96 Cards in this Set
- Front
- Back
Chief Information Officer (CIO) |
Overall responsibility for the execution of the organization's security program |
|
Chief Information Officer (CIO) |
Delegates authority to the CISO for management of the enterprise system authorization program. |
|
Chief Information Officer (CIO) |
Supports through oversight, maintaining visibility. |
|
Chief Information Officer (CIO) |
Assists senior agency officials with their security responsibilities. |
|
Chief Information Officer (CIO) |
Develops and maintains information security policies, procedures, and control techniques to address system security planning |
|
Chief Information Officer (CIO) |
Manages the identification, implementation, and assessment of common security controls |
|
Chief Information Officer (CIO) |
Identifies and coordinates common security controls for the agency |
|
Chief Information Security Officer (CISO) |
Serves as the senior information security officer (SISO) as required by FISMA. |
|
Chief Information Security Officer (CISO) |
Has primary responsibility for information security overall, including risk management, policy development and compliance monitoring, security awareness, incident investigation and reporting, and contingency planning. |
|
Chief Information Security Officer (CISO) |
Charged with responsibility for the enterprise-wide system authorization program |
|
Chief Information Security Officer (CISO) |
Should document as many system authorization positions as possible |
|
Chief Information Security Officer (CISO) |
Oversees personnel with significant responsibilities for information security and ensures that the personnel are adequately trained |
|
Chief Information Security Officer (CISO) |
Reports annually to the head of the federal agency on the overall effectiveness of the organization’s information security program, including progress of remedial actions |
|
Chief Information Security Officer (CISO) |
Ensures that information systems are covered by approved security plans and are authorized to operate |
|
Chief Information Security Officer (CISO) |
Ensures that there is centralized reporting of appropriate information security-related activities |
|
Chief Information Security Officer (CISO) |
|
|
Senior Information Security Officer (SISO) |
Carries out the chief information officer's (CIO) security responsibilities under FISMA |
|
Senior Information Security Officer (SISO) |
Serves as the primary liaison for the chief information officer |
|
Senior Information Security Officer (SISO) |
Possesses professional qualifications, including training and experience, required to administer the information security program functions. |
|
Senior Information Security Officer (SISO) |
Maintains information security duties as a primary responsibility |
|
Senior Information Security Officer (SISO) |
Heads an office with the mission and resources to assist the organization in achieving more secure information and information systems in accordance with the requirements in FISMA. |
|
Information System Owner (ISO) |
Develops the system security plan |
|
Information System Owner (ISO) |
Responsibility for the security of an information system. |
|
Information System Owner (ISO) |
Establishes the sensitivity level |
|
Information System Owner (ISO) |
Establishes the basis for the kinds of controls needed to protect the system |
|
Information System Owner (ISO) |
Retains responsibility over the full life cycle of the system |
|
Information System Owner (ISO) |
Ensures controls are implemented, requests resources to ensure implementation is accomplished |
|
Information System Owner (ISO) |
Ensures the continued effectiveness of day-to-day controls |
|
Information System Owner (ISO) |
Remediation of weaknesses |
|
Information System Owner (ISO) |
Initiates system authorization activities |
|
Information System Owner (ISO) |
Monitors preparation of the accreditation package |
|
Information System Owner (ISO) |
The relationship between owners of major applications and general support system owners must be close and well defined. |
|
Information System Owner (ISO) |
Serves as the focal point for the information system |
|
Information System Owner (ISO) |
Updates the system security plan whenever a significant change occurs |
|
Information System Owner (ISO) |
Ensures that system users and support personnel receive the requisite security training |
|
Information System Owner (ISO) |
Maintains the system security plan and ensures that the system is deployed and operated according to the agreed-upon security requirements. |
|
Information System Security Officer (ISSO) |
Works in close collaboration with the information system owner. |
|
Information System Security Officer (ISSO) |
Responsible for securing the system and managing all security aspects of the system. |
|
Information System Security Officer (ISSO) |
Monitors the effectiveness of the controls |
|
Information System Security Officer (ISSO) |
Serves as a principal advisor on all matters, technical and otherwise, involving the security |
|
Information System Security Officer (ISSO) |
Has the detailed knowledge and expertise required to manage the security aspects of an information system |
|
Information System Security Officer (ISSO) |
Controls security mechanisms, performs security activities and tasks, develops and enforces security mechanisms and procedures for the system, follows up on incidents, and advises the system owner on security-related matters |
|
Information System Security Officer (ISSO) |
Plays the most important role in the certification of the system by being the POC for the certifying agent and assembling the security accreditation package. |
|
Information System Security Officer (ISSO) |
Assigned responsibility for the day-to-day security operations of a system |
|
Information System Security Officer (ISSO) |
Assists the senior agency information security officer in the identification, implementation, and assessment of the common security controls |
|
Information System Security Officer (ISSO) |
Plays an active role in developing and updating the system security plan as well as coordinating with the information system owner any changes to the system and assessing the security impact of those changes |
|
Security Control Assessor (SCA) |
Independent authority charged with assessing the security controls |
|
Security Control Assessor (SCA) |
Prior to initiating the security control assessment, an assessor conducts an assessment of the security plan |
|
Security Control Assessor (SCA) |
Determines whether the controls are implemented correctly, operating as intended, and producing the desired outcome |
|
Security Control Assessor (SCA) |
Provides an assessment of the severity of weaknesses or deficiencies discovered and recommends corrective action to reduce or eliminate vulnerabilities, while maintaining independence |
|
Security Control Assessor (SCA) |
The information system owner and common control provider rely on the security expertise and the technical judgment of the assessor |
|
Security Control Assessor (SCA) |
Prepares the final security assessment report containing the results and findings from the assessment. |
|
Authorizing Official (AO) |
Senior management official responsible for deciding whether a system should be allowed to receive an ATO (authorization to operate). |
|
Authorizing Official (AO) |
Responsible for accepting any residual risks |
|
Authorizing Official (AO) |
Executive who has the authority and ability to evaluate a system's security risks |
|
Authorizing Official (AO) |
Has oversight of the business process and is required to determine the acceptable level of risk to the agency. |
|
Authorizing Official (AO) |
Typically has budgetary oversight for an information system or is responsible for the mission and/or business operations supported by the system |
|
Authorizing Official (AO) |
Accountable for the security risks associated with information system operations |
|
Authorizing Official (AO) |
Approves security plans, memoranda of agreement or understanding, and plans of action and milestones, and determines whether significant changes in the information systems or environments of operation require reauthorization |
|
Authorizing Official (AO) |
Coordinates activities with interested parties during the security authorization process |
|
Approving Authority Designated Representative (AODR) |
Empowered to make decisions regarding the planning and resourcing of the effort, and acceptance of the SSP (system security plan). |
|
Approving Authority Designated Representative (AODR) |
Acts on behalf of an authorizing official to coordinate and conduct the required day-to-day activities associated with the security authorization process |
|
Approving Authority Designated Representative (AODR) |
May also be called upon to prepare the final authorization package |
|
Approving Authority Designated Representative (AODR) |
Determines the risk to agency assets |
|
Approving Authority Designated Representative (AODR) |
Prepares the accreditation decision memo |
|
Approving Authority Designated Representative (AODR) |
The only activity that cannot be delegated to the designated representative by the authorizing official is the authorization decision and signing of the associated authorization decision document |
|
Information Owner/Custodian/Steward |
Owner of the information processed by the information systems |
|
Information Owner/Custodian/Steward |
Ensures the system owner is aware of the requirements for protecting the system |
|
Information Owner/Custodian/Steward |
Most often information owner and system owner are the same person |
|
Information Owner/Custodian/Steward |
Provides input to information system owners regarding the security requirements and security controls for the systems where the information is processed, stored, or transmitted |
|
Information Owner/Custodian/Steward |
Organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal |
|
Information Owner/Custodian/Steward |
Establishes the rules for appropriate use and protection of the subject data/information (rules of behavior) |
|
Information Owner/Custodian/Steward |
Decides who has access to the information system and with what types of privileges or access rights |
|
Information Owner/Custodian/Steward |
Assists in the identification and assessment of the common security controls where the information resides |
|
Head of Agency or Chief Executive Officer |
Highest-level senior official responsible |
|
Head of Agency or Chief Executive Officer |
Ensures integration of information security management processes with strategic and operational planning processes |
|
Head of Agency or Chief Executive Officer |
Ensures there are sufficient trained personnel available to ensure compliance with internal and external security requirements |
|
Head of Agency or Chief Executive Officer |
Establishes appropriate accountability for information security and provides active support and oversight of monitoring and improvement for the information security program |
|
Head of Agency or Chief Executive Officer |
Senior leadership commitment to information security establishes a level of due diligence within the organization that promotes a climate for mission and business success |
|
Risk Executive (Function) |
Ensures that risk for individual systems is considered from an organization-wide perspective, in light of overall strategic goals and objectives |
|
Risk Executive (Function) |
Ensures that management of system-related security risks is consistent across the organization |
|
Risk Executive (Function) |
Reflects the organization's risk tolerance level |
|
Risk Executive (Function) |
Provides a comprehensive, organization-wide, holistic approach for addressing risk |
|
Risk Executive (Function) |
Develops a risk management strategy for the organization providing a strategic view |
|
Risk Executive (Function) |
Facilitates the sharing of risk-related information among authorizing officials |
|
Risk Executive (Function) |
Provides oversight for all risk management-related activities |
|
Risk Executive (Function) |
Ensures that authorization decisions consider all factors necessary for mission and business success |
|
Risk Executive (Function) |
Promotes cooperation and collaboration among authorizing officials |
|
Common Control Provider (CCP) |
Responsible for the development, implementation, assessment, monitoring, and documentation of common controls |
|
Common Control Provider (CCP) |
Ensures assessors document assessment findings, and maintains a plan of action and milestones for all controls with weaknesses. |
|
Information Security Architect (ISA) |
Ensures information security requirements are properly addressed in the organization's enterprise architecture |
|
Information Security Architect (ISA) |
Liaison between the enterprise architect and the information system security engineer |
|
Information Security Architect (ISA) |
Coordinates with other roles about the system boundary and on a range of security-related issues |
|
Information System Security Engineer (ISSE) |
Captures and refines information security requirements and ensures they are integrated into information technology products and systems by means of architecture, design, development, and configuration. |
|
Information System Security Engineer (ISSE) |
Supports development team activities, including design and development |
|
Common Control Provider (CCP) |
Makes security documentation available to system owners whose systems inherit common controls |
|