Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
111 Cards in this Set
- Front
- Back
|
What is a System Life Cycle Process?
|
A process by which systems are developed, from pre-concept to deployment and disposal.
|
|
|
What are IA Objectives?
|
Objectives to achieve levels of confidentiality, integrity and availability commensurate with the type and value of data, mission requirements, support organization, etc..
|
|
|
What does the System life cycle include?
|
Initiation phase, Development\acquisition phase, implementation phase, operations\maintenance phase, and a disposal phase.
|
|
|
What is GASSP?
|
Generally Accepted System Security Principles (NIST SP 800-14)
|
|
|
What are the 8 principles of GASSP?
|
Support the mission, Integral element of sound management, Cost-effective, Responsibilities and accountability should be made explicit, Responsibilities outside their organization, Comprehensive and integrated approach, Periodically reassessed, Constrained by societal factors
|
|
|
What are the 14 practices of GASSP
|
Policies to enforce compliance, multiple levels administered by central oversight, Manage organizational risks by assessing threats, planning a systems life cycle, implement security practices to manage personnel, prepare for contingencies and disasters, Deploy a security incident response system, security awareness training, Apply security principles to all operational aspects, physical and environmental security, enforce effective user identification and authentication, Control logical access, Maintain audit trails, cryptography to protect sensitive data.
|
|
|
Who does the CIO report to?
|
Congress and OMB
|
|
|
What is DODAF?
|
DoD Architecture framework
|
|
|
What are the DoDAF AVs
|
Big picture
|
|
|
What are the DoDAF OVs?
|
Operational View
|
|
|
What are the DoDAF SVs
|
System Views
|
|
|
What are the DoDAF TVs
|
Technical views
|
|
|
Where would you find Data exchange?
|
OV3
|
|
|
What is ISSE?
|
The art and science of discovering users' information protection needs and then designing and making information systems, with economy and elegance, so that they can resist the forces to which they may be subjected.
|
|
|
What are the 6 elements of the ISSE process?
|
Discover needs, Refine requirements, Design architecture, Detailed Design, Implement System, Assess Effectiveness
|
|
|
What are the first 4 chapters of the IATF?
|
Main body - IA guidance, General guidelines
|
|
|
What are chapters 5 through appendix J of the IATF?
|
Technical Sections
|
|
|
What is appendix F of the IATF for?
|
Executive summaries - Security requirements for specific cases
|
|
|
What is appendix G of the IATF for?
|
Protection profiles - Common criteria, Define testable requirements
|
|
|
What is the key principle of the IATF?
|
Provides a technical process for developing systems with inherent IA services that focuses in 3 areas: - People Technology and operations.
|
|
|
What are the 3 focuses of the IATF?
|
People, Technology, Operations
|
|
|
What does the IATF do?
|
Provides an integrated process for developing and deploying IT systems with intrinsic and appropriate security measures in order to meet the organization's mission.
|
|
|
What does the IATF Defense in Depth strategy protect?
|
Computing environment, Enclave boundary, Network Infrastructure, Supporting infrastructures.
|
|
|
What are the Defense in Depth principles?
|
Defense in multiple places, Layered defenses, Security Robustness, Deploy KMI/PKI, Deploy intrusion detection systems.
|
|
|
What is a countermeasure?
|
Targeted control against a singular attack.
|
|
|
What is the longevity of a countermeasure?
|
Countermeasures are temporary.
|
|
|
What is an Information System?
|
Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data and includes computer software, firmware, and hardware.
|
|
|
What does a Security Engineer do?
|
Through engineering discipline and process helps build dependable systems in the face of malice, error, or mischance.
|
|
|
What is a threat?
|
The likelihood that the impact of an unwanted incident will be realized.
|
|
|
What is a vulnerability?
|
An inherent or intrinsic flaw or weakness in a system, its subsystems, or components that can be exploited by a threat.
|
|
|
Define Impact:
|
An adverse operational impairment or loss caused by the materialization of a threat.
|
|
|
Define Risk:
|
The quantification of: A- probability that a threat will materialize and cause impact; or B- the estimate of potential financial loss (exposure) an organizational unit might experience in a scenario.
|
|
|
Define Trust:
|
All protection mechanisms work cohesively to produce sensitive data for all authorized users and maintain the required level of protection.
|
|
|
Define Assurance:
|
Degree of confidence that the system will act in a correct and predictable manner in all possible computing situations. -- Known inputs will produce expected results through all states.
|
|
|
Define System:
|
A combination of elements designed to function as a unit to perform a function.
|
|
|
Define Structure:
|
Formulation of systems or processes to perform a function or achieve an objective.
|
|
|
Define Function:
|
A description of work that a system must perform to meet customer requirements.
|
|
|
Define Purpose:
|
Knowledge used to perform a function.
|
|
|
What policy describes the Risk Management Cycle?
|
NSTISSI-4009
|
|
|
What is the first phase of Risk Management?
|
Initiation - Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy)
|
|
|
What is phase 2 of Risk Management?
|
Development/Acquisition - The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development.
|
|
|
What is phase 3 of Risk Management?
|
Implementation - The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation.
|
|
|
What is phase 4 of Risk Management?
|
Operation/Maintenance - Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (i.e. new system interfaces)
|
|
|
Who determines when reaccreditation is required?
|
CIO or AO
|
|
|
What is phase 5 of Risk Management?
|
Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner.
|
|
|
What NIST policy covers Risk Assessment?
|
SP 800-30
|
|
|
What are the 9 steps to a Risk Assessment?
|
System characterization, Vulnerability identification, Threat identification, Control analysis, Likelihood determination, Impact analysis, Risk determination, Control recommendations, Results documentation
|
|
|
What are the inputs to RA System Characterization?
|
Hardware, Software, System interfaces, Data and information, People, System mission
|
|
|
What are the outputs from RA System Characterization?
|
System boundary, System functions, System and data criticality, System and data sensitivity.
|
|
|
What are the inputs to RA Threat Identification?
|
History of system attacks, Data from intelligence agencies
|
|
|
What are the outputs from RA Threat Identification?
|
Threat Statement
|
|
|
What are the inputs to RA Vulnerability Identification?
|
Reports from prior RA's, Any audit comments, Security requirements, Security test results.
|
|
|
What are the outputs from RA Vulnerability Identification?
|
List of potential vulnerabilities.
|
|
|
What are the inputs to RA Control Analysis?
|
Current controls, planned controls.
|
|
|
What are the outputs from RA Control Analysis?
|
SSP, POA&M, List of current and planned controls.
|
|
|
What are the inputs to RA Likelihood Determination?
|
Threat-source motivation, Threat capacity, Nature of vulnerability, Current controls.
|
|
|
What are the outputs from RA Likelihood Determination?
|
Likelihood Rating - Capability + motivation.
|
|
|
What are the inputs to RA Impact Analysis?
|
Mission (Business) impact analysis, Asset criticality assessment, Data criticality, Data sensitivity.
|
|
|
What are the outputs from RA Impact Analysis?
|
Impact Rating - How much Damage
|
|
|
What are the inputs to RA Risk Determination?
|
Likelihood of threat exploitation, Magnitude of impact, Adequacy of planned or current controls.
|
|
|
What are the outputs from RA Risk Determination?
|
Risks and associated Risk Levels.
|
|
|
What are the outputs from RA Control Recommendations?
|
Recommended controls.
|
|
|
What are the outputs from RA Results Documentation?
|
Risk Assessment Report - RAR
|
|
|
What is the difference between a Risk Assessment and an Audit?
|
Assessment provides recommendations.
|
|
|
Two NIST documents cover Risk, what are they and what are the differences?
|
SP 800-30 discusses Risk Assessment as a 9 step process. SP 800-100 discusses Risk Assurance and combines the Control Analysis (4), Likelihood Determination (5), Impact Analysis (6), and Risk Determination (7), steps from 800-30 into a 6 step process.
|
|
|
What are the Risk Mitigation options?
|
Risk Assumption, Risk Avoidance, Risk Limitation, Research and Development, and Risk Transference?
|
|
|
What is Risk Assumption?
|
Accepting the potential risk and continue operations.
|
|
|
What is Risk Avoidance?
|
Elimination of the risk cause or consequence. - Add controls or remove system functions.
|
|
|
What is Risk Limitation?
|
Limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability (use of supporting, preventive detective controls) or by authorizing operation for a limited time during which additional risk mitigation by other means is being put into place.
|
|
|
What is Risk Transference?
|
To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.
|
|
|
What are the Security Control Categories?
|
Management security controls - Administrative, Technical security controls - Logical, Operational security controls - Physical
|
|
|
What are Management (Administrative) security controls?
|
Policies, standards, baselines, guidance, procedures
|
|
|
What are Technical (Logical) security controls
|
Hardware, Software, Firmware components and devices
|
|
|
What are Operational (Physical) security controls?
|
Include leading industry practices and procedural guidance.
|
|
|
What policy mandates that the organization's senior management or the authorizing official, who are responsible for protecting the organization's IT asset and mission, must authorize (or accredit) the IT system to begin or continue to operate?
|
OMB Circular A-130
|
|
|
How often should re-accreditation occur?
|
At least every 3 years or when ever major changes are made to the IT system.
|
|
|
Define Security Engineering:
|
It is the application of traditional systems engineering processes to the specific problems and issues regarding assurance and security of systems and information.
|
|
|
What are the Goals of Security Engineering?
|
Understand security Risks, Establish security needs, Develop security Guidance, Determine Acceptable Risks, Establish Assurance
|
|
|
What are the 8 phases of the System Development Life Cycle (SDLC)?
|
Development, Manufacturing, Test, Distribution, Operations, Support, Training, Disposal
|
|
|
What are the 6 activities of the ISSE Process?
|
Discover Information Protection Needs, Define System Security Requirements, Design System Security Architecture, Develop Detailed System Security Design, Implement System Security, Assess Information Protection Effectiveness.
|
|
|
What is the major task required to meet the ISSE activity - Discover Information Protection Needs?
|
Ascertain why the system needs to be built - what needs the system must fulfill.
|
|
|
What is the major task required to meet the ISSE activity - Define System Security Requirements?
|
Define the system in terms of what the system needs to be able to do.
|
|
|
What is the major task required to meet the ISSE activity - Define System Security Architecture?
|
Use previously documented information to choose the types of security components that will perform specific security function.
|
|
|
What is the major task required to meet the ISSE activity - Develop Detailed Security Design?
|
Based on the security architecture, begin to design the system to be able to do what it needs to do.
|
|
|
What is the major task required to meet the ISSE activity - Implement System Security?
|
Build/Implement the system so it does what it is supposed to do.
|
|
|
What is the major task required to meet the ISSE activity - Assess Security Protection Effectiveness.
|
Assess the degree to which the system, as it is defined, designed, and implemented, meets the needs.
|
|
|
Which ISSE Activity is re-accomplished during all other activities?
|
Assess Information Protection Effectiveness spans the entire ISSE process, it is a component of each of the preceding five activities.
|
|
|
Not to be confused with the 6 ISSE Activities, what are the 5 Phases of the Life Cycle process?
|
Initiation, Develop/Acquire, Implement, Operations/Maintenance, Disposal
|
|
|
System Life Cycle Phase 1 - Initiation; What does the Conduct a Sensitivity Assessment accomplish?
|
The sensitivity assessment looks at the sensitivity of the information to be processed and the system it self. It looks at the priorities of C.I.A. and impact of loss or damage to CIA of the information.
|
|
|
What is the Information Management Model (IMM) used for?
|
It is used to determine the appropriate controls, regulations, directives, laws and policies for use in each of the customer's domains.
|
|
|
System Life Cycle Phase 2 - Development and Acquisition; What 3 steps should be considered during this phase?
|
Determine Security Requirements, Incorporate Security Requirements into Specifications. Obtain the System and Related Security Activities.
|
|
|
System Life Cycle Phase 3 - Implementation; What 3 items should be considered during Implementation?
|
Install/Turn-on Controls, Security Testing, Accreditation.
|
|
|
System Life Cycle Phase 4 - Operations and Maintenance; What 3 activities should be considered during this phase?
|
Security Operations and Administration, Operational Assurance, Audits and Monitoring.
|
|
|
When does a system move to Life Cycle Phase 4 - Operations and Maintenance?
|
After the ATO has been signed.
|
|
|
System Life Cycle Phase 5 - Disposal; What should be considered during this phase?
|
Information, Media Sanitization
|
|
|
Why was the SSE-CMM developed?
|
To advance security engineering as a defines, mature, and measurable discipline.
|
|
|
What is the Goal of the SSE-CMM?
|
Develop a mechanism to enable -Selection of appropriately qualified security engineering providers, -Focused investments in security engineering practices, -Capability-based assurance.
|
|
|
What does the CMM acronym mean
|
Capability Maturity Model
|
|
|
What are the 5 capability measures
|
1 -Performed Informally, 2 -Planned and Tracked, 3 -Well-defined, 4 -Quantitatively Controlled, 5 -Continuously Improving.
|
|
|
What are the SSE-CMM process categories?
|
Engineering Processes, Project Processes, Organizational Processes.
|
|
|
What are the 5 Classes of attacks?
|
Passive, Active, Close-in, Insider, Distribution
|
|
|
What is the First line of defense for a Passive attack?
|
Link and network layer and encryption and traffic flow security
|
|
|
What is the First line of defense for an Active attack?
|
Defend the enclave boundary
|
|
|
What is the First line of defense for an Insider attack?
|
Physical and personnel security
|
|
|
What is the First line of defense for a Close-in attack?
|
Physical and personnel security
|
|
|
What is the First line of defense for a Distribution attack?
|
Trusted software development and distribution.
|
|
|
What is the Second line of defense for a Passive attack?
|
Security-enabled applications
|
|
|
What is the Second line of defense for an Active attack?
|
Defend the computing environment
|
|
|
What is the Second line of defense for an Insider attack?
|
Authenticated access controls, audit
|
|
|
What is the Second line of defense for a Close-in attack?
|
Technical surveillance countermeasures
|
|
|
What is the Second line of defense for a Distribution attack?
|
Run time integrity controls
|
