Official (ISC)2® Guide to the CISSP®-ISSEP® CBK®

Book description

The Official (ISC)2 Guide to the CISSP-ISSEP CBK provides an inclusive analysis of all of the topics covered on the newly created CISSP-ISSEP Common Body of Knowledge. The first fully comprehensive guide to the CISSP-ISSEP CBK, this book promotes understanding of the four ISSEP domains: Information Systems Security Engineering (ISSE); Certifica

Table of contents

  1. Cover
  2. Half Title
  3. Series Page
  4. Title Page
  5. Copyright Page
  6. Dedication
  7. Table of Contents
  8. Preface
  9. About the Author
  10. ISSE Domain 1: Information Systems Security Engineering (ISSE)
    1. Overview
    2. Contributors and Reviewers
    3. 1 ISSE Introduction
      1. Introduction
      2. SE and ISSE Overview
        1. IEEE 1220 Overview
      3. The ISSE Model
        1. Basic SE and ISSE Principles
          1. Principle 1: Always keep the problem and the solution spaces separate
          2. Principle 2: The problem space is defined by the customer’s mission or business needs
          3. Principle 3: The systems engineer and information systems security engineer define the solution space driven by the problem space
      4. Life Cycle and ISSE
        1. NIST SP 800-27, Rev. A: Engineering Principles
      5. Risk Management
      6. Defense in Depth
        1. People
        2. Technology
        3. Operations
          1. Defense in Multiple Places
          2. Layered Defenses
          3. Security Robustness
          4. Deploy KMI/PKI
          5. Deploy Intrusion Detection Systems
      7. Summary
      8. References
    4. 2 ISSE Model Phase 1: Discover Information Protection Needs
      1. Introduction
      2. Systems Engineering Activity: Discover Needs
      3. ISSE Activity: Discover Information Protection Needs
        1. Task 1: Define the Customer’s Mission/Business Needs
        2. Task 2: Define the Information Management
          1. From Mission Needs to Information Management Needs
          2. Creating an Information Management Model (IMM)
          3. Step 1: Identify Processes
          4. Step 2: Identify the Information Being Processed
          5. FIPS 199
          6. NIST SP 800-60
          7. NIST SP 800-59
          8. DoD Mission Assurance Categories (MACs)
          9. Information Domains
          10. Step 3: Identify the Users of the Information and the Process
          11. Task 3: Define the Information Protection Policy (IPP)
          12. Conducting the Threat Analysis and Developing the Information Protection Policy
          13. Potential Harmful Events (PHEs)
          14. Harm to Information (HTI)
      4. Identifying Security Services and Developing the Information Protection Policy
      5. Security Services
        1. Access Control
        2. Confidentiality
        3. Integrity
        4. Availability
        5. Non-Repudiation
        6. Security Management
        7. Additional Security Controls
      6. Creating the Information Protection Policy (IPP)
      7. Creating the IPP Document
        1. Introduction
        2. General Policies
        3. Establish Roles and Responsibilities
        4. Identify Decision Makers
        5. Define Certification and Accreditation (C&A) Team Members and Procedures
        6. Identify Information Domains and Information Management
        7. Identify Security Service Requirements
        8. Signatures
      8. The Information Management Plan (IMP)
      9. Final Deliverable of Step 1
      10. Summary
      11. References
    5. 3 ISSE Model Phase 2: Define System Security Requirements
      1. Introduction
      2. System Engineering Activity: Defining System Requirements
        1. Defining the System Context
          1. IEEE 1220: 5.1.1.1 System Concept
        2. Define System Requirements
          1. Define Customer Expectations (Task 6.1.1)
          2. Define Constraints (Tasks 6.1.2 and 6.1.3)
          3. Define Operational Scenarios (Task 6.1.4)
          4. Define Measures of Effectiveness (MOEs) (Task 6.1.5)
          5. Define System Boundaries (Task 6.1.6)
          6. Define Interfaces (Task 6.1.7)
          7. Define Utilization Environments (Task 6.1.8)
          8. Define Life-Cycle Process Concepts (Task 6.1.9)
          9. Define Functional Requirements (Task 6.1.10)
          10. Define Performance Requirements (Task 6.1.11)
          11. Define Modes of Operations (Task 6.1.12)
          12. Define Technical Performance Measures (Task 6.1.13)
          13. Define Design Characteristics (Task 6.1.14)
          14. Define Human Factors (Task 6.1.15)
          15. Establish Requirements Baseline (Task 6.1.16)
        3. Define Design Constraints
        4. The Preliminary System Concept of Operations (CONOPS)
      3. ISSE Activity: Defining System Security Requirements
        1. Define the System Security Context
        2. Define System Security Requirements
        3. Define the Preliminary System Security CONOPS
      4. Final Deliverable of Step 2
      5. Summary
      6. References
    6. 4 ISSE Model Phase 3: Define System Security Architecture
      1. Introduction
      2. Defining System and Security Architecture
        1. Defining System Architecture
        2. Defining System Security Architecture
        3. Guidelines for Designing System Architectures from DoDAF and FEAF
          1. DoD Architectural Framework
          2. Federal Enterprise Architecture Framework (FEAF)
      3. System Engineering Activity: Designing System Architecture
        1. Perform Functional Analysis and Allocation
          1. Functional Analysis
          2. Functional Hierarchy Diagram
          3. Functional Flow Block Diagrams
          4. Timeline Analysis Diagram
          5. Functional Allocation
        2. Identifying and Allocating Components
        3. Describe the Relationship Between the CIs
        4. Trace Functions and Components to Requirements
      4. ISSE Activity: Define the Security Architecture
        1. Design System Security Architecture
          1. IATF Information Infrastructure
        2. Security Functional Analysis and Allocation
        3. Identify Security Components, Controls, or Technologies
        4. Additional Security Controls
        5. Requirements Traceability and the RTM
        6. Interface Identification and Security Architecture
        7. Trade-Off Analysis
        8. ISSE and Risk Management
        9. DoD Goal Security Architecture Example
          1. CN Security Allocation
          2. LSE Security Service Allocations
          3. End System and Relay System Security Service Allocations
          4. Security Management Security Service Allocations
          5. Transfer System Security Service Allocations
          6. Physical and Administrative Environment Security Service Allocations
      5. Final Deliverable of Designing System and Security Architectures
      6. Summary
      7. References
    7. 5 ISSE Model Phase 4: Develop Detailed Security Design
      1. Introduction
      2. Systems Engineering Activity: System Design
        1. Trade-Off Analysis
        2. System Synthesis (Design)
        3. System Specifications
          1. IEEE Systems Engineering Process: Design Phase
          2. System Definition Level
          3. Preliminary System Design
        4. Detailed System Design
        5. Fabrication, Assembly, Integration, and Test (FAIT) Stage
        6. Production and Customer Support Stages
        7. Component Reliability
        8. Prototyping
        9. System Design Review
        10. System Engineering Management Plan (SEMP)
      3. ISSE Activity: System Security Design
        1. Conducting the Security Trade-Off Analysis
        2. Security Synthesis
        3. ISSE Design Phases
          1. Preliminary Security Design Phase
          2. Detailed Security Design Phase
        4. Allocating Security Mechanisms
        5. Identifying COTS/GOTS/Custom Security Products
        6. Identifying Security Mechanism Interfaces
        7. Developing Specifications: Common Criteria Profiles
        8. Life-Cycle Security Approach and the System Security Design Document
        9. Configuration Management and the Life-Cycle Security Approach
        10. Software Design
        11. Security Design Validation
        12. Prototyping for the ISSE Process
      4. ISSE Design and Risk Management
      5. Final Deliverables of Step 4
      6. Summary
      7. References
      8. Web Sites
      9. Software Design and Development Bibliography
    8. 6 ISSE Model Phase 5: Implement System Security
      1. Introduction
      2. System Engineering Activity: System Implementation
        1. Constructing the System
          1. Creating the Acquisition Plan
          2. Developing the Installation Plan
          3. Constructing Programs
          4. Conducting Unit Testing
          5. Establishing the Construction Environment
          6. Establishing Development Baselines
          7. Developing the Transition Plan
          8. Generating Operating Documents
          9. Developing a Training Program Plan
        2. Integration and Testing Phase
          1. Conduct Integration Testing
          2. Conduct System Testing
          3. Initiate Acceptance Process
          4. Conduct Acceptance Test Team Training
          5. Develop Maintenance Plan
        3. System Delivery
        4. IEEE 1220 Perspective on System Implementation Activities
          1. Fabrication, Assembly, Integration, and Test (FAIT)
          2. Preparing the Customer and Users
        5. Is the System Really Ready?
      3. ISSE and System Security Implementation
        1. Acquire the Security Components
          1. NIST Special Publication (SP) 800-23
          2. NSTISSP, Number 11
        2. Secure Integration Efforts
        3. Secure System Configuration
        4. Security Test and Evaluation
        5. Accept the Security of the System
        6. System Security Documentation
        7. Training for Secure Operations
      4. ISSE and Risk Management
      5. Final Deliverable of Phase 5
      6. Summary
      7. References
      8. Web Sites
    9. 7 ISSE Model Phase 6: Assess Security Effectiveness
      1. Introduction
      2. System Engineering Activity: System Assessment
        1. Benchmarking
        2. Baldrige Criteria for Performance Excellence
        3. ISO 9001 (2000)
        4. Six Sigma
        5. Software Engineering Institute Capability Maturity Models (SEI-CMM)
        6. Benchmarking, Baldrige, ISO 9001, Six Sigma, and CMM
      3. ISSE and System Security Assessment
        1. Information Protection Effectiveness Activities
        2. System Security Profiling
        3. Six Categories of Information Assurances
          1. 1. Processes (can be obtained by the way the system is built)
          2. 2. Properties (can be obtained by the way the system is built)
          3. 3. Analysis (can be obtained by an analysis of system descriptions for conformance to requirements and vulnerabilities)
          4. 4. Testing (can be obtained by testing the system itself to determine operating characteristics and to find vulnerabilities)
          5. 5. Guidance (can be obtained by the way the system is built)
          6. 6. Fielded Systems Evaluation (can be obtained by the operational experience and field evaluation of the system)
        4. NIST SP 800-55
        5. NIST SP 800-26
        6. NIST SP 800-42
      4. ISSE and Risk Management
      5. Final Deliverable of Phase 6
      6. Summary
      7. References
      8. Web Sites
  11. ISSE Domain 2: Certification and Accreditation
    1. Contributors and Reviewers
    2. 8 DITSCAP and NIACAP
      1. Introduction
      2. DITSCAP and NIACAP Overview
        1. DITSCAP Background
        2. NIACAP Background
      3. DITSCAP/NIACAP Definition
        1. Definitions
          1. Certification
          2. Accreditation
          3. Program Manager
          4. Designated Approving Authority (DAA)
          5. Security Manager
          6. Certification Agent (CA)
          7. User Representative
          8. System Security Authorization Agreement (SSAA)
      4. Phase 1: Definition
        1. Preparation Activity
        2. Registration Activity
          1. Registration Task 1: Prepare Business or Operational Functional Description and System Identification
          2. Registration Task 2: Inform the DAA, Certifier, and User Representative That the System Will Require C&A Support (Register the System)
          3. Registration Task 3: Prepare the Environment and Threat Description
          4. Registration Task 4: Prepare System Architecture Description and Describe the C&A Boundary
          5. Registration Task 5: Determine the System Security Requirements
        3. Security Requirements Traceability Matrix (RTM)
          1. Registration Task 6: Tailor the C&A Tasks, Determine the C&A Level of Effort, and Prepare a C&A Plan
          2. Registration Task 7: Identify Organizations That Will Be Involved in the C&A and Identify Resources Required
          3. Registration Task 8: Develop the Draft SSAA
        4. The Security System Authorization Agreement (SSAA)
        5. Negotiation Activity
          1. Negotiation Task 1: Conduct the Certification Requirements Review (CRR)
          2. Negotiation Task 2: Agree on the Security Requirements, Level of Effort, and Schedule
          3. Negotiation Task 3: Approve Final Phase 1 SSAA
      5. Phase 2: Verification
        1. SSAA Refinement Activity
        2. System Development and Integration Activity
        3. Initial Certification Analysis (ICA) Activity
          1. Initial Certification Analysis Task 1: System Architectural Analysis
          2. Initial Certification Analysis Task 2: Software, Hardware, and Firmware Design Analysis
          3. Initial Certification Analysis Task 3: Network Connection Rule Compliance Analysis
          4. Initial Certification Analysis Task 4: Integrity Analysis of Integrated Products
          5. Initial Certification Analysis Task 5: Life-Cycle Management Analysis
          6. Initial Certification Analysis Task 6: Security Requirements Validation Procedure Preparation
          7. Initial Certification Analysis Task 7: Vulnerability Assessment
        4. Analysis of the Certification Results Activity
      6. Phase 3: Validation
        1. SSAA Refinement Activity
        2. Certification Evaluation of the Integrated System Activity
          1. Certification Evaluation Task 1: Security Test and Evaluation (ST&E)
          2. Certification Evaluation Task 2: Penetration Testing
          3. Certification Evaluation Task 3: TEMPEST and RED-BLACK Verification
          4. Certification Evaluation Task 4: COMSEC Compliance Evaluation
          5. Certification Evaluation Task 5: System Management Analysis
          6. Certification Evaluation Task 6: Site Accreditation Survey
          7. Certification Evaluation Task 7: Contingency Plan Evaluation
          8. Certification Evaluation Task 8: Risk Management Review
        3. Recommendation to DAA Activity
        4. DAA Accreditation Decision Activity
      7. Phase 4: Post Accreditation
        1. System and Security Operation Activities
          1. System and Security Operation Task 1: SSAA Maintenance
          2. System and Security Operation Task 2: Physical, Personnel, and Management Control Review
          3. System and Security Operation Task 3: TEMPEST Evaluation
          4. System and Security Operation Task 4: COMSEC Compliance Evaluation
          5. System and Security Operation Task 5: Contingency Plan Maintenance
          6. System and Security Operation Task 6: Configuration Management
          7. System and Security Operation Task 7: System Security Management
          8. System and Security Operation Task 8: Risk Management Review
        2. Compliance Validation Activity
      8. Summary
    3. 9 C&A NIST SP 800-37
      1. Introduction
        1. Roles and Responsibilities
        2. Scope of C&A Activities
      2. The C&A Process
        1. System Development Life Cycle
      3. Phase 1: Initiation
        1. Preparation Activity
          1. Preparation Task 1: Information System Description
          2. Preparation Task 2: Security Categorization
          3. Preparation Task 3: Threat Identification
          4. Preparation Task 4: Vulnerability Identification
          5. Preparation Task 5: Security Control Identification
          6. Preparation Task 6: Initial Risk Determination
        2. Notification and Resource Identification Activity
          1. Notification Task 1: Notification
          2. Notification Task 2: Planning and Resources
        3. Security Plan Analysis, Update, and Acceptance Activity
          1. Security Plan Task 1: Security Categorization Review
          2. Security Plan Task 2: SSP Analysis
          3. Security Plan Task 3: SSP Update
          4. Security Plan Task 4: SSP Acceptance
      4. Phase 2: Security Certification
        1. Security Control Assessment Activity
          1. Security Control Assessment Task 1: Review Documentation and Supporting Materials
          2. Security Control Assessment Task 2: Develop Methods and Procedures
          3. Security Control Assessment Task 3: Conduct Security Assessment
          4. Security Control Assessment Task 4: Create Security Assessment Report
        2. Security Certification Documentation Activity
          1. Security Certification Document Task 1: Present Findings and Recommendations
          2. Security Certification Document Task 2: Update SSP
          3. Security Certification Document Task 3: Prepare Plan of Action and Milestones
          4. Security Certification Document Task 4: Assemble Accreditation Package
      5. Phase 3: Security Accreditation
        1. Security Accreditation Decision Activity
          1. Security Accreditation Decision Activity Task 1: Final Risk Determination
          2. Security Accreditation Decision Activity Task 1: Residual Risk Acceptability
        2. Security Accreditation Package Documentation Activity
          1. Security Accreditation Package Task 1: Security Accreditation Package Transmission
          2. Security Accreditation Package Task 2: SSP Update
      6. Phase 4: Continuous Monitoring
        1. Configuration Management and Control Activity
          1. Configuration Management Task 1: Documentation of Information System Changes
          2. Configuration Management Task 2: Security Impact Analysis
        2. Ongoing Security Control Verification Activity
          1. Ongoing Security Control Verification Task 1: Security Control Selection
          2. Ongoing Security Control Verification Task 2: Selected Security Control Assessment
        3. Status Reporting and Documentation Activity
          1. Status Reporting and Documentation Task 1: SSP Update
          2. Status Reporting and Documentation Task 2: Status Reporting
      7. Summary
      8. Domain 2 References
      9. Web Sites
      10. Acronyms
  12. ISSE Domain 3: Technical Management
    1. Contributors and Reviewers
    2. 10 Technical Management
      1. Introduction
        1. Elements of Technical Management
      2. Planning the Effort
        1. Starting Off
        2. Goals
        3. Plan the Effort
          1. Task 1: Estimate Project Scope
          2. Task 2: Identify Resources and Availability
          3. Task 3: Identify Roles and Responsibilities
          4. Task 4: Estimate Project Costs
          5. Task 5: Develop Project Schedule
          6. Task 6: Identify Technical Activities
          7. Task 7: Identify Deliverables
          8. Task 8: Define Management Interfaces
          9. Task 9: Prepare Technical Management Plan
          10. Task 10: Review Project Management Plan
          11. Task 11: Obtain Customer Agreement
      3. Managing the Effort
        1. Task 1: Direct Technical Effort
        2. Task 2: Track Project Resources
        3. Task 3: Track Technical Parameters
        4. Task 4: Monitor Progress of Technical Activities
        5. Task 5: Ensure Quality of Deliverables
        6. Task 6: Manage Configuration Elements
        7. Task 7: Review Project Performance
        8. Task 8: Report Project Status
      4. Technical Roles and Responsibilities
      5. Technical Documentation
        1. System Engineering Management Plan (SEMP)
        2. Quality Management Plan
          1. The Concept of Quality
          2. Quality Management Plan
          3. Quality Control
          4. Total Quality Management
          5. Quality Management
          6. Quality Management in a Project — ISO 10006
        3. Configuration Management Plan
          1. Reasons for Change
          2. Implementation of Changes
          3. Evolution of Change
          4. Configuration Management as a System
          5. CM Management and Planning
          6. Configuration Identification
          7. Configuration Control
          8. Change Initiation
          9. The Review Process
          10. Configuration Status and Accounting
          11. Configuration Verification and Audit
        4. Risk Management Plan
        5. Statement of Work (SOW)
          1. Format
        6. Work Breakdown Structure (WBS)
          1. WBS and the Systems Security Engineering Process
          2. Types of WBS
          3. Level Identification
          4. Selecting WBS Elements
          5. WBS Dictionary
          6. What a WBS Is Not
          7. Other Work Breakdown Structures
        7. Milestones
        8. Development of Project Schedules
        9. Preparation of Cost Projections
      6. Technical Management Tools
        1. Scheduling Tools
        2. The Gantt Chart
        3. The PERT Chart
          1. PERT Example
          2. Key Events and Activities
          3. Defining Logical Relationships
          4. Assigning Durations
          5. Analyzing the Paths
          6. Impact of Change
          7. Software Tools
      7. Summary
      8. References
      9. Web Sites
  13. ISSEP Domain 4: Introduction to United States Government Information Assurance Regulations
    1. Contributors and Reviewers
    2. 11 Information Assurance Organizations, Public Laws, and Public Policies
      1. Introduction
      2. Section 1: Federal Agencies and Organizations
        1. U.S. Congress
        2. White House
        3. Office of Management and Budget (OMB)
        4. Director of Central Intelligence/Director of National Intelligence
        5. National Security Agency (NSA)
          1. NSA Information Assurance Directorate (IAD)
        6. National Institute of Standards and Technology (NIST)
        7. Committee on National Security Systems (CNSS)
        8. National Information Assurance Partnership (NIAP)
      3. Section 2: Federal Laws, Executive Directives and Orders, and OMB Directives
        1. U.S. Congress: Federal Laws
          1. H.R.145 Public Law: 100-235 (01/08/1988)
          2. Chapter 35 of title 44, United States Code
          3. H.R. 2458-48, Chapter 35 of Title 44, United States Code TITLE III — Information Security §301 Information Security
          4. 10 USC 2315 Defense Program
          5. 5 USC § 552a, PL 93-579: The U.S. Federal Privacy Act of 1974
          6. Fraud and Related Activity in Connection with Computers
          7. 18 USC § 1030. P.L. 99-474: The Computer Fraud and Abuse Act of 1984, Amended in 1994 and 1996, Broadened in 2001
        2. Executive Orders
          1. Executive Order (EO) 13231: Critical Infrastructure Protection in the Information Age (October 18, 2001)
          2. Office of Management and Budget (OMB) Circulars and Memoranda
        3. Office of Management and Budget (OMB) Circular A-130
          1. History
          2. Circular No. A-130, Revised, Transmittal Memorandum No. 4 (November 2000)
          3. OMB M-99-18: Privacy Policies and Data Collection on Federal Web Sites (June 1999)
          4. OMB M-00-13: Privacy Policies and Data Collection on Federal Web Sites (June 2000)
          5. OMB M-00-07: Incorporating and Funding Security in Information Systems Investments (February 2000)
          6. OMB M-01-08: Guidance on Implementing the Government Information Security Reform Act (January 2001)
          7. OMB M-03-19: Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting (August 6, 2003)
        4. Director of Central Intelligence Directive DCID 6/3
      4. Summary
      5. References
      6. Web Sites
    3. 12 Department of Defense (DoD) Information Assurance Organizations and Policies
      1. Introduction
        1. Background Information
          1. Communities of Interest
          2. Metadata
          3. GIG Enterprise Services (GES)
        2. Net-Centric Data Strategy
      2. Overview of DoD Policies
      3. DoD Information Assurance (IA) Organizations and Departments
        1. Defensewide Information Assurance Program (DIAP)
        2. Defense Information Systems Agency (DISA)
        3. Defense Technical Information Center (DTIC®)
        4. National Security Agency (NSA) Information Assurance Directorate (IAD)
        5. Networks and Information Integration (NII)
        6. Information Assurance Support Environment (IASE)
        7. Defense Advanced Research Projects Agency (DARPA)
      4. DoD Issuances
        1. DoD 8500.1 Information Assurance (IA) (October 2002/November 2003)
        2. DoD 8500.2 Information Assurance Implementation (February 2003)
          1. Robustness Levels
        3. DoD IA Policies and DITSCAP
          1. DITSCAP Phases
        4. DoD 8510.1-M DITSCAP (July 2000)
        5. DoD 8510.xx DIACAP
      5. Summary
      6. References
      7. Web Sites
    4. 13 Committee on National Security Systems
      1. Introduction
      2. Overview of CNSS and NSTISSC
        1. National Communication Security Committee (NCSC)
      3. CNSS and NSTISSC Issuances
      4. CNSS Policies
        1. NSTISSP No. 6, National Policy on Certification and Accreditation of National Security Telecommunications and Information Systems (April 1994)
        2. NSTISSP No. 7, National Policy on Secure Electronic Messaging Service (February 1995)
        3. NSTISSP No. 11, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products (Revision June 2003)
        4. NSTISSP No. 101, National Policy on Securing Voice Communications (September 1999)
        5. NSTISSP No. 200, National Policy on Controlled Access Protection (July 1987)
        6. CNSS Policy No. 14, National Policy Governing the Release of Information Assurance Products and Services to Authorized U.S. Persons or Activities That Are Not a Part of the Federal Government (November 2002), Superseded NCSC-2 (1983)
        7. NCSC-5, National Policy on Use of Cryptomaterial by Activities Operating in High Risk Environments (U) (January 1981)
      5. CNSS Directive
        1. NSTISSD-500, Information Systems Security (INFOSEC) Education, Training, and Awareness (February 1993)
      6. CNSS Instructions
        1. NSTISSI No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP) (April 2000)
        2. NSTISSI No. 4009, National Information System Security (INFOSEC) Glossary (Revised May 2003)
        3. CNSS (NSTISSI) Training Standards
        4. NSTISSI No. 4011, National Training Standard for INFOSEC Professionals (June 1994)
        5. CNSSI No. 4012 (June 2004), National Information Assurance Training Standard for Senior System Managers, Supersedes NSTISSI No. 4012, National Training Standard for Designated Approving Authority (DAA) (August 1997)
        6. CNSSI No. 4013 (March 2004), National Information Assurance Training Standard for System Administrators Supersedes NSTISSI No. 4013 National Training Standard for System Administrators (August 1997)
        7. CNSSI No. 4014 (April 2004), National Information Assurance Training Standard for Information Systems Security Officers (ISSO), Supersedes NSTISSI No. 4014, National Training Requirements for Information System Security Officers (August 1997)
        8. NSTISSI No. 4015, National Training Standard for System Certifiers (December 2000)
        9. NSTISSI No. 7003, Protected Distribution Systems (December 1996)
        10. NACSI-6002, Protection of Government Contractor Telecommunications (June 1984)
      7. CNSS Advisory Memoranda
        1. NSTISSAM COMPUSEC 1-98, The Role of Firewalls and Guards in Enclave Boundary Protection (December 1998)
        2. NSTISSAM COMPUSEC 1-99, Advisory Memorandum on the Transition from Trusted Computer System Evaluation Criteria to Evaluation Criteria (TCSEC) to the International Common Criteria (CC) for Information Security Technology Evaluation (March 1999)
        3. NSTISSAM INFOSEC/1-00, Advisory Memorandum for the Use of FIPS 140 Validated Cryptographic Modules in Protecting Unclassified National Security Systems (February 2000)
        4. NSTISSAM INFOSEC 2-00, Advisory Memorandum for the Strategy for Using National Information Assurance Partnership (NIAP) for the Evaluation of Commercial Off-the-Shelf (COTS) Security Enabled Information Technology Products (February 2000)
        5. CNSSAM 1-04, Advisory Memorandum for Information Assurance (IA) — Security through Product Diversity (July 2004)
      8. Summary
      9. References
      10. Web Sites
    5. 14 National Institute of Standards and Technology (NIST) Publications
      1. Introduction
      2. Federal Information Processing Standards (FIPS)
        1. FIPS 46-3, Data Encryption Standard (DES) (Reaffirmed October 1999)
          1. DES Background Information
        2. FIPS 81, DES Mode of Operation (December 1980)
          1. Electronic Codebook (ECB) Mode
          2. Cipher Block Chaining (CBC) Mode
          3. Cipher Feedback (CFB) Mode
          4. Output Feedback (OFB) Mode
        3. FIPS 102, Guidelines for Computer Security Certification and Accreditation (September 1983)
        4. FIPS 140-2, Security Requirements for Cryptographic Modules (May 2001; Supersedes FIPS 140-1, January 1994)
        5. The DES Challenge
        6. FIPS 197, Advanced Encryption Standard (AES) (November 2001)
        7. FIPS 197 and CNSS Policy No. 15
      3. NIST Special Publications
        1. NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook (October 1995)
        2. NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems (September 1996)
        3. NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems (December 1998)
          1. Developing an SSP
        4. NIST SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication (October 2000)
        5. NIST SP 800-27 Rev. A, Engineering Principles for Information Technology Security: A Baseline for Achieving Security, Revision A (June 2004)
        6. NIST SP 800-30, Risk Management Guide for Information Technology Systems (January 2002)
          1. Overview of Risk Management
          2. Risk Assessment
          3. Risk Mitigation
          4. Evaluation and Assessment
        7. NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems (September 2002)
      4. Summary
      5. References
      6. Web Sites
    6. 15 National Information Assurance Partnership (NIAP) and Common Criteria (CC)
      1. Introduction
      2. Note to ISSEP: You are expected to know Common Criteria. Historical View of IT Security Evaluations
        1. Trusted Computer System Evaluation Criteria
        2. The Trusted Network Interpretation (TNI)
        3. Information Technology Security Evaluation Criteria (ITSEC)
        4. Canadian Trusted Computer Product Evaluation Criteria (CTCPEC)
      3. National Information Assurance Partnership (NIAP)
      4. The Common Criteria
        1. CC Part 1: Introduction and General Model
          1. Protection Profile (PP)
          2. Security Target (ST)
          3. Target of Evaluation (TOE)
          4. Evaluation
          5. Evaluation Assurance Level (EAL)
          6. Security Environment
          7. Security Objectives
          8. Security Requirements
          9. TOE Summary Specification
          10. TOE Implementation
          11. Protection Profile and Security Target Contents
          12. Protection Profile Contents
          13. Security Target Contents
        2. CC Part 2: Security Functional Requirements
        3. CC Part 3: Security Assurance Requirements
        4. Protection Profile (PP) and Security Target (ST) Evaluation Criteria
        5. Assurance Classes, Families, and Components
        6. Assurance Maintenance Class
        7. Evaluation Assurance Levels
      5. CC Scenario
        1. Phase 1: Mission/Business Need
        2. Phase 2: Identify Security Requirements
        3. Phase 3: Identify Security Architecture
        4. Phase 4: Develop Detailed Security Design
        5. Phase 5: Implement System Security
        6. Phase 6: Assess Security Effectiveness
      6. Summary
      7. References
      8. Web Sites
  14. Appendix A: Linking ISSE Phases to SE Phases
  15. Appendix B: Enterprise Architecture
  16. Appendix C: Combining NIST SP 800-55 and SP 800-26
  17. Appendix D: Common Criteria Security Assurance Requirements
  18. Appendix E: ISSEP Sample Questions
  19. Index

Product information

  • Title: Official (ISC)2® Guide to the CISSP®-ISSEP® CBK®
  • Author(s): Susan Hansche
  • Release date: September 2005
  • Publisher(s): Auerbach Publications
  • ISBN: 9781135483081