42 Cards in this Set

  • Front
  • Back
Appendix III to OMB Circular No. A-130 (Clinger-Cohen Act) aka:
Appendix III to OMB Circular No. A-130 (Clinger-Cohen Act) aka "Security of Federal Automated Information Resources"

The purpose of Appendix III to OMB Circular No. A-130 (Clinger-Cohen Act) is to

Purpose:
• establish a minimum set of controls to be included in Federal automated information security programs;
• assign Federal agency responsibilities for the security of automated information; and
• link agency automated information security programs and agency management control systems
((1) minimum, (2) responsibility, (3) link)
Application means
Application means the use of information resources (information and information technology) to satisfy a specific set of user requirements
General Support System or system means
General Support System or system means an interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people
Major Application means
Major Application means an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.
• Asset –
• Asset – People, property, and information. An asset is what we're trying to protect.
• Threat –
• Threat – Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. A threat is what we're trying to protect against.
• Vulnerability –
• Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. A vulnerability is a weakness or gap in our protection efforts.
• Likelihood –
• Likelihood – The probability that a potential vulnerability may be exploited within the construct of the associated threat environment. Determined by analyzing the threats to an information system in conjunction with the potential vulnerabilities and the controls in place.
• Risk –
• Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. Risk is the intersection of assets, threats, and vulnerabilities.
• Risk Formula:
• Risk Formula: R = A × T × V (Asset, Threat, Vulnerability). Read it as an intersection, not a sum: if any one factor is absent (no asset of value, no threat able to act, or no vulnerability the threat can exploit) the risk is little or none, which a product expresses and a sum does not.
______ is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little/no risk. Similarly, you can have a vulnerability, but if you have no threat, then you have little/no risk.
Risk
• Impact –
• Impact – The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, or destruction of information, or the loss of information or system availability.
Adequate Security means
Adequate Security means security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information.
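To make the intersection rule concrete (a threat with nothing to exploit, or a vulnerability with no threat behind it, contributes no risk), here is an added worked example in Python; it is not part of the original card set. It builds a toy risk register that only creates an entry where an asset, a threat able to exploit a weakness, and that weakness on that asset all coincide, and scores each entry as likelihood × impact. The assets, threats, vulnerabilities, the 1..5 scales and the likelihood combination rule are all constructed assumptions for illustration.

```python
"""Risk as the intersection of assets, threats and vulnerabilities.

Added illustration, not from the original flashcard set. Every name, value and
scale below is a constructed assumption: a 1..5 ordinal scale for impact,
exposure and threat capability, and a simple averaging rule for likelihood.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, Iterable, List

LOW, MODERATE, HIGH = 1, 3, 5   # assumed ordinal scale (SP 800-30 style)


@dataclass(frozen=True)
class Asset:
    name: str
    value: int              # magnitude of harm if lost or misused (1..5) = impact


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str              # the asset this weakness is present on
    exposure: int           # ease of exploitation with current controls (1..5)


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: FrozenSet[str]   # names of the vulnerabilities it can exploit
    capability: int            # 1..5


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        # Multiplicative, not additive: a zero factor means no risk.
        return self.likelihood * self.impact


def likelihood(threat: Threat, vuln: Vulnerability) -> int:
    """Assumed rule: average of threat capability and vulnerability exposure, capped at HIGH."""
    return min(HIGH, round((threat.capability + vuln.exposure) / 2))


def risk_register(assets: Iterable[Asset], threats: Iterable[Threat],
                  vulns: Iterable[Vulnerability]) -> List[Risk]:
    """One Risk per (asset, threat, vulnerability) triple that actually intersects.

    A threat with no exploitable vulnerability, or a vulnerability on an asset we
    do not hold, yields nothing: the 'no vulnerability / no threat -> no risk' rule.
    """
    by_asset: Dict[str, Asset] = {a.name: a for a in assets}
    register: List[Risk] = []
    for threat, vuln in product(threats, vulns):
        if vuln.name not in threat.exploits:   # threat cannot use this weakness
            continue
        asset = by_asset.get(vuln.asset)
        if asset is None:                      # weakness on nothing we are protecting
            continue
        register.append(Risk(asset.name, threat.name, vuln.name,
                             likelihood(threat, vuln), asset.value))
    return sorted(register, key=lambda r: r.score, reverse=True)


# Constructed sample inputs (not real systems).
ASSETS = [Asset("payroll-db", HIGH), Asset("public-website", LOW)]
VULNS = [
    Vulnerability("unpatched-sqli", "payroll-db", HIGH),
    Vulnerability("weak-tls-config", "public-website", MODERATE),
    Vulnerability("open-guest-wifi", "visitor-kiosk", HIGH),   # asset not in scope
]
THREATS = [
    Threat("external-attacker", frozenset({"unpatched-sqli", "weak-tls-config"}), HIGH),
    Threat("solar-flare", frozenset(), HIGH),                  # real threat, nothing to exploit
]

if __name__ == "__main__":
    for r in risk_register(ASSETS, THREATS, VULNS):
        print(f"{r.score:>3}  {r.asset:<15} {r.threat:<18} via {r.vulnerability}")
```

Running it lists two entries (the SQL injection on the payroll database scores 25, the weak TLS configuration on the public website scores 4) and nothing for the solar flare or the guest Wi-Fi weakness: the first has no vulnerability it can exploit, the second sits on an asset outside the register, so neither is a risk to this system even though each is a genuine threat or weakness on its own.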
• Confidentiality –
• Confidentiality – prevents the disclosure of information to unauthorized individuals or systems. Loss of confidentiality is the unauthorized disclosure of information.
• Integrity –
• Integrity – prevents the unauthorized modification or destruction of information. Loss of integrity is the unauthorized modification of information.
• Availability –
• Availability – ensures timely and reliable access to and use of information. Loss of availability is the disruption of access to or use of information or an information system.
____ levels of impact should there be a breach of security (a loss of C.I.A.)
3 levels of impact should there be a breach of security (a loss of C.I.A.): Low, Moderate, High
• Low –
• Low – event has a limited adverse effect on organizational operations, assets, or individuals (Minor). Minor harm to individuals.
• Moderate –
• Moderate – event has a serious adverse effect on organizational operations, assets, or individuals (Significant). No loss of life or serious life-threatening injuries.
• High –
• High – event has a severe or catastrophic adverse effect on organizational operations, assets, or individuals (Major). Loss of life or serious life-threatening injuries.
Security controls:
Security controls: Safeguards or countermeasures to avoid, counteract or minimize security risks.
Security Controls are classified by time of occurrence, relative to a security incident:
Security Controls are classified by time of occurrence, relative to a security incident:
1. Before the event – Preventive controls are intended to prevent an incident from occurring, e.g. by locking out unauthorized intruders
2. During the event – Detective controls are intended to identify and characterize an incident in progress, e.g. by sounding an alarm and alerting the security guards or police
3. After the event – Corrective controls are intended to limit the extent of any damage caused by the incident, e.g. by recovering the organization to normal working status as efficiently as possible
Other Controls: 1. Deterrent controls: 2. Compensating controls:
Other Controls:
1. Deterrent controls are controls that discourage security violations. For instance, the presence of security cameras might deter an employee from stealing equipment.
2. Compensating controls are intended to reduce the risk of an existing or potential control weakness, or to stand in place of a missing control. Used frequently in real-world situations.
Data Classification is
Data Classification is the process of assigning a level of sensitivity to data as it is being created, amended, enhanced, stored, or transmitted.
In data classification, the ________ determines the extent to which the data needs to be controlled/secured and is also indicative of its value in terms of Business Assets. Typical sensitivity levels include: Top Secret; Secret (Highly Confidential); Confidential (Proprietary); Internal Use Only; Public
The sensitivity level determines the extent to which the data needs to be controlled/secured and is also indicative of its value in terms of Business Assets. Typical sensitivity levels include: Top Secret; Secret (Highly Confidential); Confidential (Proprietary); Internal Use Only; Public
What is the System Development Lifecycle (SDLC)?
A typical SDLC includes 5 phases (per NIST SP 800-64: Initiation; Development/Acquisition; Implementation/Assessment; Operations and Maintenance; Disposal), each with a minimum set of security tasks needed to effectively incorporate security in the system development process.
A typical SDLC includes ______ phases
A typical SDLC includes 5 phases (Initiation; Development/Acquisition; Implementation/Assessment; Operations and Maintenance; Disposal), each with a minimum set of security tasks needed to effectively incorporate security in the system development process.
What are the benefits of Integrating Security into the SDLC?
• Early identification and mitigation of issues and security vulnerabilities
• Lower cost of control implementation
• Maximize security program ROI
• Awareness of potential challenges
• Mandatory security requirements
• Identification of common and inherited items
• Shared security services
• Reuse of security strategies and tools
• Facilitation of executive decision making
• Comprehensive, timely risk management

NIST Risk Management Framework (NIST SP 800-37 rev 1). RMF-Based Characteristics · Promotes:
RMF-Based Characteristics · Promotes:
• Near real-time risk management and ongoing authorization using robust continuous monitoring processes
• Use of automated support tools for decision making
• Integrates security with Enterprise Architecture and the SDLC
• Provides equal emphasis on all phases of the RMF
• Links risk management to all organization levels
• Establishes Responsibility and Accountability

What are the benefits of the Tiers of Risk Management?
• Multi-tier Organization-Wide Risk Management
• Implemented by the Risk Executive Function
• Tightly coupled to Enterprise Architecture and Information Security Architecture
• System Development Lifecycle Focus
• Disciplined and Structured Process
• Flexible and Agile Implementation

Risk management is a holistic activity that is fully integrated into
(A) part of the organization
(B) every aspect of the organization
(B) Risk management is a holistic activity that is fully integrated into every aspect of the organization
Tier 1
Tier 1 • Addresses risk from the organizational perspective. • Develops a comprehensive governance structure and enterprise-wide risk management strategy
Tier 2
Tier 2 • Addresses risk from a mission and business process perspective. • It is guided by the risk management related decisions taken at Tier 1.
Tier 3
Tier 3 • Addresses risk from an information system perspective. • It is guided by the risk management decisions taken at Tier 2. • Defines system-specific, hybrid, or common controls
NIST Risk Management Framework: NIST RMF Steps include (only list the 1st 3 steps):
• Step 1 – Categorize Information System: Categorize the system and identify security objectives
• Step 2 – Select Security Controls: Select a baseline of security controls based on the Security Categorization; tailor and supplement the control baseline based on a risk assessment
• Step 3 – Implement Security Controls: Implement and describe how the controls are used within the system
NIST Risk Management Framework: what are steps 4 through 6 of the NIST RMF Steps?
• Step 4 – Assess Security Controls: Assess the controls to determine the extent to which they are implemented correctly, operating as intended and producing the desired outcome
• Step 5 – Authorize Information System: Authorize the system based on the determination of acceptable risk to the organization
• Step 6 – Monitor Security Controls: Continuously monitor system controls, assessing effectiveness, documenting changes, and reporting the security posture to officials
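Steps 1 and 2 turn on a rule the cards do not spell out: under FIPS 199 a system's impact level for each security objective is the highest level among the information types it handles, and under FIPS 200 the overall system level is the highest of the three objectives (the high-water mark), which is what selects the SP 800-53 baseline that Step 2 then tailors. Here is an added worked example in Python, not from the original card set, that carries a constructed payroll system from categorization to baseline selection; the system name, its information types and their provisional impact levels are assumptions for illustration (SP 800-60 supplies real provisional levels).

```python
"""FIPS 199 security categorization and SP 800-53 baseline selection (RMF Steps 1-2).

Added example, not from the original flashcard set. The system name, its
information types and their provisional impact levels are constructed for
illustration.
"""
from typing import Dict, Iterable

LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")
RANK = {level: i for i, level in enumerate(LEVELS)}

InfoType = Dict[str, str]   # objective -> "LOW" | "MODERATE" | "HIGH"


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact level in a non-empty collection of LOW/MODERATE/HIGH values."""
    levels = list(levels)
    if not levels:
        raise ValueError("need at least one impact level")
    unknown = [lvl for lvl in levels if lvl not in RANK]
    if unknown:
        raise ValueError(f"unknown impact level(s): {unknown}")
    return max(levels, key=RANK.__getitem__)


def categorize_system(info_types: Dict[str, InfoType]) -> Dict[str, str]:
    """Per-objective impact for the whole system: the maximum over all information
    types it processes, stores or transmits (FIPS 199 aggregation rule)."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {obj: high_water_mark(it[obj] for it in info_types.values())
            for obj in OBJECTIVES}


def overall_impact(sc: Dict[str, str]) -> str:
    """System impact level is the high-water mark across the three objectives (FIPS 200)."""
    return high_water_mark(sc[obj] for obj in OBJECTIVES)


def select_baseline(sc: Dict[str, str]) -> str:
    """RMF Step 2 starting point: the SP 800-53 baseline matching the overall level,
    before tailoring and supplementing from the risk assessment."""
    return f"SP 800-53 {overall_impact(sc)}-impact baseline"


def sc_notation(system_name: str, sc: Dict[str, str]) -> str:
    """Render in FIPS 199 notation: SC <system> = {(confidentiality, X), ...}."""
    body = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{body}}}"


# Constructed sample: a payroll system handling two information types.
PAYROLL_INFO_TYPES: Dict[str, InfoType] = {
    "employee PII":         {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "payment disbursement": {"confidentiality": "LOW",      "integrity": "HIGH",     "availability": "MODERATE"},
}

if __name__ == "__main__":
    sc = categorize_system(PAYROLL_INFO_TYPES)
    print(sc_notation("payroll system", sc))
    print("overall impact:", overall_impact(sc), "->", select_baseline(sc))
```

For the sample the per-objective result is SC payroll system = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}, and the single HIGH for integrity pulls the whole system to the high-impact baseline. That is the practical consequence of the high-water mark worth remembering at Step 2: one information type with a high level for one objective drives the baseline for the entire system, and the only relief is the tailoring and supplementing that follows, not a lower categorization.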