Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
76 Cards in this Set
- Front
- Back
|
Categorized and Document the information system |
Categorization must consider organization wide activities, including enterprise architecture |
|
|
Categorized and Document the information system
|
System owner may decompose the system in to multiple subsystems, the may include categorizing each identified subsystem (including dynamic subsystems) |
|
|
Categorized and Document the information system
|
Separate categorization of each subsystem does not change the overall categorization of the system
|
|
|
Categorized and Document the information system
|
Document security categorization information in the system identification in the SSP
|
|
|
Categorized and Document the information system
|
Risk Executive (function) provides advice and relevant information to AO
|
|
|
Describe the System
|
Level of detail is determined by the organization
|
|
|
Describe the System
|
Information can be added as it becomes available during the SDLC
|
|
|
Describe the System
|
Descriptive information about the information system is documented in the system identification section of the security plan
|
|
|
Describe the System
|
System Description may include Unique system number, ISO, AO, owning ORG, location, version number, purpose, function and capabilities, mission/business processes supported how the information system is integrated into the enterprise architecture and information security architecture, SDLC status.
|
|
|
Describe the System (title)
|
Describe the information system to include the system boundary and document the description in the SSP
|
|
|
Categorized and Document the information system (title)
|
Categorize the information system and document the results of the security categorization in the security plan.
|
|
|
Register the Information System (title) |
Register the system with the appropriate organizational program/management offices
|
|
|
Register the Information System
|
The registration process begins by identifying the information system (and subsystems, if appropriate) in the system inventory and establishes a relationship between the information system and the parent or governing organization that owns, manages, and/or controls the system.
|
|
|
Register the Information System
|
Dynamic subsystems may not be present throughout all phases of the SDLC and must be registered either as a subset or a defined stemming.
|
|
|
Register the Information System
|
Provides effective Management/tracking tool that supports status reporting required by laws.
|
|
|
Common Controls Identification (Title)
|
Common controls are identified
Identify the security controls that are provided by the organization as common controls for organizational information systems and document the controls in a security plan (or equivalent document). |
|
|
Common Controls Identification
|
If Common Controls are not sufficient, System Owners supplement them with System Specific or hybrid controls
|
|
|
Common Controls Identification
|
ISO help Identify
|
|
|
Common Controls Identification
|
CCP’s may double as ISO if the common control reside within an information system
|
|
|
Common Controls Identification
|
Common controls are security controls that are inherited by one or more organizational information systems.
|
|
|
Common Controls Identification
|
System Owners can either document common controls or make reference to the SSP of the CCPs
|
|
|
Common Controls Identification
|
Common control identification may be deferred until a later phase in the SDLC
|
|
|
Common Controls Identification
|
CCP’s are responsible for documenting common controls
|
|
|
Common Controls Identification
|
Documentation will be made available to system owners who inherits the controls
|
|
|
Common Controls Identification
|
CCP’s must keep security documentation current
|
|
|
Common Controls Identification
|
AO will use documentation for common controls to make RBDs in the authorization process |
|
|
Common Controls Identification
|
CCP’s must be able to communicate rapidly changes
|
|
|
Security Controls Selection (title)
|
Select the security controls for the information system and document the controls in the security plan.
|
|
|
Security Controls Selection
|
The security controls are selected based on the security categorization of the information system.
|
|
|
Security Controls Selection
|
Process begins by choosing a set of baseline controls
|
|
|
Security Controls Selection
|
Controls are tailored by applying scoping, parameterization and compensating control guidance
|
|
|
Security Controls Selection
|
Followed by supplementing the tailored with additional controls or enhancements
|
|
|
Security Controls Selection
|
Final requirement of control selection is to specify minimum assurance requirements
|
|
|
Security Controls Selection
|
System owner must document in the SSP
|
|
|
Security Controls Selection
|
Security plan must provide an overview of the security requirements
|
|
|
Security Controls Selection
|
Plan must describe each control in detail to allow them to be implemented
|
|
|
Security Controls Selection
|
System Owners should begin planning for continuous monitoring
|
|
|
Security Controls Selection
|
Include in the SSP description of the subsystems
|
|
|
Security Controls Selection
|
System Owner must consider that a complex information system with multiple subsystems may have common vulnerabilities that permit exploitation by a common threat source
|
|
|
Security Controls Selection
|
Impact resulting from security incident in one subsystem might also have an impact on other subsystems of a complex information system.
|
|
|
Monitoring Strategy (Title)
|
Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation.
|
|
|
Monitoring Strategy
|
A critical aspect of risk management is the ongoing monitoring of security controls employed within or inherited by the information system.
|
|
|
Monitoring Strategy
|
Strategy should stress use of automated tools to facilitate near real time risk Management
|
|
|
Monitoring Strategy
|
An effective monitoring strategy is developed early in the system development life cycle
|
|
|
Monitoring Strategy
|
Strategy includes monitoring of inherited controls; configuration management, security impact analysis of proposed changes; assessment of selected controls employed and security status reporting to management officials
|
|
|
Monitoring Strategy
|
Identifies security controls to be monitored; frequency and assessment approach
|
|
|
Monitoring Strategy
|
Defines how changes are monitored; how impact analyses are conducted and reporting
|
|
|
Monitoring Strategy
|
Prioritize monitoring on controls that are volatile, critical or listed in the POAM
|
|
|
Monitoring Strategy
|
Frequency for monitoring inherited controls; risk assessment can be used to select controls
|
|
|
Monitoring Strategy
|
AO or AODR approves strategy usually a part of the plan approval
|
|
|
Monitoring Strategy
|
Control monitoring strategy is required throughout the system’s life cycle
|
|
|
Monitoring Strategy
|
Monitoring strategy for dynamic subsystems balances risk by not requiring the reauthorization of the system each time a new subsystem is added or removed
|
|
|
Monitoring Strategy
|
An effective monitoring program includes:
(i) configuration management and control processes; (ii) security impact analyses on proposed or actual changes to the information system and its environment of operation; (iii) assessment of selected security controls employed within and inherited by the information system (including controls in dynamic subsystems); and (iv) Security status reporting to appropriate organizational officials. |
|
|
Security Plan Approval (Title)
|
Review and approve the security plan
|
|
|
Security Plan Approval
|
Acceptance of the plan is an important milestone in the risk management process and SDLC
|
|
|
Security Plan Approval
|
If deemed unacceptable, returned to the system owner or CCP for corrective action
If acceptable, AO approves plan |
|
|
Security Plan Approval
|
Review may result in recommended for changes
|
|
|
Security Plan Approval
|
AO approval of the plan
o serves as agreement to the all controls o completes the controls selection in the RMF o Establishes the level of effort required to complete the remaining steps in the RMF o Provides specification for acquisition of the information system, subsystems or components |
|
|
Implement Security Controls (Title)
|
Implement the security controls specified in the security plan
|
|
|
Implement Security Controls
|
Implementation must be consistent with the organization’s enterprise architecture and information security architecture
|
|
|
Implement Security Controls
|
Information system security engineers must adhere to a sound security engineering process
|
|
|
Implement Security Controls
|
Implementation effort must address integrate of common system specific controls and interfaces between them
|
|
|
Implement Security Controls
|
Information system security engineers and ISSO’s must coordinate with CCP’s to determine the most appropriate way to apply common controls to the system
|
|
|
Implement Security Controls
|
When the system owner has deferred the selection of Common Controls this should be revisited during the control implementation to determine if they’re appropriate at this point in the SDLC
|
|
|
Implement Security Controls
|
System Owners MUST
o Identify compensating or supplementary controls, if common controls do meet the requirement o Ensure mandatory configuration setting are implemented o Satisfy minimum assurance requirement in the control implementation o Additional assurance measure should be considered for high–value systems o May begin conducting initial security control assessments during system development and implementation |
|
|
Implement Security Controls
|
Conducting security control assessments during the development and implementation phases of the SDLC permits early detection of deficiencies and provides a cost effective approach for corrective action
|
|
|
Implement Security Controls
|
Initial security control assessment results should be used later in system authorization to save time and avoid repeating some assessment activities
|
|
|
Security Control Documentation (Title)
|
Document the security control implementation, as appropriate, in the security plan, providing a functional description of the control implementation (including planned inputs, expected behavior, and expected outputs)
|
|
|
Security Control Documentation
|
Security control documentation describes how system–specific, hybrid, and common controls are implemented.
|
|
|
Security Control Documentation
|
Functional description of security control implementation must include planned inputs, expected behavior and expected outputs primarily as related to technical controls employed in the system
|
|
|
Security Control Documentation
|
Documenting the implementation of controls should include a record of decisions made prior to and following system deployment
|
|
|
Security Control Documentation
|
Level of Effort should commensurate with the sensitivity and criticality of the system
|
|
|
Security Control Documentation
|
Increase the overall efficiency and cost effectiveness of documenting control implementation, system owner should reference existing documentation
|
|
|
Security Control Documentation
|
Documentation must describe how a security requirement is met by the control in sufficient detail to permit assessment
|
|
|
Security Control Documentation
|
System owners |
|
|
Security Control Documentation |
Documentation of controls implementation should record how orgs requirements reflecting in the enterprise architecture and information security architecture have been satisfied. |
