Front: What are the nine documents intended to provide a structured, yet flexible framework for selecting, specifying, employing, evaluating, and monitoring the security controls in Federal information systems, and thus make a significant contribution toward satisfying the requirements of the Federal Information Security Management Act (FISMA) of 2002?
Back:
- FIPS 199
- FIPS 200
- NIST SP 800-30
- NIST SP 800-37
- NIST SP 800-39
- NIST SP 800-53
- NIST SP 800-53A
- NIST SP 800-59

Front: What does Appendix A of NIST 800-60 cover?
Back: It is a glossary.

Front: What does Appendix B of NIST 800-60 cover?
Back: It is a list of references.

Front: What does Appendix C of NIST 800-60 cover?
Back: Provisional security impact level assignments and supporting rationale for management and support information.

Front: What does Appendix D of NIST 800-60 cover?
Back: Provisional security impact level assignments and supporting rationale for mission-based information.

Front: What does Appendix E of NIST 800-60 cover?
Back: Legislative and executive sources that specify sensitivity/criticality properties.

Front: Agencies support the ________ process by establishing mission-based information types for the organization.
Back: Categorization process

Front: _______ _____ provides a vital step in integrating security into the government agency's business and information technology management functions.
Back: Security categorization

Front: (T/F) Security categorization establishes the foundation for security standardization among an agency's information systems.
Back: True

Front: What is the value of information security categorization?
Back: To enable agencies to proactively implement appropriate information security controls based on the assessed potential impact to information confidentiality, integrity, and availability, and in turn support their mission in a cost-effective manner.

Front: SDLC
Back: System Development Life Cycle

Front: Security categorization is a prerequisite for what process?
Back: Certification and Accreditation (C&A) process

Front: How often should categorization be revisited?
Back: At least every three years, or whenever a significant change occurs to the system or supporting business lines.

Front: Why is security categorization the key first step in the Risk Management Framework (RMF)?
Back: Because of its effect on all the other steps in the framework, from the selection of security controls to the level of effort in assessing security control effectiveness.

Front: What is the second step in the RMF?
Back: Select an initial set of security controls for the information system based on the FIPS 199 security categorization and apply tailoring guidance as appropriate, to obtain a starting point for the required controls as specified in FIPS 200.

Front: What is the third step in the RMF?
Back: Implement the security controls in the information system.

Front: In this step one must assess the security controls using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Back: Step 4 of the RMF

Front: In which step would you authorize information system operation based upon a determination of the risk to organizational operations, organizational assets, or individuals resulting from the operation of the information system, and the decision that this risk is acceptable, as specified in NIST 800-37?
Back: Step 5 of the RMF

Front: How would step 6 of the RMF cycle be defined?
Back: Monitor and assess selected security controls in the information system on a continuous basis, including documenting changes to the system, conducting security impact analyses of the associated changes, and reporting the security status of the system to appropriate organizational officials on a regular basis.