CAP Intro

Question 1

NIST 800-37

Answer 1

Risk Management Framework - defining how to perform the Security Authorization of a Federal Information System

Question 2

Risk mgmt vs Security Compliance

Answer 2

Risk mgmt - management of risks to operations, assets, individuals, other organizations, resulting from operation of system and includes:

• Conduct of Risk Assessment
• Implementation of risk mitigation strategy
• Employment of techniques and procedures for the continuous monitoring of security controls

Compliance - standards that need to be followed

Question 3

Information security

Answer 3

protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide CIA

Question 4

CIA

Answer 4

Confidentiality - only authorized people have access

Integrity - unmodified data except by those authorized, you are who you say you are

Availability - ability to use information when needed

Question 5

Security Controls Assessment

Answer 5

testing controls (management, operational, and technical) to ensure they are implemented correctly

Question 6

Authorization

Answer 6

management decisions to authorize operation of information system and explicitly accept the risk to agency operations

Question 7

Reciprocity

Answer 7

mutual agreement among organizations to accept each other’s security assessments in order to reuse resources

Question 8

Information System

Answer 8

a set of resources organized for collection, processing, maintenance, use, sharing of information

Question 9

GSS

Answer 9

general support system - an interconnected set of resources under the same direct mgmt control that shares common functionality. It includes hw, sw, information, data, applications, people

Question 10

Major Application

Answer 10

system that requires special management attention b/c of its importance to agency mission, it may have high development, operating, or maintenance costs

Question 11

Minor Application

Answer 11

low risk, not devastating if system went down

Question 12

Threat

Answer 12

event with potential impact to agency operations, assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or DoS

Question 13

Vulnerability

Answer 13

weakness in IS, procedures, controls, or implementation

Question 14

Risk

Answer 14

level of impact on operations, assets, or individuals resulting from threat

Question 15

Risk Assessment

Answer 15

process of identifying risks to operations, assets, or individuals by determining the probability of occurrence, the resulting impact, and additional controls that would mitigate this impact

Question 16

Adequate Security

Answer 16

security that isn’t overbearing, where you’re spending too much money for too much security. it is security that is equal with the possible risks and harm

Question 17

Authorization Boundary

Answer 17

size and scope of the system we’re trying to protect - all components of IS to be authorized by AO

Question 18

Types of systems (3)

Answer 18

1) Subsystem - a smaller part of major information system
2) Dynamic Subsystem - not continually present during execution phase (always changing)
3) External Subsystem - system outside of direct control (i.e. call center, cloud computing)

Question 19

Information Types

Answer 19

different types of information needs different levels of protection, they all have different levels of impact

*High water mark - system is protected at the information type with the most impact

Question 20

Security Controls (3)

Answer 20

Management, Operational, Technical controls prescribed to a system to protect the CIA of the system and its information

1) Management - Policies, how we’re going to do things, management of risk
2) Operational - processes, controls primarily implemented and executed by people
3) Technical - controls implemented and executed by the system through HW SW FW