CAP Intro Flashcards
NIST 800-37
Risk Management Framework - defining how to perform the Security Authorization of a Federal Information System
Risk mgmt vs Security Compliance
Risk mgmt - management of risks to operations, assets, individuals, other organizations, resulting from operation of system and includes:
- Conduct of Risk Assessment
- Implementation of risk mitigation strategy
- Employment of techniques and procedures for the continuous monitoring of security controls
Compliance - standards that need to be followed
Information security
protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide CIA
CIA
Confidentiality - only authorized people have access
Integrity - data is not modified or destroyed except by those authorized; in NIST usage it also covers authenticity and non-repudiation (the data really came from who it claims to)
Availability - ability to use information when needed
Security Controls Assessment
testing controls (management, operational, and technical) to determine whether they are implemented correctly, operating as intended, and producing the desired outcome with respect to the system's security requirements
Authorization
official management decision by a senior official to authorize operation of an information system and to explicitly accept the risk to agency operations, assets, and individuals based on the implemented controls
Reciprocity
mutual agreement among organizations to accept each other’s security assessments in order to reuse resources
Information System
a set of resources organized for collection, processing, maintenance, use, sharing of information
GSS
general support system - an interconnected set of resources under the same direct mgmt control that shares common functionality. It includes hw, sw, information, data, applications, people
Major Application
system that requires special management attention b/c of its importance to agency mission, it may have high development, operating, or maintenance costs
Minor Application
low-risk application that does not require its own authorization; it inherits controls from (and is covered by the authorization of) the GSS or major application it runs within, and its loss would not be devastating to the mission
Threat
any circumstance or event with potential adverse impact to agency operations, assets, or individuals through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or DoS
Vulnerability
weakness in an IS, system security procedures, internal controls, or implementation that could be exploited by a threat source
Risk
measure of the exposure of operations, assets, or individuals to a threat; a function of both the impact if the threat event occurs and the likelihood that it occurs (impact alone is not risk)
Risk Assessment
process of identifying risks to operations, assets, or individuals by determining the probability of occurrence, the resulting impact, and additional controls that would mitigate this impact