1
Q
Assessment Object
A
AIMS
- Activity
- Individual
- Mechanism
- Specification
2
Q
Assessment Objective Methods
A
TIE
- Test
- Interview
- Examine
3
Q
Assessment Objective Security Control Classes
A
MOT
- Management
- Operations
- Technical
4
Q
An Information System containing what cannot have an confidentiality impact level below moderate?
A
- Privacy Information
- Trade Secrets
5
Q
6 Steps of the Tailoring Guidance
A
- Identifying and Designating Common Controls
- Applying Scoping Considerations
- Selecting Compensating Controls
- Assigning Security Control Parameter Values
- Supplementing Baseline Security Controls
- Providing Additional Specification Information for Implementation
6
Q
Tiered Roles
A
Tier 1:
- Organization (Governance)
- Head/CEO, CIO, SISO, RE
Tier 1/2:
- CCP, ISO, SCA
Tier 2:
- Mission/Business Process (Information Flow)
- AO, AODR
Tier 3:
- Information System (Environment of Operations)
- ISO, IO, ISSO, ISSE
7
Q
Organizational Risk Frame
determines Risk Assessment Model
A
- Risk Assumptions
- Risk Constraints
- Priorities and Tradeoffs
- Risk Tolerance
- Uncertainty
8
Q
NIST 800-60 Process
A
- Step 1: Identify Information Type
- Step 2: Select Provisional Impact Level
- Step 3: Review Provisional Impact Level and Adjust/Finalize Provisional Impact Level
- Step 4: Assign System Security Category
- Leads to Security Categorization and Security Control Selection
Low = Minor/Limited Moderate = Serious High = Severe/Catastrophic
9
Q
Risk Assessment Methodology
determined by Organizational Risk Frame
A
- Risk Assessment Process
- Risk Model
- Assessment Approach
- Analysis Approach
10
Q
Risk Management Process; what is it, where is it from?
A
- NIST SP 800-39
- Frame
- Assess
- Respond
- Monitor
11
Q
Risk Assessment Process; what is it, where is it from?
A
- NIST SP 800-39
- Prepare
- Conduct
- Communicating
- Maintaining
12
Q
What are the criteria for a National Security System? Where is it from?
A
- NIST SP 800-59
- Intelligence Activities
- Cryptographic Information
- Command and Control of Military Forces
- Weapon/ Weapon System
- Military or Intelligence Missions
- Processes Classified Information
13
Q
What is the standard wording for an effective control?
A
Implemented correctly, operating as intended and producing the desired outcome
14
Q
Risk = ?
A
Likelihood x Impact
Threat and Vulnerability feed into Likelihood and Impact
Threat Source - initiates - Threat Event - exploits - Vulnerability - causing - Adverse Impact - producing - Organizational Risk
15
Q
Enterprise Architechture
A
People
Process
Technology
16
Q
Architecture Description Inputs
A
- Architecture Reference Models
- Segment and Solution Architectures
- Mission and Business Processes
- Information System Boundaries
17
Q
Organization Inputs
A
- Laws, Directives, Policy Guidance
- Strategic Goals and Objectives
- Priorities and Resource Availability
- Supply Chain Considerations
18
Q
CIO
A
- Will use words like “ensure a program does…”
- Primarily administrative
- Makes sure the ISCM program exists
- Ensures resources are available to support
- High level
- Inherently government function
19
Q
SCA
A
- Will use words like “assessment” a lot
- Updates the SSP and SAR
- Submits the SAP for approval
- Has to be an engineer (technically competent)
20
Q
SISO
A
- Responsible for developing and implementing the ISCM program
- Looks at initial monitoring strategy put together by the ISO and CCP
- Tracks and analyzes POAMs
21
Q
CCP
A
- Only really involved a lot if some common controls need updating/remediation
22
Q
RE
A
- Oversees strategy and program
- Matrix position
- Collaborates and shares news with everyone
- Uses words like: Shared, Communicated, Collaborated
- Inherently government position
23
Q
AO
A
- Ensures security posture of the program is acceptable
- Makes authorization decisions
24
Q
ISO
A
- Does the grunt work
- Ensures operational impacts are being done
- Conducts assessments
- Reports back to AO/SCA
- Updates documentation
- Only one who registers anything
25
ISSO
- Assists the ISO
26
Safeguards v Countermeasures
Safeguards are designed into a system to prevent risk
Countermeasures are reactive and added after the risk assessment
27
RTO
Recovery Time Objective
Amount of time a system is allowable to be down; no impacts
28
MTD
Maximum Tolerable Downtime
Maximum amount of time a system can be down
29
RPO
Recovery Point Objective
Point to which you want to be able to restore to
30
Boxes and Knowledge
- Basic (Black Box) - Zero Knowledge
- Focused (Grey Box) - Partial Knowledge
- Comprehensive (White Box) - Full Knowledge, Explicit and substantial
31
Forms of Authorization
- Single Authorization
- Traditional
- One AO
- Joint Authorization
- Multiple AOs (maybe different services)
- Have to agree on everything
- Leveraged Authorization
- Use an existing ATO and create your own ATO
- Have to be willing to accept the risk or make changes (when able if it's not your system)
- ie: Cross service
32
Cleaning v. Purging
Cleaning is erasing, but data can be recovered using forensic capabilities (overwriting)
Purging is erasing, but the data cannot be recovered using forensic capabilities (degaussing)
Purging: Rendering sanitized data unrecoverable by laboratory attack methods
33
Continuous Monitoring Process
```
Define/Monitor
Establish
Implement
Analyze
Respond
Review
```
34
Risk Assessment and Risk Determination, in order
Threats
Vulnerabilities
Probability
Impact
35
Types of Assessment Approaches
Quantitative
Qualitative
Semi-Quantitative
36
Information Type
A specific category of information, defined by an organization or a specific law
37
Subsystems in a service-oriented architecture (SOA) or net-centric architecture are registered in RMF Task 1-3 by:
- Establishing a separate registration process
- As a subset of systems or registered separately as a dynamic subsystem
- Proper identification during system categorization
38
What is an Overlay?
A specification that may be more or less stringent than the original criteria for security controls, control enhancements, supplemental guidance and other supporting information employed during the tailoring process, and is intended to complement (and further refine) security control baselines.
39
What is Baseline Security?
The minimum security controls required for safeguarding an information technology system based on its identified impact levels for confidentiality, integrity and availability.
40
What types of security are the two fundamental components that affect the trustworthiness of information systems?
Functionality-related (does it work?)
Assurance-related (can I prove it?)
(cited in NIST SP 800-53)
41
What is a PIA?
Privacy Impact Assessment
Established by the E-Government Act of 2002
- Ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy
- Determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic IS
- Examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks
42
Configuration Management has the following benefits:
- Reliance
- Quality Control
- Risk Control
43
What is a hybrid control?
A control determined partly by the organization and partly system-specific
44
Contingency Planning Process (per NIST 800-34)
1. Develop the contingency planning statement
2. Conduct the Business Impact Analysis (BIA)
3. Identify preventative controls
4. Create contingency strategies
5. Develop an information system contingency plan
6. Ensure plan test, training and exercise
7. Ensure plan maintenance
45
Backup/Recovery Strategy for each Impact Level
Low
- Back up: Tape backup
- Strategy: Relocate or Cold site
Moderate
- Backup: Optical backup, WAN/LAN replication
- Strategy: Cold or Warm site
High
- Backup: Mirrored systems and disc replication
- Strategy: Hot site
46
Partial assessments can be performed and are reusable if:
the assessor is deemed to be independent and technically competent. Additionally, the security control must be under configuration or version management.
47
Logical flow for conducting security control assessments?
Assessment procedures, assessment objectives and assessment objects, all of which are evaluated using assessment methods
48
RMF Step 4 primary documents
- NIST 800-37
- NIST 800- 53A
- NIST 800- 115
49
Security control assessments provide:
- Evidence about the effectiveness of security controls
- Information about the strengths and weaknesses of IS which are supporting organizational and business functions
- An indication of the quality of the risk management process employed within the organization
50
What documents form the Security Authorization Package?
- SSP for the system to be authorized
- SAR for the system to be authorized
- POAMs for the system to be authorized
- Same documents for all common control systems that are used to mitigate risks
51
Sanitization
Process to remove information from media such that information recovery is not possible. Includes removing all labels, markings and activity logs.
52
The security control analysis results and recommended changes are contained in the:
Security Assessment Report (SAR)
53
The structure for POAMs is determined by:
The Office of Management and Budget (OMB)
54
The pillars of continuous monitoring are:
- Ongoing authorization
| - Near real-time risk management
55
Continuous Monitoring Strategy ensures that:
1. Items on the POAM receive adequate oversight
2. Controls with greater volatility or importance are assessed more frequently
3. Control implementations that have changed since the last assessment are reevaluated
56
Primary reference documents for RMF Step 6?
NIST SP 800-37
| NIST SP 800-53A
57
Before a rescission letter, the AO consults with:
SISO and RE
58
Per NIST 800-55, performance management criteria translate into KPI using what evaluation criteria?
- Measures of effectiveness
- Measures of efficiency
- Impact measures
59
Compliance Management is:
A collection of processes employed to ensure that an agency conforms to the legal, policy and associated regulatory mandates that apply to a system
60
Adequate security
Security commensurate with the risk and magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of information
61
Baseline security
The minimum security controls required for safeguarding an information technology system based on its identified impact levels for Confidentiality, Integrity and Availability
62
System of Records Notice
An official notice of an organization's system(s) of records, as required by the Privacy Act of 1974 that identifies:
- the purpose for the system of records
- the individuals covered by information in the system of records
- the categories of records maintained about individuals
- the ways in which the information is shared
63
Information System
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of information
64
Threat Source
The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability
65
Threat Scenario
A set of discrete threat events, associated with a specific threat source or multiple threat sources, partially ordered in time
66
Threat Event
An event or situation that has the potential for causing undesirable consequences or impact
67
NIST 800-37 Steps
1. Categorize the IS
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize the IS
6. Monitor Security Controls
68
Organizational Risk Management Strategy includes
- SORN
- Strategic Goals and Objectives
- Organizational Culture and Infrastructure
- Investment Strategies?
69
Risk Response options:
Risk Acceptance
Risk Avoidance
Risk Transfer/Sharing
Risk Mitigation
Combination of above
70
Interconnecting system phases
From NIST SP 800-47
Plan
Establish
Maintain
Disconnect
71
Incident Response Phases
- Prepare
- Detect and Analyze
- Containment, Eradication and Recovery
- Post-Incidence Activity
72
Security Configuration Management Process
- Planning
- Identifying and Implementing Configurations
- Controlling Configuration Changes
- Monitor
73
Inherently government roles
- CIO
- RE
- SISO
- AO/DR
- IO/Steward
- CEO (no primary roles)
74
Depth means ?
| Coverage means ?
```
Depth = Rigor
Coverage = Scope
```
75
Risk assessment incorporates
threat and vulnerability analysis and considers mitigations
76
NIST 800-60 Exceptions/Key Statements
- Aggregation
- Privacy and Trade Secrets require minimum Moderate Confidentiality impact value
- PIA must exist before developing systems with PII
- The system categorization process, including determination of impact values, is reused during development of a BIA
- System categorization contributes and provides inputs into capital planning and investments processes
- Info sharing and system interconnection agreements should use aggregated and individual security categorization when assessing interconnection agreements
- Specific guidance is provided related to critical infrastructure programs (CIP) and the relationship to Homeland Security Presidential Directive 7
77
Defense-in-Depth
| Defense-in-Breadth
Defense-in-Depth:
Strategy to establish visible barriers across multiple layers and dimensions
Defense-in-Breadth:
Set of activities that seeks to identify, manage and reduce risk of exploitable vulnerabilities at every stage of the system
CAP
flashcards
Decks in class (4)
# Cards
