System Authorization and Risk Management: A CAP Overview, Exams of Business Administration

An overview of Certified Authorization Professional (CAP) concepts, focusing on system authorization and risk management. It covers the key processes, models, and steps involved in system authorization, including the Risk Management Framework (RMF) and its tiers. The document also highlights the benefits and elements of an enterprise system authorization program, offering insights into maintaining IT security and managing risk effectively. It is a useful resource for understanding the fundamentals of system authorization and risk management in information security.

Typology: Exams

2024/2025

Available from 05/23/2025

locaz-turus-1
Certified Authorization Professional (CAP)
System Authorization correct answer Risk management process that helps in assessing risk
associated with a system and takes steps to mitigate the vulnerabilities to reduce risk to an
acceptable level. System authorization was formerly known as Certification and Accreditation
used to ensure that security controls are established for an information system.
Risk Management correct answer A process of identifying, controlling, and extenuating IT
system related risk. It includes risk assessment, analysis of cost benefit, selection,
implementation, test and measurement of security controls.
Certification and Accreditation correct answer The process of implementing information
security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems
prior to or after a system is in operation. C&A is extensively used in the Federal Government.
Four New Process Models correct answer - Frame
- Assess
- Respond
- Monitor
What are the 6 RMF Steps correct answer Step 1 - Categorize
Step 2 - Select
Step 3 - Implement
Step 4 - Assess
Step 5 - Authorize
Step 6 - Monitor
Benefits of system authorization correct answer System authorization provides benefits to
organizations, some of which are as follows:
•It helps in maintaining the visibility of the information technology security program by drawing
attention to it at multiple organization levels.

•It allows management to prove that it is doing the right thing in protecting its assets, and provides a process for meeting requirements and managing risk.
•It provides a means for integrating security across all of its computer systems, allowing consistency in the implementation of security controls.
•It ensures that minimum security control requirements are met.
•It saves effort and resources by consolidating individual processes into an integrated program.
Elements of an enterprise system authorization program correct answer A system authorization program consists of a wide variety of people, processes, and technologies. Each of these elements is important. The key elements of an enterprise system authorization program are as follows:
•The Business Case: A strong business case is required for the establishment of an enterprise system authorization program. The business case describes the reasons why the program is required for the organization.
•Goal Setting: Goals and objectives for the program must be established and effectively communicated across the enterprise.
•Tasks and Milestones: It is very important that the program manager of the SISO establish the tasks that need to be performed and a schedule for their completion.
•Program Oversight: The execution of the system authorization program must be regularly measured to ensure that it is being implemented effectively. It is also important to ensure that established program requirements are being met.
•Visibility: The system authorization program requires visibility of the SISO. The SISO needs to work hard to maintain management support by providing frequent updates on program status, needs, and benefits.
•Resources: Funds play a vital role in an effective system authorization plan. It is important to revise the budget of the system authorization plan as requirements change.
System Authorization Plan correct answer The creation of a System Authorization Plan (SAP) is mandated by System Authorization. The System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. It consists of four phases:
•Phase 1 - Pre-certification
•Phase 2 - Certification

It addresses risks from the mission and business process perspective. It is guided by the risk decisions at Tier 1. The various Tier 2 activities are as follows:
•It defines the core missions and business processes for the organization.
•It also prioritizes missions and business processes with respect to the goals and objectives of the organization.
•It defines the types of information that an organization requires to successfully execute the stated missions and business processes.
•It helps in developing an organization-wide information protection strategy and incorporating high-level information security requirements.
•It specifies the degree of autonomy for the subordinate organizations.
Multitiered Risk Management - Tier 3 correct answer The information system level is Tier 3. It addresses risks from an information system perspective and is guided by the risk decisions at Tiers 1 and 2. Risk decisions at Tiers 1 and 2 impact the ultimate selection and deployment of requisite safeguards. This also has an impact on the countermeasures at the information system level. The RMF primarily operates at Tier 3, but it can also have interactions at Tiers 1 and 2.
Risk Management Framework (RMF) correct answer The Risk Management Framework (RMF) provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle, primarily at Tier 3. It can also have interactions at Tiers 1 and 2. The RMF is operated in the risk management hierarchy. It has six steps:
1. Categorize: Security Categorization is the first step of the Risk Management Framework. This step affects all other steps in the framework, from the selection of security controls to the level of effort in assessing security control effectiveness.
2. Select: Select Security Controls is the second step of the NIST Risk Management Framework. This step involves selecting an initial set of security controls for the information system based on the FIPS 199 security categorization. This step applies tailoring guidance to obtain a starting point for the required controls.
3. Implement: Implement Security Controls in the information system is the third step of the NIST Risk Management Framework. In this step, security controls are implemented in the risk management framework.

4. Assess: Assess the Security Controls is the fourth step of the NIST Risk Management Framework. It uses appropriate methods and procedures to determine the extent to which the controls are implemented correctly.
5. Authorize: Authorize Information System is the fifth step of the NIST Risk Management Framework. It is based on the determination of risks to organizational operations, organizational assets, or individuals resulting from the operation of the information system.
6. Monitor: Monitor Security State is the sixth step of the NIST Risk Management Framework. This step monitors and assesses selected security controls in the information system on a continuous basis, including documenting changes to the system. This step is
Characteristics of the Risk Management Framework (RMF) correct answer The following are the characteristics of the Risk Management Framework (RMF):
•It promotes the concept of real-time risk management and ongoing information system authorization by implementing robust continuous monitoring processes.
•It encourages the use of automation to provide senior leaders with the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems.
•It integrates information security into the enterprise architecture and system development life cycle.
•It provides emphasis on the selection, implementation, assessment, and monitoring of security controls.
•It establishes the responsibility and accountability for security controls deployed within organizational information systems.
Objectives of risk management correct answer Risk management is used to identify, assess, and control risks. It includes analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats. The objectives of risk management are as follows:
•Enable organizations to accomplish their missions by securing the IT systems that store, process, or transmit organizational information.
•Enable management to make well-informed risk management decisions to justify expenses that are part of the IT budget.
•Assist management in authorizing (or accrediting) the IT systems.

increases. The compliance process enables organizations to make compliance repeatable and hence enables them to sustain it on an ongoing basis at a lower cost.
System inventory process correct answer It is important that a reliable and complete system inventory be created and maintained. The system inventory process is one of the most important steps in system authorization. The objective of the system inventory process is to provide assurance that systems requiring protection have been identified and are included in security planning and oversight. It is not easy to establish and maintain a centralized systems inventory program, but the task becomes easier once the program has been established. There are three critical success factors for building an effective program: a well-constructed implementation plan, clearly documented guidance, and continuing management support.
Inventory information correct answer It is necessary to collect information regarding the system using the system inventory form and process. The required information includes the name of the system, a description of the system, its environment, and the status of the system.
Inventory tools correct answer There are three tools required to manage the inventory program: the inventory form, an inventory change form, and an organization inventory summary. These three tools can be combined into an integrated inventory tool with controlled access.
RMF Roles and responsibilities IAW 800-37 correct answer - Common Control Provider
- Head of Agency/CEO
- Information System Owner
- Risk Executive (function)
- Information System Architect
- Chief Information Officer
- Information System Sec Engineer
- Information System Sec Officer
- Security Control Assessor
- Information Owner/Steward
- Authorizing Official (AO)
- Auth. Official Designated Rep.

What is FITSAF correct answer FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. It provides an approach for federal agencies. It determines how federal agencies are meeting existing policy and establishes goals. The main advantage of FITSAF is that it addresses the requirements of the Office of Management and Budget (OMB). It also addresses the guidelines provided by the National Institute of Standards and Technology (NIST).
Five levels in which FITSAF is divided, depending on SEI's Capability Maturity Model correct answer
•Level 1: The first level reflects that an asset has a documented security policy.
•Level 2: The second level shows that the asset has documented procedures and controls to implement the policy.
•Level 3: The third level indicates that these procedures and controls have been implemented.
•Level 4: The fourth level shows that the procedures and controls are tested and reviewed.
•Level 5: The fifth level is the final level and shows that the asset has procedures and controls fully integrated into a comprehensive program.
What is System Security Authorization Agreement correct answer System Security Authorization Agreement (SSAA) is an information security document used in the United States Department of Defense (DoD) to describe and accredit networks and systems. The SSAA is part of the Department of Defense Information Technology Security Certification and Accreditation Process, or DITSCAP. The DoD instruction (issued in December 1997) that describes DITSCAP and provides an outline for the SSAA document is DODI 5200.40. The DITSCAP application manual (DoD 8510.1-M), published in July 2000, provides additional details.
Federal Information Security Management Act correct answer FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST), and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. According to FISMA, the term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.

NIST's Risk Management Framework correct answer The RMF, updated in NIST SP 800- (Revision 1), provides a structured process to fully integrate information security and risk management activities into the SDLC in a disciplined fashion. The six steps of the RMF are as follows:
•Categorize
•Select
•Implement
•Assess
•Authorize
•Monitor
Tasks of the RMF step 1 correct answer Categorizing the information system is RMF Step 1 of NIST SP 800-37. The following are the tasks of this step:
•The first task of RMF step 1 is to categorize the information system and document the results of the security categorization in the security plan.
•The second task is to describe the information system and document the description in the security plan.
•The last task of this step is to register the information system with an appropriate organizational program.
Tasks of the RMF step 2 correct answer RMF step 2, also known as Select Security Controls, includes the following tasks:
1. The first task is to identify the security controls that are provided by the organization as common controls, and to document these controls in the security plan.
2. The second task is to select the security controls for the information system, and to document these controls in the security plan.
3. The third task is to develop a strategy for the continuous monitoring of security control effectiveness.
4. The fourth task is to review and approve the security plan.

Tasks of the RMF step 3 correct answer RMF step 3 is also known as Implement Security Controls. The tasks of this step are as follows:
1. The first task of this step is to implement the security controls that are specified in the security plan.
2. The second, and last, task of this step is to document the implementation of the security controls and to provide a functional description of the control implementation in the security plan.
Tasks of the RMF step 4 correct answer RMF step 4, also known as Assess Security Controls, has the following tasks to perform:
1. The first task is to develop, review, and approve a plan to assess the security controls.
2. The second task is to assess the security controls in accordance with the assessment procedures defined in the security assessment plan.
3. The third task is to prepare a security assessment report documenting the issues, findings, and recommendations from the security control assessment.
4. The fourth task is to conduct initial remediation actions on the security controls based on the recommendations of the security assessment report.
Tasks of the RMF step 5 correct answer RMF step 5 is also known as Authorize Information System. The tasks of this step are as follows:
1. The first task is to prepare the Plan of Action and Milestones (POAM) document. The POAM document is based on the findings and recommendations of the security assessment report.
2. The second task is to assemble the security authorization package and submit the package to the authorizing official for adjudication.
3. The third task is to determine the risks to the organizational operations, assets, etc.
4. The fourth task is to determine whether the risks to the organizational operations, organizational assets, individuals, other organizations, or the Nation are acceptable or not.
Tasks of the RMF step 6 correct answer RMF step 6, also known as Monitor Security Controls, performs the following tasks:

•Phase 4: Phase 4 of the SDLC is known as operation or maintenance. This phase describes that the system should be modified on a regular basis through the addition of hardware and software.
•Phase 5: Phase 5 of the SDLC is known as disposal. This phase involves the disposition of information, hardware, and software.
Chief Executive Officer correct answer The Chief Executive Officer is the highest-ranking executive in an organization, whose main responsibilities are as follows:
•Develops and implements high-level strategies
•Makes major corporate decisions
•Manages the overall operations and resources of a company
•Acts as the main point of communication between the board of directors and the corporate operations
The Chief Executive Officer (CEO) has responsibilities which are set by the organization's board of directors or other authority. Typically, the CEO/MD has responsibilities as a director, decision maker, leader, manager, and executor. The CEO/MD, as a leader of the company, advises the board of directors, motivates employees, modifies rules and regulations, and drives change within the organization; as a manager, the CEO/MD presides over the organization's day-to-day operations.
Chief Risk Officer correct answer A Chief Risk Officer (CRO) is also known as the Chief Risk Management Officer (CRMO). The Chief Risk Officer, or Chief Risk Management Officer, of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and the Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach.
Risk Executive correct answer A Risk Executive plays the role of an overseer. The responsibilities of a Risk Executive are as follows:
•Provides oversight to the risk management process to ensure organizational risk for business success

•Provides an organization-wide forum to consider all sources of risk
•Promotes collaboration and cooperation among organizational entities
•Facilitates the sharing of security risk-related information among authorizing officials
Chief Information Officer correct answer A Chief Information Officer (CIO) plays the role of an overseer. The responsibilities of a Chief Information Officer are as follows:
•Establishes an effective continuous monitoring program for the organization
•Facilitates a continuous monitoring process for the organization
•Preserves high-level communications and working group relationships in an organization
•Confirms that information systems are covered by a permitted security plan and monitored throughout the System Development Life Cycle (SDLC)
•Manages and delegates decisions to employees in large enterprises
•Proposes the information technology needed by an enterprise to achieve its goals and then works within a budget to implement the plan
Information owner/steward correct answer An information owner/steward is responsible for establishing the rules for appropriate use and protection of the subject information (e.g., rules of behavior) in information-sharing environments. They have other responsibilities as well, such as establishing the policies and procedures governing the information's generation, collection, processing, dissemination, and disposal. They retain all of the above responsibilities even when the information is shared with or provided to other organizations. A single information system may contain information from multiple information owners/stewards. Information owners/stewards provide input to information system owners regarding the security requirements and security controls for the systems where the information is processed, stored, or transmitted.
Senior Information Security Officer correct answer A Senior Information Security Officer (SISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets are adequately protected. The SISO directs staff in identifying, developing, implementing, and maintaining processes across the organization to reduce Information Technology (IT) risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of policies and procedures. The SISO is also usually responsible for information-related compliance. The responsibilities of a SISO are as follows: