CAP Intro Flashcards
NIST 800-37
Risk Management Framework - defines how to perform the security authorization of a federal information system
Risk mgmt vs Security Compliance
Risk management - the management of risks to operations, assets, individuals, and other organizations resulting from the operation of an information system; it includes:
- Conduct of a risk assessment
- Implementation of a risk mitigation strategy
- Employment of techniques and procedures for the continuous monitoring of security controls
Compliance - standards that must be followed
Information security
protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability (CIA)
CIA
Confidentiality - only authorized people have access
Integrity - data is not modified except by those authorized; you are who you say you are
Availability - the ability to use information when it is needed
Security Controls Assessment
testing controls (management, operational, and technical) to ensure they are implemented correctly
Authorization
management decision to authorize operation of an information system and explicitly accept the risk to agency operations
Reciprocity
mutual agreement among organizations to accept each other’s security assessments in order to reuse resources
Information System
a set of resources organized for the collection, processing, maintenance, use, and sharing of information
GSS
general support system - an interconnected set of resources under the same direct management control that shares common functionality. It includes hardware, software, information, data, applications, and people
Major Application
system that requires special management attention because of its importance to the agency mission; it may have high development, operating, or maintenance costs
Minor Application
low risk; not devastating if the system went down
Threat
event with potential impact to agency operations, assets, or individuals through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service (DoS)
Vulnerability
weakness in an information system, its procedures, controls, or implementation
Risk
level of impact on operations, assets, or individuals resulting from a threat
Risk Assessment
process of identifying risks to operations, assets, or individuals by determining the probability of occurrence, the resulting impact, and the additional controls that would mitigate that impact
Adequate Security
security that is not overbearing, i.e., not spending too much money for too much security; it is security commensurate with the possible risks and harm
Authorization Boundary
size and scope of the system we are trying to protect - all components of the information system to be authorized by the Authorizing Official (AO)
Types of systems (3)
1) Subsystem - a smaller part of a major information system
2) Dynamic Subsystem - not continually present during the execution phase (always changing)
3) External Subsystem - a system outside of direct control (e.g., a call center, cloud computing)
Information Types
different types of information need different levels of protection; each has a different level of impact
*High water mark - the system is protected at the level of the information type with the highest impact
Security Controls (3)
Management, operational, and technical controls prescribed for a system to protect the CIA of the system and its information
1) Management - policies, how we are going to do things, management of risk
2) Operational - processes; controls primarily implemented and executed by people
3) Technical - controls implemented and executed by the system through hardware, software, and firmware