Ch. 1 - Prepare Flashcards
Definition
Security protection commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification or destruction of information. This includes ensuring that information hosted on behalf of an agency and information systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity and availability protections through the application of cost-effective security controls.
A. Security Category
B. Information Security
C. Adequate Security
D. Security Controls
C. Adequate Security
Definition
The process an organization employs to assign security or privacy requirements to an information system or its environment of operation; or to assign controls to specific system elements responsible for providing a security or privacy capability (Ex: router, server, remote sensor).
A. Allocation
B. Authorization Boundary
C. Organization
D. Confidentiality
A. Allocation
Definition
The individual, group or organization responsible for conducting a security or privacy assessment.
A. Adequate Security
B. Assessor
C. Confidentiality
D. Privacy Architect
B. Assessor
Definition
System and subsystem components that must be protected, including but not limited to: all hardware, software, data, personnel, supporting physical environment and environmental systems, administrative support and supplies.
A. Authorization Boundary
B. Asset
C. Enterprise
D. Risk
B. Asset
All components of an information system to be authorized for operation by an authorizing official. This excludes separately authorized systems to which the information system is connected.
A. Authorization Boundary
B. System Component
C. Authorizing Official (AO)
D. System Boundary
A. Authorization Boundary
A senior federal official or executive with the authority to authorize (assume responsibility for) the operation of an information system or the use of a designated set of common controls at an acceptable level of risk to agency operations (including mission, functions, image or reputation), agency assets, individuals, other organizations and the nation.
A. Authorizing Official
B. Organization
C. Risk Executive (Function)
D. Authorizing Official Designated Representative (AO DR)
A. Authorizing Official (AO)
An organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with the authorization process.
A. Authorizing Official (AO)
B. Authorizing Official Designated Representative (AO DR)
C. System Boundary
D. Either the AO or the AO DR
A. Authorizing Official Designated Representative (AO DR)
Definition
A combination of mutually reinforcing controls implemented by technical means, physical means and procedural means. Such controls are typically selected to achieve a common information security or privacy purpose.
A. Vulnerability
B. Capability
C. Integrity
D. Availability
B. Capability
The senior official that provides advice and other assistance to the head of the agency and other senior management personnel of the agency to ensure that IT is acquired and information resources are managed for the agency in a manner that achieves the agency’s strategic goals and information resources management goals; and is responsible for ensuring agency compliance with, and prompt, efficient, and effective implementation of, the information policies and information resources management responsibilities including the reduction of information collection burdens on the public.
A. Senior Agency Official for Privacy
B. Authorizing Official (AO)
C. Project Manager
D. Chief Information Officer (CIO)
D. Chief Information Officer (CIO)
Definition
A software program hosted by an information system.
A. Application
B. Information
C. Enterprise
D. Organization
A. Application
Definition
Ensuring timely and reliable access to and use of information.
A. Confidentiality
B. Integrity
C. Assessor
D. Availability
D. Availability
See Senior Agency Information Security Officer.
A. System Boundary
B. Chief Information Security Officer (CISO)
C. Designated Approval Authority (DAA)
D. Senior Agency Official for Privacy
B. Chief Information Security Officer (CISO)
A security or privacy control that is inherited by multiple information systems or programs.
A. Continuous Monitoring
B. Common Control (CC)
C. Information Owner or Steward
D. Residual Risk
B. Common Control (CC)
An organizational official responsible for the development, implementation, assessment and monitoring of common controls (i.e., controls inheritable by organizational systems).
A. Information Owner
B. Control Assessor
C. Risk Executive (Function)
D. Common Control Provider (CCP)
D. Common Control Provider (CCP)
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
A. Confidentiality
B. Allocation
C. Availability
D. Integrity
A. Confidentiality
Maintaining ongoing awareness to support organizational risk decisions.
A. Risk Mitigation
B. Continuous Monitoring
C. Residual Risk
D. Security Certification
B. Continuous Monitoring
A program established to collect information in accordance with preestablished metrics, utilizing information readily available in part through implemented security controls. Note: Privacy and security continuous monitoring strategies and programs can be the same or different strategies and programs.
A. Privacy Requirement
B. Information Life Cycle
C. Continuous Monitoring Program
D. Privacy Plan
C. Continuous Monitoring Program
An organizational official responsible for the development, implementation, assessment and monitoring of common controls (i.e., controls inheritable by organizational systems).
A. Risk Executive (Function)
B. Common Control Provider (CCP)
C. Information Owner
D. Control Assessor
B. Common Control Provider (CCP)
See security control and privacy control.
A. Vulnerability
B. Integrity
C. Security Objective
D. Control
D. Control
The individual, group or organization responsible for conducting a control assessment. See assessor.
A. System Security Officer
B. Privacy Control
C. Control Assessor
D. Security Risk
C. Control Assessor
An organization with a defined mission/goal and a defined boundary, using systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, human resources, financial management, security, as well as systems, information and mission management. See organization.
A. Management Information
B. Organization
C. Application
D. Enterprise
D. Enterprise
A strategic information asset base, which defines the mission; the information necessary to perform the mission; the technologies necessary to perform the mission; and the transitional processes for implementing new technologies in response to changing mission needs; and includes a baseline architecture; a target architecture; and a sequencing plan.
A. Information Security Architecture
B. Allocation
C. Enterprise Architecture
D. Security Requirement
C. Enterprise Architecture
The physical surroundings in which an information system processes, stores and transmits information.
A. Environment of Operation
B. Enterprise Architecture
C. Information
D. Security Controls
A. Environment of Operation
A business-based framework for government-wide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented and market-based.
A. System Boundary
B. Federal Information System
C. Federal Enterprise Architecture (FEA)
D. The Open Group Architecture Framework (TOGAF)
C. Federal Enterprise Architecture (FEA)
An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
A. Federal Information System
B. System Component
C. Information Owner
D. Information Security Management System (ISMS)
A. Federal Information System
With respect to security, the effect on organizational operations, organizational assets, individuals, other organizations or the nation (including the national security interests of the United States) of a loss of confidentiality, integrity, or availability of information or a system. With respect to privacy, the adverse effects that individuals could experience when an information system processes their PII.
A. Threat
B. Vulnerability
C. Impact
D. Risk
C. Impact
Any communication or representation of knowledge such as facts, data or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, electronic or audiovisual forms.
A. Application
B. Information
C. Organization
D. Control
B. Information
The stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage and disposition, to include destruction and deletion. “Life cycle” typically appears as two words in NIST publications, but as one word in ISO standards.
A. Impact Assessment
B. Information Steward
C. Information Life Cycle
D. Term of Agreement
C. Information Life Cycle
Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination and disposal.
A. Information Owner
B. Authorizing Official (AO)
C. Confidentiality
D. Senior Agency Official for Privacy
A. Information Owner
See Information Owner and Information Steward.
A. Information Owner or Steward
B. Information Security
C. Mission or Business Owner
D. Security or Privacy Architect
A. Information Owner or Steward