Information Protection (IP) Operations study1

Question 1

ACP 122(F)

Answer 1

ACP 122 (F) COMMUNICATIONS INSTRUCTIONS (SECURITY)

Question 2

AFH31-602

Answer 2

Industrial Security Program

1.2. Purpose. This instruction implement Executive Order 12829, National Industrial Security Program, DOD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM), and DOD 5220.22-R, Industrial Security Regulation (ISR) and AFPD 31-6, Industrial Security.

***It assigns functional responsibilities and establishes a system of review that identifies outdated, inappropriate and unnecessary contractual security requirements. It outlines and provides guidance for establishing on-base integrated contractor visitor groups.

Question 3

AFI33-115

Answer 3

1. Purpose. This instruction defines AF IT Service Management and assigns responsibilities for the configuration, provisioning, maintenance, and management of AFIN using an IT Service Management (ITSM) framework to further integrate capabilities and maintain configuration control of AF networks and data servers. This instruction serves as the single reference for AF IT Service Management policy and applies to all personnel who manage, configure, operate, maintain, defend, or extend any portion of the AFIN or provide support within the AF for the DoDIN and the Joint Information Environment (JIE). 1.1. Procedural guidance supporting this AFI is contained in Methods and Procedures Technical Orders (MPTOs) directing standard processes for management, standardization, and maintenance of AF IT Services applicable to all AF personnel, see paragraph 7.3. 1.2. Cyberspace operational orders as defined in AFI 10-1701 (e.g., AF Cyber Tasking Orders, Cyber Control Orders, AF Time Compliance Network Orders) shall take precedence over information contained in this AFI and supporting MPTOs if there is a conflict.

Question 4

AFI33-200

Answer 4

Information Assurance (IA) Management

Question 5

AFI33-230

Answer 5

Information Assurance Assessmentand Assistance Program

Question 6

AFI33-332

Answer 6

Information Management

Question 7

Certification and Accreditation

Answer 7

A process for implementing information security. A systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system in in operation.

Question 8

What AFI is the Air Force Certification and Accreditation program defined in?

Answer 8

AFI 33-210

Question 9

A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Answer 9

Certification

Question 10

The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals based on the implementation of an agreed-upon set of security controls.

Answer 10

Accreditation

Question 11

Another factor of the cert and accreditation process which we must consider. Ensures continuity of operations as changes are validated, approved, and implemented on the Air Force Networks.

Answer 11

Change Management

Question 12

The process of verifying an identity that is bound to the person that asserts it.

Answer 12

Identification and Authentication

Question 13

The validation of a claimed identity.

Answer 13

Authentication

Question 14

Knowledge-Based, Possession-Based, Biometric-Based, Location-Based, Multi-Factor Authentication

Answer 14

Authenticators

Question 15

Require the user to provide a pre-established piece or several pieces of information in order to authenticate the presented identity.

Based on the on the concept that the user is the only one who knows what the information system expects and therefore is the person identified.

Examples: passwords, PINs

Answer 15

Knowledge-Based Authenticator

Question 16

Require the user to have physical possession of a specific item (called a token). The user presents the token or performs some action that could only be done if the user had physical possession of their token.

Token contains contains info physically, magnetifcally, or electrically.

Examples: Manual Keys, Challenge-Response Generators, Smart Cards (CAC)

Answer 16

Possession-Based Authenticator

Question 17

Relies on a unique physical characteristic to verify the identity of a user. Common identifiers include fingerprints, written signatures, voice patterns, typing patterns, retinal/iris scans, and hand geometry.

Tend to cost more that knowledge or possession based authenticators.

Answer 17

Biometric-Based Authenticator

Question 18

Relies on a physical location of the user to verify their identity. The auth succeeds if the location is a known area you are in, or where you live.

Examples include GPS on phones and credit cards.

Vulnerability in this method is when people who know you well, or researched you start to use your information

Answer 18

Location-Based Authenticator

Question 19

The combination of two or more of the authenticators used to increase Identification and Authentication to a system or network.

Answer 19

Multi-Factor Authentication

Question 20

The uses of prescribed safeguards and controls to prevent reconstruction of the magnetic image/data that would disclose sensitive information to persons who do not have the proper clearance or need to know for this information.

Answer 20

Remanence Security

Question 21

The magnetic image/data that is still left on recordable magnetic media (i.e. floppy disk, tape, hard drive, etc.) after it is erased, overwritten or degaussed (cleared) using an electromagnetic device to null or clear the magnetic pattern/image on the media.

Answer 21

Magnetic Remanence

Question 22

Procedures for sanitizing magnetic media must be developed in accordance with this technical order.

Answer 22

TO 00-35B-5008, Remanence Security for Information systems.

Question 23

Who must develop procedures for clearing, sanitizing and destroying media properly to practice remanence security?

Answer 23

Client System Technicians (CST), operators, and users.