107 Information Assurance Flashcards
Define IA
Information Assurance- protect and defend data and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation
Certification
meets a set of specified security requirements
Accreditation
Formal declaration that an info system is approved to operate at an acceptable level of risk
DAA
Designated Approval Authority- official with authority to formally assume responsibility for operating a system at an acceptable level of risk
System Security Plan
formal document prepared by the information system owner that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements
System Security Authorization Agreement
a living document that represents the formal agreement between the DAA, the Certification Authority, the Program Manager, and the user representative
ATO
Approval to Operate- authorize operation of an information system and to explicitly accept the residual risk to agency operations
IATO
Interim Approval to Operate- temporary authorization
Configuration Management
identifies, controls, accounts for, and audits all changes to a site or information system during its design, development, and operational lifecycle
Performing cross-domain transfers
Interconnections between DoD information systems of different security domains, or with other US Govt systems of different security domains, shall be employed only to meet compelling operational requirements
Risk Management
Process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organization's missions
Five attributes of IA
(CIANA) Confidentiality, Integrity, Availability, Non-repudiation, Authentication
9 categories of computer incidents
(RUDMUNRIE)
- Root Level Intrusion
- User Level Intrusion
- Denial of Service
- Malicious Code
- Unsuccessful Activity Attempt
- Non-compliance Activity
- Reconnaissance
- Investigating
- Explained Anomaly
Describe the DoN World Wide Web Security Policy
SECNAVINST 5720.47B
IAVA
IA Vulnerability Alerts- address severe network vulnerabilities resulting in immediate and potentially severe threats
IAVB
IA Vulnerability Bulletins- address new vulnerabilities that do not pose an immediate risk to DoN systems, but are significant enough that noncompliance with the corrective action could escalate the risk
IAVT
IA Vulnerability Technical Advisories- address new vulnerabilities that are generally categorized as low risk to DoN systems
CTO
Communications Tasking Orders- intended to direct the execution of specific actions in order to mitigate security threats to the GIG
NTD
Navy Telecommunications Directive- issued by COMNAVNETWARCOM to provide policies and guidance on specific security issues within the DoN
Service Pack
collection of updates, fixes, and/or enhancements to a software program delivered in the form of a single installable package
Vulnerability Assessment
a testing process used to evaluate the network infrastructure, software and users in order to identify known weaknesses
Vulnerability vs. Threat
Vulnerability- any weakness, administrative process, act, or physical exposure that makes an information asset susceptible to exploitation by a threat
Threat- potential cause of an unwanted impact to a system or organization
Responsibilities of the IAM
Information Assurance Manager- responsible for the IA program within a command, site, system, or enclave
Define CCRI
Command Cyber Readiness Inspection- improves overall security posture of the GIG through a formal inspection process
NAVCYBERFOR’s role in a CCRI
Mission is to organize and prioritize manpower, training, modernization and maintenance requirements, and capabilities of command and control architecture and networks