ISSO - Boot Camp - Informations Systems Security Officer

Summary

This course focuses on planning, identifying, implementing, enforcing and maintaining data center security, as well as integrating technical and non-technical solutions for securing critical information infrastructures and establishing the standards necessary to help protect the confidentiality, maintain the integrity and ensure the availability of sensitive data and critical organizational computing resources.

The ISSO Boot camp provides five days of comprehensive, non-technical, entry-level professional training to achieve the fundamental knowledge, skills, and abilities necessary to facilitate and integrate requisite system-level security policies, processes, practices, procedures and protocols.

Audience

Anyone currently holding an ISSO position; those earmarked for current or planned ISSO billets; security managers (corporate or departmental security officer staff) responsible for IS security, chief informatics office (CIO) staff, including technical support, system managers, configuration managers, etc. who have collateral IS security responsibilities.

 Course Objectives

• Information systems security is the protection of information systems against unauthorized access to or modification of information whether in storage, processing, or transit, and against denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.
• Learn the security planning and administrative security procedures for systems that process sensitive, classified and national intelligence data.
• Understand the implementation and enforcement of Information System Security Policies and Practices.
• Know the concerns and requirements that determine the administration and management of physical, system and data access controls based on the sensitivity of the data processed and the corresponding authorization requirements.
• Learn the identification, analysis, assessment and evaluation of information system threats and vulnerabilities and their impact on an organization’s critical information infrastructures.
• Be able to identify management, technical, personnel, operational, and physical security controls.
• Upon completion, understand the critical areas of knowledge required to step into any key information security position including Information Systems Security Officer.

Student Materials

The student kit includes a comprehensive workbook and other necessary materials for this class.

Course Outline

I.  Develop Certification and Accreditation Posture

a. Plan for Certification and Accreditation

• Planning
• Defense in depth
• Assets
• Threats
• Vulnerabilities
• Criticality
• Risk
• Conduct risk assessment
• Countermeasures
• Organizational/agency systems emergency/incident response team
• Education, training, & awareness (ETA)
• Residual risk
• Cost/benefit analysis

b.  Confidentiality, Integrity and Availability (CIA) Policy

• Contingency plans
• Concept of operations (CONOP)
• Continuity plans
• Legal plan
• Disposition of classified material & emergency destruction policy (EDP)
• Identification and authentication (I&A) policy
• Monitoring and auditing policy

c.  Control Systems Policies

• Configuration management policy
• Protective technology policy
• Intrusion detection policy
• Malicious code policy
• Access controls

d.  Culture and Ethics

• Policy
• Organization culture
• Basic/generic management issues
• Agency-specific security policies & procedures

e.       Incident Response

• Concept of operations (CONOP)
• Criminal activity preparedness planning
• Organizational/agency systems emergency/incident response team
• Malicious code

II.  Implement Site Security Policy

a.       Confidentiality, Integrity and Availability (CIA)

• Contingency plans
• Emergency destruction procedures (EDP)
• Continuity plans
• Disposition of classified material
• Monitoring and auditing
• Audit trail and logging, error/system logs
• Intrusion detection
• Investigation of security breaches
• Monitoring
• Configuration management
• Countermeasures

b.  Ensure Facility is Approved

• Facility Approval

c. Operations

• Security policy
• Agency/vendor cooperation/coordination
• Certification advocacy
• Conduct risk assessment
• Contracting for security services
• Ensure information system is approved
• Life cycle system security planning
• System security architecture study

d. General Principles

• Access control models
• Approval to operate
• Attack
• Business aspects of information security
• Common criteria
• Computer network attack
• Criminal prosecution
• Defense in depth
• Due care
• Education, training, & awareness
• Industrial security
• Information warfare (INFOWAR) concepts
• Intellectual property rights
• Interim approval to operate (IATO)
• Investigative authorities
• Knowledge of security laws
• Lattice model
• Law enforcement interfaces
• Multi-level security
• Need for system certification
• Operating security features
• Risk management
• Security awareness as a countermeasure
• Security education as a countermeasure
• Security training as a countermeasure
• Software licensing
• Software piracy
• Systems security authorization agreement (SSAA)
• Systems security plan (SSP)
• Standards of conduct
• ITSEC/common criteria
• Waive policy to continue operation

e. Security Management

• Electronic records management
• Records retention
• E-mail
• Non-repudiation
• Hardware asset management
• Software asset management

f.   Access Controls

• Human access
• Key management

g.  Incident Response

• Security investigation procedures

III. Enforce and Verify System Security Policy

a. Confidentiality, Integrity and Availability/Accountability (CIA)

• Planning
• Monitoring and auditing
• Environmental controls
• Filtered power
• Fire prevention
• Grounding
• Safety

b. Security management

• Electronic records management
• Records retention
• E-mail
• Non-repudiation
• Hardware asset management
• Software asset management

c.  Access Controls

• Human access
• Key management
• Configuration management
• Protective technology
• Media security
• Network assurance

d. Automated Security Tools

• Automated security tools
• Initiate protective and/or corrective measures

e. Handling Media

• Handling media
• Labeling
• Marking of media/information systems oversight office (ISOO) rules
• Marking of sensitive information
• Physical controls & accounting
• Remanence
• Transportation
• Disposition of classified material

f.  INCIDENT RESPONSE

• Criminal prosecution
• Evidence acceptability
• Evidence collection and preservation
• Legal and liability issues

IV.  Report on Site Security Status

a.  Security Continuity Reporting

• Contingency plans
• Continuity plans
• Disposition of classified material & emergency destruction procedures (EDP)
• Monitoring and auditing
• Identification & authentication
• Configuration management
• Testing

b.  Report Security Incidents

• Computer organizational/agency systems emergency/incident response team
• Security incidents
• Security violations reporting process (incident response)

c. Law

• Investigative authorities
• Law enforcement interfaces (LEI)
• Witness interviewing/interrogation
• Entrapment
• Disgruntled employees

d. Report Security Status of Information System as Required

• Administrative security policies and procedures
• Agency specific security policies
• Organizational/agency systems emergency/incident response team
• Automated systems security incident support team (ASSIST)
• Trade journals, bulletin board system (BBS) notices

e. Report to IG

• Inspector General (IG) (external) audit & assessments

V.  Support Certification and Accreditation

a.  Certification Function

• Assessments (e.g., surveys, inspections)
• Risk assessment
• Technical certification
• Verification and validation process

VI. Accreditation Function

a.  ISSO

• Managers
• System administrator (SA)

b. Respond to Requests

• Approval to operate
• Assessment methodology
• Certification statement
• Certification tools
• Identify security changes
• Interim approval to operate (IATO)
• Re-certification
• Security test & evaluation (ST&E)
• SSAA
• Type accreditation
•  Waive policy to continue operation