OFFICIAL (ISC)² GUIDE TO THE CISSP®-ISSEP® CBK®
AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
E-mail:
OTHER INFORMATION SECURITY BOOKS FROM AUERBACH
Asset Protection and Security Management Handbook. POA Publishing. ISBN: 0-8493-1603-0
Building a Global Information Assurance Program. Raymond J. Curts and Douglas E. Campbell. ISBN: 0-8493-1368-6
Building an Information Security Awareness Program. Mark B. Desman. ISBN: 0-8493-0116-5
Critical Incident Management. Alan B. Sterneckert. ISBN: 0-8493-0010-X
Cyber Crime Investigator's Field Guide, Second Edition. Bruce Middleton. ISBN: 0-8493-2768-7
Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. Albert J. Marcella, Jr. and Robert S. Greenfield. ISBN: 0-8493-0955-7
The Ethical Hack: A Framework for Business Value Penetration Testing. James S. Tiller. ISBN: 0-8493-1609-X
The Hacker's Handbook: The Strategy Behind Breaking into and Defending Networks. Susan Young and Dave Aitel. ISBN: 0-8493-0888-7
Information Security Architecture: An Integrated Approach to Security in the Organization. Jan Killmeyer Tudor. ISBN: 0-8493-9988-2
Information Security Fundamentals. Thomas R. Peltier. ISBN: 0-8493-1957-9
Information Security Management Handbook, 5th Edition. Harold F. Tipton and Micki Krause. ISBN: 0-8493-1997-8
Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. Thomas R. Peltier. ISBN: 0-8493-1137-3
Information Security Risk Analysis. Thomas R. Peltier. ISBN: 0-8493-0880-1
Information Technology Control and Audit, Second Edition. Fredrick Gallegos, Daniel Manson, Sandra Allen-Senft, and Carol Gonzales. ISBN: 0-8493-2032-1
Investigator's Guide to Steganography. Gregory Kipper. ISBN: 0-8493-2433-5
Managing a Network Vulnerability Assessment. Thomas Peltier, Justin Peltier, and John A. Blackley. ISBN: 0-8493-1270-1
Network Perimeter Security: Building Defense In-Depth. Cliff Riggs. ISBN: 0-8493-1628-6
The Practical Guide to HIPAA Privacy and Security Compliance. Kevin Beaver and Rebecca Herold. ISBN: 0-8493-1953-6
A Practical Guide to Security Engineering and Information Assurance. Debra S. Herrmann. ISBN: 0-8493-1163-2
The Privacy Papers: Managing Technology, Consumer, Employee and Legislative Actions. Rebecca Herold. ISBN: 0-8493-1248-5
Public Key Infrastructure: Building Trusted Applications and Web Services. John R. Vacca. ISBN: 0-8493-0822-4
Securing and Controlling Cisco Routers. Peter T. Davis. ISBN: 0-8493-1290-6
Strategic Information Security. John Wylder. ISBN: 0-8493-2041-0
Surviving Security: How to Integrate People, Process, and Technology, Second Edition. Amanda Andress. ISBN: 0-8493-2042-9
A Technical Guide to IPSec Virtual Private Networks. James S. Tiller. ISBN: 0-8493-0876-3
Using the Common Criteria for IT Security Evaluation. Debra S. Herrmann. ISBN: 0-8493-1404-6

Susan Hansche, CISSP-ISSEP
OFFICIAL (ISC)² GUIDE TO THE CISSP®-ISSEP® CBK®
Boca Raton  New York
(ISC)², CISSP, ISSEP, and CBK are registered trademarks of the International Information Systems Security Certification Consortium.
Published in 2006 by
Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2006 by Taylor & Francis Group, LLC
Auerbach is an imprint of Taylor & Francis Group
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
International Standard Book Number-10: 0-8493-2341-X (Hardcover)
International Standard Book Number-13: 978-0-8493-2341-6 (Hardcover)
Library of Congress Card Number 2005041144
This book contains information obtained from authentic and highly regarded sources. Reprinted material is
quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts
have been made to publish reliable data and information, but the author and the publisher cannot assume
responsibility for the validity of all materials or for the consequences of their use.
No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic,
mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and
recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only
for identification and explanation without intent to infringe.
Library of Congress Cataloging-in-Publication Data
Hansche, Susan.
Official (ISC)2 guide to the CISSP-ISSEP CBK / Susan Hansche.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-2341-X (alk. paper)
1. Electronic data processing personnel--Certification. 2. Computer security--Examinations--Study guides. I. Title: Official ISC squared guide. II. Title.
QA76.3.H364 2005
005.8--dc22 2005041144
Visit the Taylor & Francis Web site at

and the Auerbach Publications Web site at


Taylor & Francis Group
is the Academic Division of T&F Informa plc.

This book is dedicated to my late father, Sam Hansche, who
encouraged me to do my best and gave me confidence
to believe in myself, and my mother, Sandra Montgomery,
who showers me with love and support.
Table of Contents

Preface xxv
About the Author xxix

ISSE Domain 1: Information Systems Security Engineering (ISSE)

Overview 1
Contributors and Reviewers 4

1 ISSE Introduction 7

Introduction 7
SE and ISSE Overview 8
IEEE 1220 Overview 15
The ISSE Model 17
Basic SE and ISSE Principles 21
Principle 1: Always keep the problem and the solution spaces separate 23
Principle 2: The problem space is defined by the customer’s mission or business needs 23
Principle 3: The systems engineer and information systems security engineer define the solution space driven by the problem space 25
Life Cycle and ISSE 27
NIST SP 800-27, Rev. A: Engineering Principles 28
Risk Management 29
Defense in Depth 34
People 35
Technology 35
Operations 36
Defense in Multiple Places 38
Layered Defenses 39
Security Robustness 40
Deploy KMI/PKI 40
Deploy Intrusion Detection Systems 40
Summary 41
References 42

2 ISSE Model Phase 1: Discover Information Protection Needs 45

Introduction 45
Systems Engineering Activity: Discover Needs 48

ISSE Activity: Discover Information Protection Needs 49
Task 1: Define the Customer’s Mission/Business Needs 50
Task 2: Define the Information Management 53
From Mission Needs to Information Management Needs 53
Creating an Information Management Model (IMM) 54
Step 1: Identify Processes 56
Step 2: Identify the Information Being Processed 56
FIPS 199 56
NIST SP 800-60 62
NIST SP 800-59 66
DoD Mission Assurance Categories (MACs) 67
Information Domains 68
Step 3: Identify the Users of the Information and the Process 72
Task 3: Define the Information Protection Policy (IPP) 73
Conducting the Threat Analysis and Developing the Information Protection Policy 73
Potential Harmful Events (PHEs) 75
Harm to Information (HTI) 84
Identifying Security Services and Developing the Information Protection Policy 89
Security Services 90
Access Control 90
Confidentiality 91
Integrity 91
Availability 92
Non-Repudiation 93
Security Management 93
Additional Security Controls 95
Creating the Information Protection Policy (IPP) 98
Creating the IPP Document 99

Introduction 99
General Policies 100
Establish Roles and Responsibilities 100
Identify Decision Makers 100
Define Certification and Accreditation (C&A) Team Members and Procedures 100
Identify Information Domains and Information Management 101
Identify Security Service Requirements 101
Signatures 102
The Information Management Plan (IMP) 102
Final Deliverable of Step 1 103
Summary 103
References 104

3 ISSE Model Phase 2: Define System Security Requirements 107

Introduction 107
System Engineering Activity: Defining System Requirements 113
Defining the System Context 114
IEEE 1220: 5.1.1.1 System Concept 115

Define System Requirements 117
Define Customer Expectations (Task 6.1.1) 120
Define Constraints (Tasks 6.1.2 and 6.1.3) 120
Define Operational Scenarios (Task 6.1.4) 122
Define Measures of Effectiveness (MOEs) (Task 6.1.5) 122
Define System Boundaries (Task 6.1.6) 122
Define Interfaces (Task 6.1.7) 123
Define Utilization Environments (Task 6.1.8) 123
Define Life-Cycle Process Concepts (Task 6.1.9) 123
Define Functional Requirements (Task 6.1.10) 125
Define Performance Requirements (Task 6.1.11) 125
Define Modes of Operations (Task 6.1.12) 126
Define Technical Performance Measures (Task 6.1.13) 126
Define Design Characteristics (Task 6.1.14) 126
Define Human Factors (Task 6.1.15) 126
Establish Requirements Baseline (Task 6.1.16) 126
Define Design Constraints 127
The Preliminary System Concept of Operations (CONOPS) 128
ISSE Activity: Defining System Security Requirements 129
Define the System Security Context 129
Define System Security Requirements 131
Define the Preliminary System Security CONOPS 132
Final Deliverable of Step 2 134
Summary 134
References 136

4 ISSE Model Phase 3: Define System Security Architecture 139


Introduction 139
Defining System and Security Architecture 142
Defining System Architecture 142
Defining System Security Architecture 144
Guidelines for Designing System Architectures from DoDAF and FEAF 144
DoD Architectural Framework 145
Federal Enterprise Architecture Framework (FEAF) 150
System Engineering Activity: Designing System Architecture 152
Perform Functional Analysis and Allocation 153
Functional Analysis 153
Functional Hierarchy Diagram 155
Functional Flow Block Diagrams 156
Timeline Analysis Diagram 158
Functional Allocation 159
Identifying and Allocating Components 159
Describe the Relationship Between the CIs 159
Trace Functions and Components to Requirements 161
ISSE Activity: Define the Security Architecture 163
Design System Security Architecture 166
IATF Information Infrastructure 168
Security Functional Analysis and Allocation 173
Identify Security Components, Controls, or Technologies 175
Additional Security Controls 177
Requirements Traceability and the RTM 181
Interface Identification and Security Architecture 187
Trade-Off Analysis 189
ISSE and Risk Management 192
DoD Goal Security Architecture Example 194
CN Security Allocation 197
LSE Security Service Allocations 197
End System and Relay System Security Service Allocations 197
Security Management Security Service Allocations 199
Transfer System Security Service Allocations 200

Physical and Administrative Environment Security Service Allocations 201
Final Deliverable of Designing System and Security Architectures 204
Summary 204
References 205

5 ISSE Model Phase 4: Develop Detailed Security Design 209

Introduction 209
Systems Engineering Activity: System Design 211
Trade-Off Analysis 214
System Synthesis (Design) 216
System Specifications 216
IEEE Systems Engineering Process: Design Phase 219
System Definition Level 219
Preliminary System Design 221
Detailed System Design 224
Fabrication, Assembly, Integration, and Test (FAIT) Stage 225
Production and Customer Support Stages 225
Component Reliability 226
Prototyping 227
System Design Review 228
System Engineering Management Plan (SEMP) 229
ISSE Activity: System Security Design 229
Conducting the Security Trade-Off Analysis 231
Security Synthesis 232

ISSE Design Phases 234
Preliminary Security Design Phase 234
Detailed Security Design Phase 235
Allocating Security Mechanisms 236
Identifying COTS/GOTS/Custom Security Products 236
Identifying Security Mechanism Interfaces 237
Developing Specifications: Common Criteria Profiles 238
Life-Cycle Security Approach and the System Security Design Document 242
Configuration Management and the Life-Cycle Security Approach 243
Software Design 244
Security Design Validation 247
Prototyping for the ISSE Process 251
ISSE Design and Risk Management 255
Final Deliverables of Step 4 255
Summary 256
References 258
Web Sites 259
Software Design and Development Bibliography 259
6 ISSE Model Phase 5: Implement System Security 263
Introduction 263
System Engineering Activity: System Implementation 265
Constructing the System 268
Creating the Acquisition Plan 268
Developing the Installation Plan 272
Constructing Programs 273
Conducting Unit Testing 273
Establishing the Construction Environment 274
Establishing Development Baselines 275
Developing the Transition Plan 275

Generating Operating Documents 286
Developing a Training Program Plan 278
Integration and Testing Phase 278
Conduct Integration Testing 280
Conduct System Testing 280
Initiate Acceptance Process 282
Conduct Acceptance Test Team Training 283
Develop Maintenance Plan 283
System Delivery 284
IEEE 1220 Perspective on System Implementation Activities 285
Fabrication, Assembly, Integration, and Test (FAIT) 285
Preparing the Customer and Users 287
Is the System Really Ready? 288
ISSE and System Security Implementation 288
Acquire the Security Components 290
NIST Special Publication (SP) 800-23 292
NSTISSP, Number 11 292
Secure Integration Efforts 296
Secure System Configuration 298
Security Test and Evaluation 299
Accept the Security of the System 302

System Security Documentation 303
Training for Secure Operations 304
ISSE and Risk Management 305
Final Deliverable of Phase 5 305
Summary 305
References 307
Web Sites 308
7 ISSE Model Phase 6: Assess Security Effectiveness 309
Introduction 309
System Engineering Activity: System Assessment 311
Benchmarking 312
Baldrige Criteria for Performance Excellence 314
ISO 9001 (2000) 316
Six Sigma 321
Software Engineering Institute Capability Maturity Models (SEI-CMM) 323
Benchmarking, Baldrige, ISO 9001, Six Sigma, and CMM 326
ISSE and System Security Assessment 327
Information Protection Effectiveness Activities 327
System Security Profiling 329
Six Categories of Information Assurances 331
1. Processes (can be obtained by the way the system is built) 331
2. Properties (can be obtained by the way the system is built) 332
3. Analysis (can be obtained by an analysis of system descriptions for conformance to requirements and vulnerabilities) 333
4. Testing (can be obtained by testing the system itself to determine operating characteristics and to find vulnerabilities) 333
5. Guidance (can be obtained by the way the system is built) 333
6. Fielded Systems Evaluation (can be obtained by the operational experience and field evaluation of the system) 333

NIST SP 800-55 334
NIST SP 800-26 338
NIST SP 800-42 340
ISSE and Risk Management 348
Final Deliverable of Phase 6 349
Summary 349
References 351
Web Sites 353
ISSE Domain 2: Certification and Accreditation
Contributors and Reviewers 356
8 DITSCAP and NIACAP 357
Introduction 357
DITSCAP and NIACAP Overview 359
DITSCAP Background 359
NIACAP Background 360
DITSCAP/NIACAP Definition 360
Definitions 362
Certification 362
Accreditation 362
Program Manager 362
Designated Approving Authority (DAA) 362
Security Manager 363
Certification Agent (CA) 363
User Representative 363
System Security Authorization Agreement (SSAA) 363
Phase 1: Definition 364
Preparation Activity 377
Registration Activity 377

Registration Task 1: Prepare Business or Operational Functional Description and System Identification 368
Registration Task 2: Inform the DAA, Certifier, and User Representative That the System Will Require C&A Support (Register the System) 370
Registration Task 3: Prepare the Environment and Threat Description 374
Registration Task 4: Prepare System Architecture Description and Describe the C&A Boundary 374
Registration Task 5: Determine the System Security Requirements 375
Security Requirements Traceability Matrix (RTM) 376
Registration Task 6: Tailor the C&A Tasks, Determine the C&A Level of Effort, and Prepare a C&A Plan 377
Registration Task 7: Identify Organizations That Will Be Involved in the C&A and Identify Resources Required 382
Registration Task 8: Develop the Draft SSAA 383
The Security System Authorization Agreement (SSAA) 383
Negotiation Activity 386
Negotiation Task 1: Conduct the Certification Requirements Review (CRR) 387
Negotiation Task 2: Agree on the Security Requirements, Level of Effort, and Schedule 387
Negotiation Task 3: Approve Final Phase 1 SSAA 387
Phase 2: Verification 388
SSAA Refinement Activity 389
System Development and Integration Activity 390
Initial Certification Analysis (ICA) Activity 390
Initial Certification Analysis Task 1: System Architectural Analysis 391
Initial Certification Analysis Task 2: Software, Hardware, and Firmware Design Analysis 391
Initial Certification Analysis Task 3: Network Connection Rule Compliance Analysis 392
Initial Certification Analysis Task 4: Integrity Analysis of Integrated Products 392
Initial Certification Analysis Task 5: Life-Cycle Management Analysis 392
Initial Certification Analysis Task 6: Security Requirements Validation Procedure Preparation 393
Initial Certification Analysis Task 7: Vulnerability Assessment 394
Analysis of the Certification Results Activity 396
Phase 3: Validation 397
SSAA Refinement Activity 398
Certification Evaluation of the Integrated System Activity 398
Certification Evaluation Task 1: Security Test and Evaluation (ST&E) 399
Certification Evaluation Task 2: Penetration Testing 400
Certification Evaluation Task 3: TEMPEST and RED-BLACK Verification 400
Certification Evaluation Task 4: COMSEC Compliance Evaluation 401
Certification Evaluation Task 5: System Management Analysis 401

Certification Evaluation Task 6: Site Accreditation Survey 402
Certification Evaluation Task 7: Contingency Plan Evaluation 402
Certification Evaluation Task 8: Risk Management Review 402
Recommendation to DAA Activity 403
DAA Accreditation Decision Activity 403
Phase 4: Post Accreditation 405
System and Security Operation Activities 405
System and Security Operation Task 1: SSAA Maintenance 407
System and Security Operation Task 2: Physical, Personnel, and Management Control Review 407
System and Security Operation Task 3: TEMPEST Evaluation 407
System and Security Operation Task 4: COMSEC Compliance Evaluation 408
System and Security Operation Task 5: Contingency Plan Maintenance 408
System and Security Operation Task 6: Configuration Management 408
System and Security Operation Task 7: System Security Management 409
System and Security Operation Task 8: Risk Management Review 409
Compliance Validation Activity 409
Summary 410
9 C&A NIST SP 800-37 415
Introduction 415
Roles and Responsibilities 418
Scope of C&A Activities 419
The C&A Process 421
System Development Life Cycle 423

Phase 1: Initiation 425
Preparation Activity 425
Preparation Task 1: Information System Description 427
Preparation Task 2: Security Categorization 427
Preparation Task 3: Threat Identification 427
Preparation Task 4: Vulnerability Identification 427
Preparation Task 5: Security Control Identification 427
Preparation Task 6: Initial Risk Determination 427
Notification and Resource Identification Activity 428
Notification Task 1: Notification 428
Notification Task 2: Planning and Resources 428
Security Plan Analysis, Update, and Acceptance Activity 428
Security Plan Task 1: Security Categorization Review 429
Security Plan Task 2: SSP Analysis 429
Security Plan Task 3: SSP Update 429
Security Plan Task 4: SSP Acceptance 429
Phase 2: Security Certification 430
Security Control Assessment Activity 431
Security Control Assessment Task 1: Review Documentation and Supporting Materials 431
Security Control Assessment Task 2: Develop Methods and Procedures 431
Security Control Assessment Task 3: Conduct Security Assessment 432
Security Control Assessment Task 4: Create Security Assessment Report 432
Security Certification Documentation Activity 432
Security Certification Document Task 1: Present Findings and Recommendations 432
Security Certification Document Task 2: Update SSP 432
Security Certification Document Task 3: Prepare Plan of Action and Milestones 432
Security Certification Document Task 4: Assemble Accreditation Package 433
Phase 3: Security Accreditation 434
Security Accreditation Decision Activity 436
Security Accreditation Decision Activity Task 1: Final Risk Determination 436
Security Accreditation Decision Activity Task 1: Residual Risk Acceptability 436
Security Accreditation Package Documentation Activity 436
Security Accreditation Package Task 1: Security Accreditation Package Transmission 437
Security Accreditation Package Task 2: SSP Update 437
Phase 4: Continuous Monitoring 438
Configuration Management and Control Activity 438
Configuration Management Task 1: Documentation of Information System Changes 440
Configuration Management Task 2: Security Impact Analysis 440
Ongoing Security Control Verification Activity 440
Ongoing Security Control Verification Task 1: Security Control Selection 440
Ongoing Security Control Verification Task 2: Selected Security Control Assessment 440
Status Reporting and Documentation Activity 440
Status Reporting and Documentation Task 1: SSP Update 441
Status Reporting and Documentation Task 2: Status Reporting 441
Summary 441
Domain 2 References 442
Web Sites 443
Acronyms 443
ISSE Domain 3: Technical Management
Contributors and Reviewers 447
10 Technical Management 449
Introduction 449
Elements of Technical Management 451
Planning the Effort 453
Starting Off 453
Goals 454
Plan the Effort 456
Task 1: Estimate Project Scope 456
Task 2: Identify Resources and Availability 457
Task 3: Identify Roles and Responsibilities 457
Task 4: Estimate Project Costs 458
Task 5: Develop Project Schedule 458
Task 6: Identify Technical Activities 458
Task 7: Identify Deliverables 458
Task 8: Define Management Interfaces 458
Task 9: Prepare Technical Management Plan 459

Task 10: Review Project Management Plan 460
Task 11: Obtain Customer Agreement 460
Managing the Effort 461
Task 1: Direct Technical Effort 461
Task 2: Track Project Resources 462
Task 3: Track Technical Parameters 462
Task 4: Monitor Progress of Technical Activities 462
Task 5: Ensure Quality of Deliverables 463
Task 6: Manage Configuration Elements 463
Task 7: Review Project Performance 463
Task 8: Report Project Status 464
Technical Roles and Responsibilities 464
Technical Documentation 468
System Engineering Management Plan (SEMP) 469
Quality Management Plan 474
The Concept of Quality 474
Quality Management Plan 476
Quality Control 476
Total Quality Management 478
Quality Management 478
Quality Management in a Project — ISO 10006 479
Configuration Management Plan 484
Reasons for Change 487
Implementation of Changes 487
Evolution of Change 488
Configuration Management as a System 489
CM Management and Planning 489
Configuration Identification 492
Configuration Control 494
Change Initiation 495

The Review Process 497
Configuration Status and Accounting 497
Configuration Verification and Audit 500
Risk Management Plan 501
Statement of Work (SOW) 503
Format 505
Work Breakdown Structure (WBS) 507
WBS and the Systems Security Engineering Process 508
Types of WBS 510
Level Identification 510
Selecting WBS Elements 511
WBS Dictionary 512
What a WBS Is Not 512
Other Work Breakdown Structures 514
Milestones 514
Development of Project Schedules 514
Preparation of Cost Projections 515
Technical Management Tools 516
Scheduling Tools 517
The Gantt Chart 517
The PERT Chart 519

PERT Example 519
Key Events and Activities 520
Defining Logical Relationships 521
Assigning Durations 521
Analyzing the Paths 528
Impact of Change 529
Software Tools 529
Summary 530
References 531
Web Sites 533
ISSEP Domain 4: Introduction to United States Government Information Assurance Regulations
Contributors and Reviewers 536
11 Information Assurance Organizations, Public Laws, and Public Policies 537
Introduction 537
Section 1: Federal Agencies and Organizations 538
U.S. Congress 539
White House 539
Office of Management and Budget (OMB) 540
Director of Central Intelligence/Director of National Intelligence 540
National Security Agency (NSA) 541
NSA Information Assurance Directorate (IAD) 541
National Institute of Standards and Technology (NIST) 542
Committee on National Security Systems (CNSS) 543
National Information Assurance Partnership (NIAP) 543
Section 2: Federal Laws, Executive Directives and Orders, and OMB Directives 543
U.S. Congress: Federal Laws 543
H.R.145 Public Law: 100-235 (01/08/1988) 544
Chapter 35 of title 44, United States Code 544
H.R. 2458-48, Chapter 35 of Title 44, United States Code TITLE III — Information Security §301 Information Security 546
10 USC 2315 Defense Program 548
5 USC § 552a, PL 93-579: The U.S. Federal Privacy Act of 1974 549
Fraud and Related Activity in Connection with Computers 550
18 USC § 1030. P.L. 99-474: The Computer Fraud and Abuse Act of 1984, Amended in 1994 and 1996, Broadened in 2001 551
Executive Orders 552
Executive Order (EO) 13231: Critical Infrastructure Protection in the Information Age (October 18, 2001) 552
Office of Management and Budget (OMB) Circulars and Memoranda 553
Office of Management and Budget (OMB) Circular A-130 553
History 554
Circular No. A-130, Revised, Transmittal Memorandum No. 4 (November 2000) 558
OMB M-99-18: Privacy Policies and Data Collection on Federal Web Sites (June 1999) 560
OMB M-00-13: Privacy Policies and Data Collection on Federal Web Sites (June 2000) 560
OMB M-00-07: Incorporating and Funding Security in Information Systems Investments (February 2000) 561
OMB M-01-08: Guidance on Implementing the Government Information Security Reform Act (January 2001) 563
OMB M-03-19: Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting (August 6, 2003) 564

Director of Central Intelligence Directive DCID 6/3 565
Summary 566
References 567
Web Sites 568
12 Department of Defense (DoD) Information Assurance Organizations and Policies 571
Introduction 571
Background Information 572
Communities of Interest 575
Metadata 575
GIG Enterprise Services (GES) 576
Net-Centric Data Strategy 576
Overview of DoD Policies 577
DoD Information Assurance (IA) Organizations and Departments 580
Defensewide Information Assurance Program (DIAP) 580
Defense Information Systems Agency (DISA) 580
Defense Technical Information Center (DTIC®) 581
National Security Agency (NSA) Information Assurance Directorate (IAD) 582
Networks and Information Integration (NII) 582
Information Assurance Support Environment (IASE) 583
Defense Advanced Research Projects Agency (DARPA) 583
DoD Issuances 594
DoD 8500.1 Information Assurance (IA) (October 2002/November 2003) 585
DoD 8500.2 Information Assurance Implementation (February 2003) 589
Robustness Levels 590
DoD IA Policies and DITSCAP 592
DITSCAP Phases 594
DoD 8510.1-M DITSCAP (July 2000) 594
DoD 8510.xx DIACAP 595
Summary 595
References 596
Web Sites 596
13 Committee on National Security Systems 597
Introduction 597
Overview of CNSS and NSTISSC 599
National Communication Security Committee (NCSC) 601
CNSS and NSTISSC Issuances 601
CNSS Policies 601
NSTISSP No. 6, National Policy on Certification and Accreditation of National Security Telecommunications and Information Systems (April 1994) 602
NSTISSP No. 7, National Policy on Secure Electronic Messaging Service (February 1995) 602
NSTISSP No. 11, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products (Revision June 2003) 603
NSTISSP No. 101, National Policy on Securing Voice Communications (September 1999) 605
NSTISSP No. 200, National Policy on Controlled Access Protection (July 1987) 605
CNSS Policy No. 14, National Policy Governing the Release of Information Assurance Products and Services to Authorized U.S. Persons or Activities That Are Not a Part of the Federal Government (November 2002), Superseded NCSC-2 (1983) 606
NCSC-5, National Policy on Use of Cryptomaterial by Activities Operating in High Risk Environments (U) (January 1981) 608
CNSS Directive 608
NSTISSD-500, Information Systems Security (INFOSEC) Education, Training, and Awareness (February 1993) 608
CNSS Instructions 609
NSTISSI No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP) (April 2000) 610
NSTISSI No. 4009, National Information System Security (INFOSEC) Glossary (Revised May 2003) 610
CNSS (NSTISSI) Training Standards 610
NSTISSI No. 4011, National Training Standard for INFOSEC Professionals (June 1994) 611
CNSSI No. 4012 (June 2004), National Information Assurance Training Standard for Senior System Managers, Supersedes NSTISSI No. 4012, National Training Standard for Designated Approving Authority (DAA) (August 1997) 612
CNSSI No. 4013 (March 2004), National Information Assurance Training Standard for System Administrators Supersedes NSTISSI No. 4013 National Training Standard for System Administrators (August 1997) 616
CNSSI No. 4014 (April 2004), National Information Assurance Training Standard for Information Systems Security Officers (ISSO), Supersedes NSTISSI No. 4014, National Training Requirements for Information System Security Officers (August 1997) 617
NSTISSI No. 4015, National Training Standard for System Certifiers (December 2000) 618
NSTISSI No. 7003, Protected Distribution Systems (December 1996) 622
NACSI-6002, Protection of Government Contractor Telecommunications (June 1984) 623
CNSS Advisory Memoranda 624
NSTISSAM COMPUSEC 1-98, The Role of Firewalls and Guards in Enclave Boundary Protection (December 1998) 624
NSTISSAM COMPUSEC 1-99, Advisory Memorandum on the Transition from Trusted Computer System Evaluation Criteria to Evaluation Criteria (TCSEC) to the International Common Criteria (CC) for Information Security Technology Evaluation (March 1999) 627
NSTISSAM INFOSEC/1-00, Advisory Memorandum for the Use of FIPS 140 Validated Cryptographic Modules in Protecting Unclassified National Security Systems (February 2000) 627
NSTISSAM INFOSEC 2-00, Advisory Memorandum for the Strategy for Using National Information Assurance Partnership (NIAP) for the Evaluation of Commercial Off-the-Shelf (COTS) Security Enabled Information Technology Products (February 2000) 628
CNSSAM 1-04, Advisory Memorandum for Information Assurance (IA) — Security through Product Diversity (July 2004) 629
Summary 630
References 630
Web Sites 633
14 National Institute of Standards and Technology (NIST) Publications 635
Introduction 635

Federal Information Processing Standards (FIPS) 641
FIPS 46-3, Data Encryption Standard (DES) (Reaffirmed October 1999) 643
DES Background Information 645
FIPS 81, DES Mode of Operation (December 1980) 647
Electronic Codebook (ECB) Mode 648
Cipher Block Chaining (CBC) Mode 650
Cipher Feedback (CFB) Mode 651
Output Feedback (OFB) Mode 652
FIPS 102, Guidelines for Computer Security Certification and Accreditation (September 1983) 652
FIPS 140-2, Security Requirement for Cryptographic Modules (May 2001; Supersedes FIPS 140-1, January 1994) 662
The DES Challenge 662
FIPS 197, Advance Encryption Standard (AES) (November 2001) 664
FIPS 197 and CNSS Policy No. 15 665
NIST Special Publications 666
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook (October 1995) 666
NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems (September 1996) 669
NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems (December 1998) 673
Developing an SSP 674
NIST SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication (October 2000) 679
NIST SP 800-27 Rev. A, Engineering Principles for Information Technology Security: A Baseline for Achieving Security, Revision A (June 2004) 680
NIST SP 800-30, Risk Management Guide for Information Technology Systems (January 2002) 685
Overview of Risk Management 686
Risk Assessment 688
Risk Mitigation 700
Evaluation and Assessment 705
NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems (September 2002) 706
Summary 710
References 712
Web Sites 714
15 National Information Assurance Partnership (NIAP) and Common Criteria (CC) 715
Introduction 715
Note to ISSEP: You are expected to know Common Criteria.
Historical View of IT Security Evaluations 717
Trusted Computer System Evaluation Criteria 718
The Trusted Network Interpretation (TNI) 721
Information Technology Security Evaluation Criteria (ITSEC) 722
Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) 724
National Information Assurance Partnership (NIAP) 725
The Common Criteria 726
CC Part 1: Introduction and General Model 729
Protection Profile (PP) 729
Security Target (ST) 729
Target of Evaluation (TOE) 730
Evaluation 730
Evaluation Assurance Level (EAL) 730
Security Environment 733
Security Objectives 735
Security Requirements 735
TOE Summary Specification 737
TOE Implementation 737
Protection Profile and Security Target Contents 737
Protection Profile Contents 737
Security Target Contents 739
CC Part 2: Security Functional Requirements 740
CC Part 3: Security Assurance Requirements 741
Protection Profile (PP) and Security Target (ST) Evaluation Criteria 745
Assurance Classes, Families, and Components 745
Assurance Maintenance Class 748
Evaluation Assurance Levels 749
CC Scenario 756
Phase 1: Mission/Business Need 756
Phase 2: Identify Security Requirements 756
Phase 3: Identify Security Architecture 757
Phase 4: Develop Detailed Security Design 757
Phase 5: Implement System Security 758
Phase 6: Assess Security Effectiveness 758
Summary 758

References 759
Web Sites 761
Appendix A: Linking ISSE Phases to SE Phases 763
Appendix B: Enterprise Architecture 777
Appendix C: Combining NIST SP 800-55 and SP 800-26 781
Appendix D: Common Criteria Security Assurance Requirements 787
Appendix E: ISSEP Sample Questions 805
Index 947