The successful student in INFO 4416, 5516, 6616 demonstrates entry-level competency as they provide, discuss, identify, explain, assist, conduct, outline, determine, evaluate, define, describe, monitor, recommend, summarize, appraise, examine, list, team, use, analyze, apply, assess, build, interpret, apprise, characterize, develop, discriminate, ensure, influence, integrate, relate, report, review, support, understand, and verify the following terms via slide shows, modules, written or oral exams
Action Item and Competency
Student Checklist
1. E - Adverse findings and effect on continued IT operations in a given mission environment
|
2. E - Adverse system findings and halting mission support operations |
|
3. E - Agency/Local guidance |
|
4. E - Agency-Specific policies and procedures in relation to risk environment |
|
5. E - Agency-Specific system reutilization policies and procedures |
|
6. E - All component and overall risks inherent in system |
|
7. E - Alternative actions permitted on system |
|
8. E - Analysis of security safeguards of a system as they have been applied to an operational environment to determine security posture |
|
9. E - Analysis of threats, vulnerabilities, attacks, and consequences in relationship to risk assessment of a system |
|
10. E - Applicable IA laws, regulations, and policies |
|
11. E - Applicable national level policies |
|
12. E - Applicable organizational certification and accreditation processes |
|
13. E - Applied security evaluation and analysis |
|
14. E - Approaches to risk management |
|
15. E - Aspects of security in a vulnerability testing and evaluation plan |
|
16. E - Assessment of costs of data protection for a system versus cost of loss or compromise |
|
17. E - Audit mechanism processes used to collect, review, and/or examine system activities |
|
18. E - Audit trails and logging policies |
|
19. E - Building a compendium of relative threats, vulnerabilities, attacks, and consequences related to system |
|
20. E - Change control policies for incorporation in IA training |
|
21. E - Chronological record of system activities for reconstruction and examination of events and/or changes in an event |
|
22. E - Classification policies as part of risk management plan |
|
23. E - Communications security policy and guidance for incorporation into IT training |
|
24. E - Compendium of relative threats, vulnerabilities, attacks, and consequences related to a system (Common vulnerabilities and exploitations) |
|
25. E - Cost analysis of data protection versus cost of data loss or compromise
|
26. E - Cost assessment for providing data protection versus cost of data loss or compromise |
|
27. E - Cost/Benefit of organization’s IA countermeasure plans |
|
28. E - Cost/Benefit of personnel supporting access control policies |
|
29. E - Countermeasures based on threat capabilities and motivations |
|
30. E - Critical database security pitfalls |
|
31. E - Criticality of applications security |
|
32. E - Current mission and role of information system in supporting mission |
|
33. E - Database best practices and pitfalls in database security |
|
34. E - Decision makers of existing countermeasure models, tools, and techniques |
|
35. E - Defining countermeasures directed at specific threats and vulnerabilities |
|
36. E - Definitions of security requirements |
|
37. E - Detailed evaluation of vulnerabilities, attack, threats, and consequences that may affect system |
|
38. E - Detailed examination and evaluation of impact of attacks |
|
39. E - Detailed examination and evaluation of possible actions to mitigate vulnerabilities |
|
40. E - Detailed examination and evaluation of sources and factors that can adversely impact system |
|
41. E - Detailed examination of vulnerabilities, attack, threats, and consequences that may affect system |
|
42. E - Development of ST&E plan and procedure for testing and evaluating a system |
|
43. E - Differences between security features and capabilities |
|
44. E - Discrimination with known and potential vulnerabilities based on test procedures |
|
45. E - EDPP for incorporation in IA training |
|
46. E - Effect of countermeasures on risk through the analysis of paired interaction of a defense |
|
47. E - Effectiveness of automated security tools that confirm validity of a transmission |
|
48. E - Effectiveness of automated security tools that verify an individual’s eligibility to receive specific categories of information |
|
49. E - Effects of mitigation derived from application of countermeasures to a system |
|
50. E - Elements of database security features |
|
51. E - Environment in relation to current threat |
|
52. E - Environmental and natural threats as part of security management plan |
|
53. E - Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited |
|
54. E - Evaluation of threats, vulnerabilities, and countermeasures to determine residual risk |
|
55. E - Examination and evaluation of sources and factors that can adversely impact system |
|
56. E - Examination of vulnerabilities, attack, threats and consequences that may affect system |
|
57. E - Exploitable weaknesses in information system, security procedures, internal controls or implementations |
|
58. E - Files created by operating system for review of audit process |
|
59. E - Hardware or software flaw that opens an information system to potential exploitation
|
60. E - Hardware, firmware, communications, or software weaknesses that open an information system to exploitation |
|
61. E - Hostile intelligence sources as part of vulnerabilities and attack venues |
|
62. E - How certification process ensures security requirement implementation |
|
63. E - Identifying protections offered by security features in specific configurations |
|
64. E - Vulnerability assessment methodologies |
|
65. E - Impact of hostile agents seeking national security information which could potentially cause harm to national security |
|
66. E - Impact of security breaches and estimate an attacker’s probable response |
|
67. E - Impact of security on mission |
|
68. E - Information acquisition and review process for best use of resources to protect system |
|
69. E - Information system analysis in determining adequacy of security measures |
|
70. E - Information system support mission |
|
71. E - Jamming as a potential threat |
|
72. E - Known and hypothetical variable discrimination based on executed test procedures |
|
73. E - Known and hypothetical variables based on test procedures |
|
74. E - Weaknesses in system, system security procedures, and internal controls and implementation |
|
75. E - Known avenues of attack such as operating system bugs, network vulnerabilities, human threats, etc.
|
76. E - Level of threat based on its applicability to system |
|
77. E - Vulnerability analysis to determine adequacy of security measures, identify security deficiencies, and provide data to predict effectiveness of security measures |
|
78. E - Life cycle countermeasures based on assessment of threats, capabilities, and motivations to exploit vulnerability |
|
79. E - Life cycle management SCMB policies and procedures |
|
80. E - Life cycle operation and maintenance project milestones relating to risk |
|
81. E - Local application of IA laws, regulations, and policies |
|
82. E - Local policies and procedures implementing regulations, laws, and procedures in local environment |
|
83. E - Local policies and procedures to supplement and implement higher-level guidance |
|
84. E - Maintenance of accounting files, tools, user accounts, and system statistics |
|
85. E - Maintenance of user accounts |
|
86. E - Maintenance plans for protective measures to ensure tolerable level of risk |
|
87. E - Maintenance procedures concerning life cycle operations and analysis issues |
|
88. E - Means through which a threat agent can adversely affect information system, facility, or operation |
|
89. E - Methodologies used to evaluate system security safeguards |
|
90. E - Methods through which threat agent adversely affects information system, facility, or operation |
|
91. E - National and local level access control policies |
|
92. E - Organization IT security needs and relations to countermeasure requirements |
|
93. E - Organizational capability and ability to evaluate threats, and vulnerabilities |
|
94. E - Organizational mission in conjunction with vulnerabilities and attack venues |
|
95. E - Paired interaction of a vulnerability to an attack |
|
96. E - Paired interaction of system threats and vulnerabilities |
|
97. E - Payoff to and liabilities incurred by an attacker in a successful attack |
|
98. E - Performance measurement data in operations and maintenance examination of events and/or changes in an event |
|
99. E - Physical security requirements |
|
100. E - Policy, guidance and process for the capture, maintenance, and distribution of audit logs |
|
101. E - Potential vulnerabilities that may lead to defeat of security services |
|
102. E - Process for selecting and purchasing new information technology (IT) |
|
103. E - Process of analyzing paired interactions of system threats and vulnerabilities |
|
104. E - Process of formally evaluating degree of threat and describing nature of threat |
|
105. E - Process of selecting and purchasing IT designed to implement management risk process |
|
106. E - Process to determine underlying state of system |
|
107. E - Process to ensure that applications function according to specifications |
|
108. E - Processes for disposition of media and data |
|
109. E - Processes for timely deletion of accounts |
|
110. E - Processes for updating access |
|
111. E - Processes for verification of authorization prior to adding new account |
|
112. E - Program or user operations that can be performed during testing and evaluation
|
113. E - Protections offered by security features in specific configurations |
|
114. E - Purpose of using copies of backup files for later reconstruction of files |
|
115. E - Questions for determining countermeasures during C&A process |
|
116. E - Respective value of penetration testing post-testing actions, general information principles, and summary comparison of network testing techniques |
|
117. E - Results of certification tools during testing and evaluation |
|
118. E - Risk analysis examination and evaluation process to determine relationships among threats, vulnerabilities, and countermeasures |
|
119. E - Risk analysis processes used in development of life cycle functions |
|
120. E - Risk analyst concerns relating to life cycle system security planning |
|
121. E - Risk assessment methodology in relation to risk analyst function |
|
122. E - Risk management methodology in relation to system security |
|
123. E - Risk management methodology which includes evaluation of threats, vulnerabilities, and countermeasures |
|
124. E - Risk methodologies used to evaluate measures taken to protect system |
|
125. E - Risk mitigation decisions derived from analysis and review of physical security requirements |
|
126. E - Risk variables to build a compendium of relative threats, vulnerabilities, attacks, and consequences related to a system |
|
127. E - Risks associated with distributed systems security |
|
128. E - Role of formal methods in security design as part of risk management plan |
|
129. E - Role of personnel security policies and guidance as part of overall risk management plan |
|
130. E - Role of RA in certification and accreditation process |
|
131. E - Security and software countermeasures during design, implementation, and testing phases to achieve required level of confidence |
|
132. E - Security countermeasures in relation to vulnerabilities and attack venues |
|
133. E - Security features of system |
|
134. E - Security inspections conducted during C&A process |
|
135. E - Security laws applicable to certification/accreditation process |
|
136. E - Security policies and procedures implemented during risk analysis/assessment process |
|
137. E - Security requirements as potential countermeasures |
|
138. E - Security test and evaluation (ST&E) procedures, tools, and equipment |
|
139. E - Security with regard to confidentiality, integrity, authentication, availability, and non-repudiation |
|
140. E - Software test and evaluation results related to system restoration |
|
141. E - Solutions based on a set of static and variable factors of system |
|
142. E - State and vulnerabilities in network security software |
|
143. E - State of security features embedded in commercial-off-the-shelf (COTS) products in relation to risk management plan |
|
144. E - Strengths of alternative test and evaluation strategies |
|
145. E - Susceptibility of a system to attack after countermeasures have been applied |
|
146. E - Synthesis of all component and risks inherent in a system |
|
147. E - System IA design guidance |
|
148. E - System security policies |
|
149. E - System security safeguards established to determine system security posture |
|
150. E - Technical analysis of components, products, subsystems, or systems security that establishes whether or not component, product subsystem, or system meets a specific set of requirements independently and in |
|
151. E - Technical and non-technical results from testing and evaluation |
|
152. E - Technical knowledge required of personnel responsible for networks, servers, workstations, operating systems, etc.
|
153. E - Technical knowledge required of personnel responsible for operating and maintaining networks, servers, workstations, operating systems, etc.
|
154. E - Techniques and measures to detect and neutralize a wide variety of hostile penetration technologies |
|
155. E - Technology needed to mount an attack based on existing countermeasures |
|
156. E - Technology trends in context of future security management plan |
|
157. E - Test results that determine underlying state of system |
|
158. E - Testing of security features during testing and evaluation |
|
159. E - Testing roles and responsibilities |
|
160. E - Tests results |
|
161. E - That system acquisitions policies and procedures include assessment of risk management policies |
|
162. E - Threat analysis to determine vulnerabilities and attack venues |
|
163. E - Threat and vulnerability analyses input to C&A process |
|
164. E - Threat and/or risk assessment in determining vulnerabilities and attack venues |
|
165. E - Threat/Risk assessment methodology appropriate for use with system undergoing accreditation |
|
166. E - Threats and vulnerabilities |
|
167. E - Use of Common Criteria guidance to determine hardware and software assurance applications for simultaneous processing of a range of information classes
|
168. E - Utilities used to determine vulnerabilities or configurations not within established limits/baselines |
|
169. E - Various categorization schemas |
|
170. E - Vulnerabilities associated with security processing modes |
|
171. E - Vulnerabilities, attacks, threats, and consequences assessment to determine vulnerabilities and attack avenues |
|
172. E - Vulnerability analysis process |
|
|
|
The successful student in CIS 4416 demonstrates intermediate-level competency as they discuss, explain, team, evaluate, define, assist, determine, recommend, identify, analyze, apply, compare, advise, incorporate, influence, interpret, provide, assess, conduct, consult, contrast, demonstrate, examine, give, integrate, justify, list, monitor, outline, research, and summarize the following concepts in case study workshops and hands-on exercises |
Student Checklist |
1. I - Acceptability of using federal information security practices in system design and protection |
|
2. I - Access permission granted to a subject in relation to an object |
|
3. I - Access permissions granted to users of system |
|
4. I - Accuracy and reliability of an information system’s data |
|
5. I - Actions, devices, procedures, techniques, or measures that reduce vulnerability or threat to a system |
|
6. I - Activities that support C&A process |
|
7. I - Adverse system findings and halting mission support operations |
|
8. I - Agency-Specific policies and procedures |
|
9. I - Agency-Specific policies and procedures integration into results of risk analysis report |
|
10. I - Allowable duration of system’s operations run time, beginning with identification of a need to place a system in operation; continuing through system design, development, implementation, and operation; and ending with the system’s deactivation |
|
11. I - Analysis of countermeasure effectiveness as applied to a given risk and probability of an occurrence |
|
12. I - Analysis of paired interaction of vulnerability to attack |
|
13. I - Analysis of vulnerabilities of an information system |
|
14. I - Analyzing, recommending and detailing alternative actions permitted on system |
|
15. I - Applicable national level and agency/local policies and guidance |
|
16. I - Approval process for operating system at a satisfactory level of risk |
|
17. I - Aspects of security for a system and cost incurred by an adversary to mount an attack |
|
18. I - Assessment of data protection costs versus loss or compromise of data |
|
19. I - Audit collection requirements implementation |
|
20. I - Audit trail and logging policy examples for training |
|
21. I - C&A providing assurance that controls are functioning effectively |
|
22. I - Certification/Accreditation process for vulnerabilities |
|
23. I - Characteristics that ensure computer resources operate correctly |
|
24. I - Characteristics that ensure data integrity |
|
25. I - Classification policies as part of risk management plan |
|
26. I - Collection of languages and tools that enforce methods of verification |
|
27. I - Collection of verification and validation tools and techniques |
|
28. I - Communications security policy and guidance for incorporation into IT training |
|
29. I - Control policies for incorporation in IA training |
|
30. I - Various methods for defining security requirements |
|
31. I - Controls and traceability of all changes made to system during testing and evaluation |
|
32. I - Controls to safeguard assets |
|
33. I - Cost/Benefits of IA plans to determine totality of sensitivity during development, procurement, and installation of system in terms of aggregation of risk |
|
34. I - Data that confirms effectiveness of security measures after security testing |
|
35. I - Data to predict effectiveness of a security measure testing |
|
36. I - Deductive reasoning and test results |
|
37. I - Development of agency-specific IA principles and practices |
|
38. I - Discriminate approach variables and constants based on test procedures to gain acceptance for joint system usage |
|
39. I - Disposition of media and data records |
|
40. I - EDPP for incorporation in IA training |
|
41. I - Effect of modification to existing access controls |
|
42. I - Effects of mitigation derived from application of countermeasures |
|
43. I - Effects of risk mitigation derived from system countermeasures |
|
44. I - Evaluation of technical and non-technical security features of system during testing and evaluation |
|
45. I - Examination and evaluation of potential alternative actions to mitigate risk |
|
46. I - Examples of lessons learned in ethical/unethical cyber behavior and relate to risk management plan |
|
47. I - Formal approval process and procedures for providing system access for authorized users |
|
48. I - Generation of a database of corrective measures to bring the system into compliance with the level for which it is being certified
|
49. I - Hardware, software, firmware, communication flaw, circumstance, or event with potential to cause harm to a system or data |
|
50. I - Implementation of established policies and procedures ensuring that personnel have required authority and appropriate clearances |
|
51. I - Implementation policies |
|
52. I - Information system’s operational efficiency and promotion |
|
53. I - Input for recommending security features in specific configurations |
|
54. I - Integration of a variety of assessment methodologies into curricula |
|
55. I - Legal process for obtaining/maintaining ownership of information |
|
56. I - Life cycle analysis of security requirements and countermeasures based on assessment of threats capability and motivation to exploit a vulnerability |
|
57. I - Local policies and procedures that implement higher-level regulations, laws, and procedures |
|
58. I - Maintenance of accounting files, tools, user accounts, and system statistics |
|
59. I - Maintenance of user authentication data used to authenticate an identity or to authorize access to data |
|
60. I - Maintenance practices, procedures, and measures intended to ensure an acceptable level of risk |
|
61. I - Managerial policy adherence |
|
62. I - Method used for surveys and inspections in C&A process |
|
63. I - Offsets of adverse findings and decision to continue IT operation in current mission environment |
|
64. I - Operating and management procedures designed to detect or prevent unauthorized access to an information system |
|
65. I - Operating and management procedures enforcing access control |
|
66. I - Organizational certification and accreditation process with other agency certification and accreditation guidelines |
|
67. I - Physical security and domains and how they provide a useful approach for dealing with security and data protection in large-scale systems |
|
68. I - Adherence to prescribed managerial policies |
|
69. I - Physical security requirements |
|
70. I - Policies regarding audit data usage, management, and maintenance |
|
71. I - Policies regarding personnel access to audit records |
|
72. I - Process of selecting and purchasing new IT |
|
73. I - Process used to collect, review, and/or examine system activities |
|
74. I - Protection afforded information processed in a cryptographically-secured network |
|
75. I - Protection profiles for proposed system security countermeasures for a given attack analysis |
|
76. I - Protection schema of a distributed system that consists of workstations |
|
77. I - Records of system activities for chronological, analytical reconstruction, and maintenance of IA components in IT systems |
|
78. I - Relations between variety of disciplines employed in IA |
|
79. I - Relevant potential threat/vulnerability information gained from available intelligence and law enforcement agency sources |
|
80. I - Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited |
|
81. I - Return on investment results of evaluation of means by which threats can act on vulnerabilities |
|
82. I - Risk acceptance process to include mitigation versus avoidance |
|
83. I - Risk associated with agency-specific policies and procedures for SCMB |
|
84. I - Risk management methodologies to evaluate threats, vulnerabilities, and countermeasures to determine residual risk |
|
85. I - Risk management methodologies applied to the study of life cycle management policies and procedures
|
86. I - Risk variables through compendium of threats, vulnerabilities, attacks and consequences |
|
87. I - Role of audit trails |
|
88. I - Role of information categorization schema as part of risk management plan |
|
89. I - Role of security awareness as part of risk management plan |
|
90. I - Roles and responsibilities of agency vendors as member of risk management team |
|
91. I - Rules and measures in place for implementing IA measures with industrial partners/contractors |
|
92. I - Security deficiencies |
|
93. I - Security inspections during C&A process |
|
94. I - Security laws and applicability to risk management plan |
|
95. I - Security policies that describe permitted actions that may have an adverse effect on system
|
96. I - Security policies that describe permitted system actions |
|
97. I - Security policies that describe what system actions are prohibited |
|
98. I - Security policy that describes types of permitted and prohibited actions on system |
|
99. I - Security processes that ensure computer resources operate correctly and that data in databases are correct |
|
100. I - Security software designed to detect and prevent unauthorized system access |
|
101. I - Software options that control hardware and other software functions |
|
102. I - Specific security and software engineering applications during design, implementation, and testing phases |
|
103. I - System IA policy with regard to the acquisition and upgrade of software and hardware components and the laws and procedures that must be observed in their implementation |
|
104. I - Technical surveillance countermeasures |
|
105. I - Technology necessary to mount an attack
|
106. I - The implementation of laws, regulations and other public policies as they apply to an information system in a given operational environment |
|
107. I - The relative strengths of alternative test and evaluation strategies |
|
108. I - The risk of change proposals to authorized baselines |
|
109. I - Threats and vulnerabilities associated with remanence |
|
110. I - Types and details of actions permitted on systems |
|
111. I - Underlying state of system |
|
|
|
The successful student in CIS 4416 demonstrates advanced-level competency as they analyze, appraise, evaluate, interpret, team, recommend, determine, explain, perform, and provide the following terms in discussion seminars, readings, research papers or essays |
Student Checklist |
1. A - Effects of a risk assessment and certification/accreditation process on mission of a system
|
2. A - Applicability of network tool software, viz. password cracking, log review, file integrity, virus detectors, war dialing, wireless LAN testing (war driving), etc.
|
3. A - Application of IA laws, regulations, and policies |
|
4. A - Changes to roles and responsibilities of agency vendors as member of risk management team |
|
5. A - Communications security policy and guidance for incorporation into IT training |
|
6. A - Cost/Benefit of standard certification tools to support countermeasure activities |
|
7. A - Countermeasures |
|
8. A - Development of IA principles and practices applied to coordination with OMB and with technical assistance from NSA |
|
9. A - Disposition and reutilization records for potential vulnerabilities |
|
10. A - Integrated logistics support cycle as it applies to IA |
|
11. A - Interpretation of strengths and weaknesses of assessment methodologies |
|
12. A - Paired interaction of defense for specific vulnerability related to probability of attack |
|
13. A - Potential applicability of network and vulnerability scanning tools |
|
14. A - Potential applicability of range of testing tools |
|
15. A - Process of evaluating degree of threat to an information system |
|
16. A - Process of evaluating nature of threat to an information system |
|
17. A - Risk management methodology changes to life cycle management policies and procedures plan |
|
18. A - System level access policies used to process information |
|
19. A - System vulnerabilities |
|
20. A - Threat/Risk assessment in support of C&A process |
|