| Competency Item | Action Item | Student Checklist |
|---|---|---|
| Access control policies | 1 | |
| Access controls – discretionary/mandatory | 2 | |
| Access privileges | 3 | |
| Accountability for sensitive data | 4 | |
| Accreditation | 5 | |
| Accreditation procedure | 6 | |
| Accreditation types | 7 | |
| Administrative security policies | 8 | |
| Approval to Operate (ATO) purpose and contents | 9 | |
| Assignment of individuals to perform information assurance functions | 10 | |
| Attacks | 11 | |
| Audit trail policy | 12 | |
| Auditable events | 13 | |
| Automated countermeasures/deterrents | 14 | |
| Automated security tools | 15 | |
| Availability (McCumber) | 16 | |
| Background investigations | 17 | |
| Backups | 18 | |
| Biometric policies | 19 | |
| Biometrics | 20 | |
| Budget | 21 | |
| Business recovery | 22 | |
| Certification | 23 | |
| Certification and Accreditation effort leading to Systems Security Authorization Agreement | 24 | |
| Certification and Accreditation process policy | 25 | |
| Certification procedure | 26 | |
| Certification roles | 27 | |
| Certification tools | 28 | |
| Certifier's understanding of mission | 29 | |
| Change control | 30 | |
| Clinger-Cohen Act | 31 | |
| Commercial proprietary information | 32 | |
| Commercial proprietary information protection | 33 | |
| Common Criteria (Product Assurance) role in acquiring systems | 34 | |
| Communications Security (COMSEC) materials | 35 | |
| Computer crime and the various methods | 36 | |
| Computer Fraud and Abuse Act as codified in 18 U.S.C.A. Section 1030 | 37 | |
| Concept of Operations (CONOPS) | 38 | |
| Confidentiality (McCumber) | 39 | |
| Configuration management | 40 | |
| Connected organizations | 41 | |
| Connectivity involved in communications | 42 | |
| Contingency planning | 43 | |
| Continuity of operations | 44 | |
| Contracting for security services | 45 | |
| Copyright Act of 1976 and Copyright Amendment Act of 1992 as codified in 17 U.S.C.A. | 46 | |
| Copyright protection and license | 47 | |
| Countermeasures | 48 | |
| Countermeasures/deterrents – automated/technical | 49 | |
| Criminal prosecution | 50 | |
| Declassification of media | 51 | |
| Delegation of authority | 52 | |
| Disaster recovery | 53 | |
| Disposition of classified material | 54 | |
| Documentation | 55 | |
| Documentation policies | 56 | |
| Documentation role in reducing risk | 57 | |
| Downgrade of media | 58 | |
| Due diligence | 59 | |
| Education, training, and awareness as a countermeasure | 60 | |
| Electronic emanations | 61 | |
| Electronic records management | 62 | |
| Electronic-mail security | 63 | |
| Emergency destruction | 64 | |
| Emergency destruction procedures | 65 | |
| Emissions Security (EMSEC) | 66 | |
| Ethics | 67 | |
| Evidence collection | 68 | |
| Evidence collection policies | 69 | |
| Evidence preservation | 70 | |
| Evidence preservation policies | 71 | |
| Execution of memoranda of understanding | 72 | |
| Facilities planning | 73 | |
| Federal Information Security Management Act (FISMA) | 74 | |
| Federal Property and Administrative Services Act | 75 | |
| Federal Records Act | 76 | |
| Fraud, waste and abuse | 77 | |
| Freedom of Information Act (FOIA) and Electronic Freedom of Information Act (EFOIA) | 78 | |
| Government Information Security Reform Act (GISRA) | 79 | |
| Government Paperwork Elimination Act (GPEA) | 80 | |
| Importance and role of non-repudiation | 81 | |
| Importance and role of PKI | 82 | |
| Importance of Security Test and Evaluation (ST&E) as part of acquisition process | 83 | |
| Incident response | 84 | |
| Incident response policy | 85 | |
| Information assurance – SSM role | 86 | |
| Information Assurance (IA) | 87 | |
| Information assurance budget | 88 | |
| Information assurance business aspects | 89 | |
| Information assurance cost benefit analysis | 90 | |
| Information classification | 91 | |
| Information ownership | 92 | |
| Information security policy | 93 | |
| Interim authority to operate (IATO) | 94 | |
| Investigative authorities | 95 | |
| Justification for waiver | 96 | |
| Law enforcement interfaces | 97 | |
| Law enforcement policies | 98 | |
| Legal and liability issues as they apply to mission | 99 | |
| Legal issues and Information Assurance (IA) | 100 | |
| Legal issues which can affect Information Assurance (IA) | 101 | |
| Legal responsibilities of the SSM | 102 | |
| Liabilities associated with disclosure of sensitive information | 103 | |
| Licensing | 104 | |
| Life cycle management | 105 | |
| Life cycle security planning | 106 | |
| Life cycle system security planning | 107 | |
| Logging policies | 108 | |
| Marking classified/sensitive information | 109 | |
| Memorandum of Understanding/Agreement | 110 | |
| Methods of implementing risk mitigation strategies necessary to obtain ATO | 111 | |
| Digital Millennium Copyright Act (DMCA) | 112 | |
| National Archives and Records Act | 113 | |
| Need-to-know controls | 114 | |
| Non-repudiation | 115 | |
| Operations Security | 116 | |
| Organizational – threats | 117 | |
| Organizational/agency information assurance emergency response team role | 118 | |
| Organizational/agency information assurance emergency response teams | 119 | |
| Paperwork Reduction Act as codified in 44 U.S.C.A. Section 3501 | 120 | |
| Personnel security | 121 | |
| Personnel security guidance | 122 | |
| Personnel security policies | 123 | |
| PKI | 124 | |
| Principles of aggregation | 125 | |
| Principles of information ownership | 126 | |
| Principles of risk | 127 | |
| Principles of system reconstitution | 128 | |
| Privacy Act | 129 | |
| Problems associated with disclosure of sensitive information | 130 | |
| Procedural/administrative countermeasures | 131 | |
| Protection profiles | 132 | |
| Purpose of Systems Security Authorization Agreement (SSAA) | 133 | |
| Recertification | 134 | |
| Recertification effort | 135 | |
| Recertification of systems: characteristics that need review | 136 | |
| Recertification process | 137 | |
| Recertification purpose | 138 | |
| Reconstitution | 139 | |
| Recovery plan | 140 | |
| Remanence | 141 | |
| Residual risk | 142 | |
| Resources | 143 | |
| Responsibilities associated with accreditation | 144 | |
| Restoration | 145 | |
| Restoration and continuity of operations | 146 | |
| Restoration process | 147 | |
| Results of certification tools | 148 | |
| Risk | 149 | |
| Risk acceptance | 150 | |
| Risk acceptance process | 151 | |
| Risk analysis | 152 | |
| Risk assessment | 153 | |
| Risk assessment as it supports granting a waiver | 154 | |
| Risk assessment supporting granting an IATO | 155 | |
| Risk in certification and accreditation | 156 | |
| Risk management | 157 | |
| Risk mitigation | 158 | |
| Risk mitigation strategies | 159 | |
| Risk mitigation strategies necessary to obtain IATO | 160 | |
| Risk reports | 161 | |
| Risks associated with portable wireless systems (e.g., PDAs) | 162 | |
| Risks from connectivity | 163 | |
| Role of risk analyst | 164 | |
| Security Test and Evaluation (ST&E) as part of acquisition process | 165 | |
| Separation of duties | 166 | |
| Service Provider Exemption to the Federal Wiretap Statute [18 U.S.C.A. Section 2511(2)(a)(i)-(ii)] | 167 | |
| Storage (McCumber) | 168 | |
| System accreditor's role | 169 | |
| System architecture | 170 | |
| System certifier's role | 171 | |
| System disposition | 172 | |
| System reutilization | 173 | |
| System security architecture | 174 | |
| System security architecture support of continuity of operations (COOP) | 175 | |
| Systems Security Authorization Agreement (SSAA) | 176 | |
| TEMPEST failures | 177 | |
| TEMPEST requirements | 178 | |
| Test and evaluation | 179 | |
| Threat | 180 | |
| Threat analysis | 181 | |
| Threats – assessment/environmental/human/natural | 182 | |
| Threats from contracting for security services | 183 | |
| Threats to systems | 184 | |
| Transmission (McCumber) | 185 | |
| Types of contracts for security services | 186 | |
| Vulnerability | 187 | |
| Vulnerability – aggregation | 188 | |
| Vulnerability – connected systems | 189 | |
| Vulnerability – improper disposition | 190 | |
| Vulnerability – improper reutilization | 191 | |
| Vulnerability – network | 192 | |
| Vulnerability – technical | 193 | |
| Vulnerability – wireless technology | 194 | |
| Role of Information System Security Officer (ISSO) | 195 | |
| Key Resource Managers | 196 | |