | 182 | |
| Threats from contracting for security services | 183 | |
| Threats to systems | 184 | |
| Transmission (McCumber) | 185 | |
| Types of contracts for security services | 186 | |
| Vulnerability | 187 | |
| Vulnerability – aggregation | 188 | |
| Vulnerability – connected systems | 189 | |
| Vulnerability – improper disposition | 190 | |
| Vulnerability – improper reutilization | 191 | |
| Vulnerability – network | 192 | |
| Vulnerability – technical | 193 | |
| Vulnerability – wireless technology | 194 | |
| Role of System Security Officer (ISSO) | 195 | |
| Key Resource Managers | 196 | |