ais finals lesson 2 Flashcards
responsible for ensuring that the IAP is developed and
implemented in accordance with regulatory and business requirements
Chief executive officer (CEO)
plays a crucial role in allocating resources and fostering commitment
to the IAP
Chief executive officer (CEO)
What does IAP stand for?
information assurance program
AO stands for?
authorizing official
ISO stands for?
Information system owner
is responsible for the execution of the overall IT program and
delegates authority to the CISO for the management of the IAP.
Chief information officer (CIO)
is the focal point for IT management and governance of IT portfolios
CIO
carries out the CIO’s security and privacy responsibilities
under FISMA and is responsible for managing the IAP
Chief information security officer
FISMA stands for?
Federal Information Security Management Act
responsible for:
* Ensuring information security management processes are integrated with
strategic and operational planning processes.
* Ensuring trained personnel sufficient to assist in complying with the
information assurance requirements in related legislation, policies, directives,
instructions, standards, and guidelines.
* Coordinating with senior management to report annually to the head of the
federal agency on the overall effectiveness of the IAP, including progress of
remedial actions
CIO
is responsible for:
* Developing an organization-wide IAP that provides adequate security for
all information and information systems.
* Centralized reporting of information security-related activities.
* Developing and maintaining information security and privacy policies.
* Defining specific security requirements, tools, templates, and checklists to
support the IAP.
* Ensuring that personnel with significant system security responsibilities
are adequately trained.
CISO
is appointed by the CEO and is granted the authority to formally
assume responsibility for operating an information system at an acceptable level
of risk.
Authorizing official
has budgetary oversight for an information system and is
responsible for the mission/business operations supported by the system.
Authorizing official
approves systems security plans (SSPs), memorandums of agreement or
understanding (MOA/MOU), and plans of action and milestones (POA&Ms)
Authorizing official
is responsible for:
* Ensuring the security posture of the Agency’s information systems is
maintained.
* Reviewing security status reports and security documents and determining if
the risk to the Agency of operating the system remains acceptable.
* Reauthorizing information systems when required.
* Assisting in response to security incidents and privacy breaches.
* Appointing, when required, a designated representative to coordinate and
carry out system security responsibilities
Authorizing official
is appointed by the CEO and serves as the focal point for the information
system and is the central point of contact during the security authorization process.
Information system owner (ISO)
is responsible for:
* Coordinating data protection requirements with Information Owners (IOs) that have
information stored and processed in the system.
* Deciding, in coordination with the IO and Information System Security Officer
(ISSO), who has access to the system. Determining access privileges and rights to
the system.
* Ensuring that system users and support personnel receive the required security
training
(e.g., instruction in the Rules of Behavior).
* Ensuring that the system is compliant with the required security controls.
* Appointing an ISSO for the information system to carry out the day-to-day
security responsibilities.
* Reviewing system security documents (e.g., SSP, POA&M, etc.).
* Ensuring that system-specific security training is provided to the users and
administrators of the systems.
* Ensuring that remediation activities for the system are performed as
needed to maintain the authorization status.
* Appointing an Information System Security Manager (ISSM) to coordinate
system security tasks and provide oversight responsibilities to ensure security
activities are performed.
ISO
is an official with regulatory, management, or operational authority
for specified information and is responsible for establishing the policies and
procedures governing its generation, collection, processing, dissemination,
and disposal.
Information owner (IO)
responsible for:
* Providing input to ISOs regarding the security requirements and controls for
the systems where the information is processed, stored, or transmitted.
* Retaining information in accordance with the National Archives and
Records Administration (NARA) record schedule.
* Categorizing the sensitivity level of the information stored and
processed in the system.
* Establishing rules for appropriate use and protection of the information.
* Coordinating with the ISO when security requirements change.
* Assisting in the response to security incidents.
* Ensuring that the PII inventory is updated
IO
is appointed by the ISO and works closely with the ISO or ISSM to
ensure that the appropriate security posture is maintained for the information
system.
Information system security officer (ISSO)
serves as a principal advisor on all the security related issues
of an information system.
ISSO
must have the detailed knowledge and
expertise required to manage the security aspects of an information system and
is responsible for the day-to-day security operations of a system
ISSO
responsible for:
* Ensuring system compliance with security policies and procedures.
* Managing and controlling changes to the system.
* Assessing the security impact of any changes.
* Monitoring the system and its environment.
* Developing and updating the SSP.
* Coordinating with and supporting the ISO with security responsibilities.
* Preparing or overseeing the preparation of system security documents and
security activities.
* Developing security policies and procedures that are consistent with IA policies.
* Performing or overseeing remediation activities to maintain the authorization status.
* Assisting the ISO in assembling the security authorization package for submission to
the AO.
* Assisting in the investigation of security incidents.
ISSO
responsible for:
* Monitoring compliance with Federal requirements and IA policies.
* Providing guidance on the implementation of IA policies.
* Providing security and privacy training.
* Investigating system security and privacy incidents.
* Providing support for audits and reviews.
* Managing the vulnerability management program.
IAM
serves as the primary liaison for the CISO to individuals with
security and privacy responsibilities and supports activities at the IAP level.
Information assurance manager (IAM)
coordinates system security tasks and provides
oversight responsibilities to ensure security activities are performed, and serves
as the liaison between the Information System Security Officer (ISSO) and the
Information System Owner (ISO)
information system security manager (ISSM)
responsible for:
* Providing oversight of system security activities performed by the ISSO.
* Acting as the liaison between the IAM and the ISSO.
* Monitoring system compliance with Information Assurance policies and federal
guidance
ISSM
is nominated by the Agency and assists the Contracting Officer (CO)
Contracting officer's representative (COR)
responsible for:
* Acting as a technical liaison between the CO and the contractor.
* Providing technical assistance.
* Performing onboarding and offboarding activities for the contractors assigned to the
contract.
* Ensuring that contractors have the proper background investigations before
accessing information or systems.
* Ensuring that contractors properly maintain information and information systems in
accordance with the IAP.
COR
conducts assessments of the security controls employed within
or inherited by an information system to determine the overall effectiveness
of the controls
security assessment team (SAT)
responsible for:
* Developing a security assessment plan for each subset of security controls
that will be assessed.
* Submitting the security assessment plan for approval prior to conducting the
assessment.
* Conducting the assessment of security controls as defined in the
security assessment plan.
* Providing an assessment of the severity of weaknesses or deficiencies
discovered in the information system.
* Recommending corrective actions to address identified vulnerabilities.
* Preparing the final security assessment report containing the results
and findings from the assessment
SAT
It is a standard onboarding policy for new employees.
AUP
stipulates the constraints and practices that an employee using
organizational IT assets must agree to in order to access the corporate
network or the internet
acceptable use policy (AUP)
outlines the access available to employees with regard to an
organization's data and information systems.
Access control policy (ACP)
items covered in this policy are
standards for user access, network access controls, operating system software
controls and the complexity of corporate passwords.
ACP
Additional supplementary items often outlined include methods for monitoring how
corporate systems are accessed and used; how unattended workstations should be
secured; and how access is removed when an employee leaves the organization.
ACP
An example of this policy that is available for fair use can be found at?
SANS
An excellent example of this policy is available at IAPP
ACP
refers to a formal process for making
changes to IT, software development and security services/operations.
change management policy
The goal of this program is to increase the awareness and understanding of
proposed changes across an organization, and to ensure that all changes are
conducted methodically to minimize any adverse impact on services and customers
Change management policy
typically high-level
policies that can cover a large number of security controls.
information security policy
It is issued by the company to ensure that all employees who use information technology assets within the breadth of the organization, or its networks, comply with its stated rules and guidelines.
information security policy
This policy is designed for employees to recognize that there are rules that they
will be held accountable to with regard to the sensitivity of the corporate
information and IT assets
information security policy
is an organized approach to how the company will manage an
incident and remediate the impact to operations
incident response policy
It’s the one policy CISOs hope to never have to
use.
Incident response policy
the goal of this policy is to describe the process of handling an incident with
respect to limiting the damage to business operations and customers, and reducing
recovery time and costs.
incident response policy
a document which outlines and defines acceptable methods of
remotely connecting to an organization’s internal networks.
remote access policy
This policy is a requirement for organizations
that have dispersed networks with the ability to extend into insecure network locations, such as
the local coffee house or unmanaged home networks
remote access policy
a document that is used to formally outline how
employees can use the business’ chosen electronic communication medium.
email/communication policy
The primary goal of this policy is to provide guidelines to employees on what is
considered the acceptable and unacceptable use of any corporate communication
technology
email/communication policy
generally include both cybersecurity
and IT teams’ input and will be developed as part of the larger business continuity plan
disaster recovery plan
will coordinate efforts across the organization and will
use the disaster recovery plan to restore hardware, applications and data
deemed essential for business continuity
business continuity plan (BCP)
are unique to each
business because they describe how the organization will operate in an
emergency
BCP
it can be as broad as you want it to be, covering everything from IT security
to the security of related physical assets, but it must be enforceable in its full scope.
information assurance policy
the purpose of this policy is to create an overall approach to information security.
information assurance policy
the purpose of this policy is to detect and preempt information security breaches such as misuse of networks, data,
applications, and computer systems
information assurance policy
the purpose of this policy is to maintain the reputation of the organization, and uphold ethical and legal responsibilities.
information assurance policy
the purpose of this policy is to respect customer rights, including how to react to inquiries and complaints about noncompliance.
information assurance policy
What are the three main objectives of information security?
confidentiality
integrity
availability
only individuals with authorization should access data and
information assets
confidentiality
data should be intact, accurate and complete, and IT systems must be kept
operational
integrity
users should be able to access information or systems when needed
availability
a senior manager may have the authority to decide
what data can be shared and with whom.
hierarchical pattern
users are only able to access company networks and servers via unique logins that demand authentication, including
passwords, biometrics, ID cards, or tokens. You should monitor all systems and record all login attempts
network security policy
The policy should classify data into categories, which may include “top
secret”, “secret”, “confidential” and “public”. Your objective in classifying
data is:
* To ensure that sensitive data cannot be accessed by individuals with
lower clearance levels.
* To protect highly important data, and avoid needless security
measures for unimportant data.
read
systems that store personal data, or other sensitive data, must be protected according to organizational standards, best practices, industry compliance standards and relevant regulations. Most security standards require, at a minimum, encryption, a firewall, and antimalware protection
data protection regulations
encrypt data backups according to industry best practices. Securely store backup media, or move backups to secure cloud storage.
Data backup
only transfer data via secure protocols. Encrypt any information copied to portable devices or transmitted across a public network.
movement of data
place a special emphasis on the dangers of social engineering
attacks (such as phishing emails). Make employees responsible for noticing, preventing
and reporting such attacks.
Social engineering
secure laptops with a cable lock. Shred documents that are no
longer needed. Keep printer areas clean so documents do not fall into the wrong hands.
clean desk policy
9 Best Practices for Drafting Information Security Policies
* Information and data classification
* IT operations and administration
* Security incident response plan
* SaaS and cloud policy
* Acceptable use policies (AUPs)
* Identity and access management (IAM) regulations
* Data security policy
* Privacy regulations
* Personal and mobile devices