CAP Intro Flashcards

1
Q

NIST 800-37

A

Risk Management Framework (RMF) - the NIST guide that defines how to perform the security authorization of a federal information system (categorize, select, implement, assess, authorize, monitor)

2
Q

Risk mgmt vs Security Compliance

A

Risk mgmt - the program and processes for managing risks to operations, assets, individuals, and other organizations that result from operating an information system; it includes:

  • Conduct of a risk assessment
  • Implementation of a risk mitigation strategy
  • Employment of techniques and procedures for the continuous monitoring of security controls

Compliance - conformance to the standards and requirements the organization is obligated to follow; a compliant system is not necessarily a low-risk one, so compliance is an input to risk management, not a substitute for it

3
Q

Information security

A

protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability (CIA)

4
Q

CIA

A

Confidentiality - only authorized people have access to the information

Integrity - data is not modified or destroyed except by those authorized; includes authenticity (the data, and the party that produced it, are what they claim to be) and non-repudiation

Availability - ability to access and use the information when needed

5
Q

Security Controls Assessment

A

testing the controls (management, operational, and technical) to determine the extent to which they are implemented correctly, operating as intended, and producing the desired outcome with respect to the system's security requirements

6
Q

Authorization

A

the official management decision, made by a senior official (the Authorizing Official), to authorize operation of an information system and explicitly accept the risk to agency operations, assets, and individuals based on the implementation of an agreed-upon set of security controls

7
Q

Reciprocity

A

mutual agreement among participating organizations to accept each other's security assessments in order to reuse information system resources and/or accept each other's assessed security posture, rather than re-assessing the same system

8
Q

Information System

A

a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information

9
Q

GSS

A

general support system - an interconnected set of information resources under the same direct management control that shares common functionality. It includes hardware, software, information, data, applications, communications, and people

10
Q

Major Application

A

an application that requires special management attention because of its importance to the agency mission, its high development, operating, or maintenance costs, or the risk and magnitude of harm from loss, misuse, or unauthorized access to or modification of its information; it gets its own security plan and authorization

11
Q

Minor Application

A

a lower-risk application that does not warrant its own authorization; loss of it is not devastating to the mission, and it is typically covered by the security plan and controls of the GSS that hosts it

12
Q

Threat

A

any circumstance or event with the potential to adversely impact agency operations, assets, or individuals through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service

13
Q

Vulnerability

A

a weakness in an information system, its security procedures, internal controls, or implementation that could be exploited by a threat source

14
Q

Risk

A

the extent to which operations, assets, or individuals are threatened by a potential event; a function of (1) the adverse impact that would result if the threat were realized and (2) the likelihood that it occurs. Impact alone is not risk: a high-impact event with near-zero likelihood may be a lower risk than a moderate-impact event that happens often

15
Q

Risk Assessment

A

the process of identifying risks to operations, assets, or individuals by determining the likelihood of occurrence, the resulting impact, and the additional controls that would reduce that impact or likelihood

16
Q

Adequate Security

A

security commensurate with the risk and magnitude of harm that would result from loss, misuse, or unauthorized access to or modification of the information. It is neither overbearing (spending more on controls than the protected information is worth) nor insufficient; the controls are proportional to the risk

17
Q

Authorization Boundary

A

the size and scope of the system being protected - all components of the information system to be authorized by the Authorizing Official (AO). Everything inside the boundary is assessed and covered by the authorization; everything outside it is an interconnection or external service

18
Q

Types of systems (3)

A

1) Subsystem - a smaller, separately identifiable part of a larger information system
2) Dynamic Subsystem - a subsystem that is not continually present during the execution phase of the system (it joins and leaves while the system operates, e.g. a service or device that connects on demand)
3) External Subsystem - a subsystem outside the organization's direct control (e.g. an outsourced call center, a cloud computing service); its controls are covered by agreements rather than by the organization's own implementation

19
Q

Information Types

A

different types of information need different levels of protection; each information type is assigned a potential impact level (Low, Moderate, or High) for each of confidentiality, integrity, and availability

*High water mark - the system is categorized, and protected, at the highest impact level found among all of its information types across all three objectives; one High information type makes the whole system High
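
The high water mark rule in working form, as an added example that is not part of the original flashcards: each information type carries a provisional Low/Moderate/High level per objective (with "N/A" permitted only for the confidentiality of public information), the system's security category is the per-objective maximum, and the overall impact level is the maximum of those three. The information types and levels below are constructed for illustration, not taken from any NIST catalog.

```python
# Added example: FIPS 199 security categorization and the FIPS 200
# "high water mark" for a system that handles several information types.
# Information types and impact levels are constructed for illustration.

LEVELS = {"N/A": 0, "Low": 1, "Moderate": 2, "High": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample input: provisional impact levels per information type.
SAMPLE_INFORMATION_TYPES = {
    "public web content": {
        "confidentiality": "N/A", "integrity": "Moderate", "availability": "Low"},
    "personnel records": {
        "confidentiality": "Moderate", "integrity": "Moderate", "availability": "Low"},
    "benefit payment processing": {
        "confidentiality": "Moderate", "integrity": "High", "availability": "Moderate"},
}


def validate(info_types):
    """Reject levels FIPS 199 does not allow: unknown names, missing
    objectives, or N/A on anything other than confidentiality."""
    for name, levels in info_types.items():
        for objective in OBJECTIVES:
            level = levels.get(objective)
            if level not in LEVELS:
                raise ValueError(f"{name}: invalid {objective} level {level!r}")
            if level == "N/A" and objective != "confidentiality":
                raise ValueError(f"{name}: {objective} may not be N/A")


def security_category(info_types):
    """Per-objective high water mark across all information types.

    Returns {objective: level}, i.e. the system's FIPS 199 security category
    SC = {(confidentiality, x), (integrity, y), (availability, z)}.
    """
    validate(info_types)
    category = {}
    for objective in OBJECTIVES:
        highest = max(LEVELS[levels[objective]] for levels in info_types.values())
        category[objective] = NAMES[highest]
    return category


def system_impact_level(info_types):
    """Overall system impact level (FIPS 200): the highest of the three
    objectives in the security category. This is the level that selects
    the baseline set of security controls for the whole system."""
    category = security_category(info_types)
    return NAMES[max(LEVELS[level] for level in category.values())]


def format_category(info_types):
    """Render the category in the FIPS 199 notation."""
    c = security_category(info_types)
    return "SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}" % (
        c["confidentiality"], c["integrity"], c["availability"])


if __name__ == "__main__":
    print(format_category(SAMPLE_INFORMATION_TYPES))
    print("System impact level:", system_impact_level(SAMPLE_INFORMATION_TYPES))
```

For the constructed input the category comes out as confidentiality Moderate, integrity High, availability Moderate, so the system is a High system: the single High integrity requirement of the payment-processing type pulls the baseline for every component inside the authorization boundary up to High, which is the practical reason systems are often split into separate authorization boundaries.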

20
Q

Security Controls (3)

A

Management, Operational, and Technical controls prescribed for a system to protect the CIA of the system and its information

1) Management - policies, planning, and risk management; how the organization decides things will be done
2) Operational - processes and procedures; controls primarily implemented and executed by people rather than systems
3) Technical - controls implemented and executed by the system itself through hardware, software, and firmware

*These three classes come from NIST SP 800-53 Rev 3 and earlier; Rev 4 and later drop the class labels and organize controls by family only