Chapter 2 Flashcards

(172 cards)

1
Q

Formal declaration by a designated accrediting authority (DAA) or principal accrediting authority (PAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.

A

Accreditation

2
Q

Identifies the information resources covered by an accreditation decision, as distinguished from separately accredited information resources that are interconnected or with which information is exchanged via messaging.

A

Accreditation Boundary

3
Q

For the purposes of identifying the protection level for confidentiality of a system to be accredited, the system has a conceptual boundary that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system.

A

Accreditation Boundary

4
Q

Product comprised of a system security plan (SSP) and a report documenting the basis for the accreditation decision.

A

Accreditation Package

5
Q

The designated accrediting authority (DAA)

A

Accrediting Authority

6
Q

An attack on the authentication protocol where the attacker transmits data to a claimant, credential service provider, verifier, or relying party.

A

Active Attack

7
Q

Examples of this attack include MitM, impersonation, and session hijacking.

A

Active Attack

8
Q

An adversary with sophisticated levels of expertise and significant resources who is able to use multiple different attack vectors (e.g., cyber, physical, and deception) to achieve its objectives.

A

APT

9
Q

Its objectives are typically to establish and extend footholds within the information technology infrastructure of organizations in order to continually exfiltrate information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future.

A

APT

10
Q

Pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.

A

APT

11
Q

Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.

A

Adversary

12
Q

Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.

A

Attack

13
Q

A branching hierarchical data structure that represents a set of potential approaches to achieving an event in which system security is penetrated or compromised in a specific way.

A

Attack Tree

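The attack tree of card 13 is a data structure you can evaluate, not just draw: leaves are attacker steps, OR nodes mean any one child achieves the parent, AND nodes require every child. The example below is added here as an illustration and is not part of the flashcards or of any NIST publication; the tree, the leaf costs (attacker effort in arbitrary units), and the countermeasure are constructed. It computes the cheapest path to the root goal and then shows how removing one leaf with a countermeasure pushes the attacker onto the next-cheapest branch, which is the kind of adaptation card 168 calls threat shifting.

```python
"""Attack tree evaluation: AND/OR nodes, the cheapest attack path, and how a
countermeasure changes it.

Added illustrative example, not from the flashcards. The tree, the leaf
costs (attacker effort in arbitrary units) and the countermeasure are
constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "LEAF"        # LEAF: an attacker step; OR: any child suffices; AND: all children needed
    cost: float = 0.0         # effort for a LEAF; ignored for OR/AND nodes
    children: List["Node"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.kind not in ("LEAF", "OR", "AND"):
            raise ValueError(f"unknown node kind {self.kind!r}")
        if self.kind != "LEAF" and not self.children:
            raise ValueError(f"{self.kind} node {self.name!r} needs children")


def min_cost(node: Node, disabled: FrozenSet[str] = frozenset()) -> float:
    """Cheapest effort to achieve `node`.

    Leaves named in `disabled` are steps a countermeasure has removed; they cost
    INF, which propagates through AND nodes and is skipped by OR nodes.
    """
    if node.kind == "LEAF":
        return INF if node.name in disabled else node.cost
    costs = [min_cost(child, disabled) for child in node.children]
    return min(costs) if node.kind == "OR" else sum(costs)


def cheapest_path(node: Node, disabled: FrozenSet[str] = frozenset()) -> Optional[List[str]]:
    """Leaf steps on the cheapest path to the goal, or None if the goal is unreachable."""
    if min_cost(node, disabled) == INF:
        return None
    if node.kind == "LEAF":
        return [node.name]
    if node.kind == "OR":
        best = min(node.children, key=lambda child: min_cost(child, disabled))
        return cheapest_path(best, disabled)
    steps: List[str] = []
    for child in node.children:          # AND: every child is on the path
        sub = cheapest_path(child, disabled)
        assert sub is not None           # guaranteed: the AND node itself was reachable
        steps.extend(sub)
    return steps


def render(node: Node, depth: int = 0) -> str:
    """Indented text view of the tree with the minimum cost at each node."""
    lines = ["  " * depth + f"{node.name} [{node.kind}, cost={min_cost(node):g}]"]
    for child in node.children:
        lines.append(render(child, depth + 1))
    return "\n".join(lines)


# Constructed sample tree: three ways to reach the goal, two of them multi-step.
GOAL = Node("Read the customer database", "OR", children=[
    Node("Steal DBA credentials", "AND", children=[
        Node("Phish the DBA", cost=3),
        Node("Bypass MFA", cost=8),
    ]),
    Node("Exploit the web application", "AND", children=[
        Node("Find SQL injection", cost=5),
        Node("Exfiltrate via the application", cost=2),
    ]),
    Node("Steal backup tapes from off-site storage", cost=20),
])

if __name__ == "__main__":
    print(render(GOAL))
    print("cheapest path:", cheapest_path(GOAL), "cost", min_cost(GOAL))
    # Countermeasure (assumed): parameterized queries remove the SQL injection step.
    fixed = frozenset({"Find SQL injection"})
    print("after countermeasure:", cheapest_path(GOAL, fixed), "cost", min_cost(GOAL, fixed))
```

Evaluating the tree before and after a proposed control gives a concrete, comparable number for the risk response decision: here the control raises the attacker's cheapest effort from 7 to 11 rather than eliminating the goal, because the credential-theft branch remains.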
14
Q

Ensuring timely and reliable access to and use of information.

A

Availability

15
Q

Timely, reliable access to data and information services for authorized users.

A

Availability

16
Q

The group responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers.

A

Blue Team

17
Q

Must defend against real or simulated attacks (i) over a significant period of time, (ii) in a representative operational context (e.g., as part of an operational exercise), and (iii) according to rules established and monitored with the help of a neutral group refereeing the simulation or exercise.

A

Blue Team

18
Q

A security control that is inherited by one or more organizational information systems.

A

Common Control

19
Q

An organizational official responsible for the development, implementation, assessment, and monitoring of common controls.

A

Common Control Provider

20
Q

The security controls employed in lieu of the recommended controls in the security control baselines described in NIST SP 800-53 and CNSS Instruction 1253 that provide equivalent or comparable protection for an information system or organization.

A

Compensating Security Control

21
Q

Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.

A

Compromise

22
Q

Disclosure of classified data to persons not authorized to receive that data.

A

Compromise

23
Q

A violation of the security policy of a system such that an unauthorized disclosure, modification, or destruction of sensitive information has occurred.

A

Compromise

24
Q

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

A

Confidentiality

25
Process of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modifications prior to, during, and after system implementation.
Configuration Control
26
Maintaining ongoing awareness to support organizational risk decisions.
Continuous Monitoring
27
Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system.
Countermeasures
28
A time-phased or situation-dependent combination of risk response measures.
Course of Action (COA)
29
Actions taken through the use of an information system or network that result in an actual or potentially adverse effect on an information system, network, and/or the information residing therein.
Cyber Incident
30
The prevention of authorized access to resources or the delaying of time-critical operations.
Denial of Service (DOS)
31
An organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risk and performance.
Enterprise
32
May consist of all or some of the following business aspects: acquisition, program management, financial management, human resources, security, and information systems, information, and mission management.
Enterprise
33
A strategic asset baseline that defines the mission, the information necessary to perform the mission, and the transitional process for implementing new technologies in response to changing mission needs.
Enterprise Architecture (EA)
34
Includes a baseline architecture, target architecture, and sequencing plan.
Enterprise Architecture
35
The methods and processes used by an enterprise to manage risks to its mission and to establish the trust necessary for the enterprise to support shared missions.
Enterprise Risk Management
36
Involves the identification of mission dependencies on enterprise capabilities, the identification and prioritization of risks due to defined threats, the implementation of countermeasures to provide both a static risk posture and an effective dynamic response to active threats; and it assesses enterprise performance against threats and adjusts countermeasures as necessary.
Enterprise Risk Management
37
An observable occurrence in a network or system.
Event
38
Unauthorized user who attempts or gains access to an information system.
Hacker
39
The loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, or the national security interests of the Nation.
High Impact
40
Causes one or more of the following: (i) a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions, (ii) major damage to organizational assets, (iii) major financial loss, or (iv) severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
High Impact
41
An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS PUB 199 potential impact value of high.
High-impact System
42
The effect on organizational operations, organizational assets, individuals, other organizations, or the Nation of a loss of confidentiality, integrity, or availability of information or an information system.
Impact
43
The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, unauthorized modification, unauthorized destruction, or loss of information or information system availability.
Impact Level
44
An occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Incident
45
The mitigation of violations of security policies and recommended practices.
Incident Handling
46
The mitigation of violations of security policies and recommended practices.
Incident Response
47
Facts and ideas, which can be represented (encoded) as various forms of data.
Information
48
Knowledge--e.g., data, instructions--in any medium or form that can be communicated between system entities.
Information
49
Protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Information Security
50
A process to: (i) define an ISCM strategy, (ii) establish an ISCM program, (iii) implement an ISCM program, (iv) analyze data and report findings, (v) respond to findings, and (vi) review and update the ISCM strategy and program.
Information Security Continuous Monitoring (ISCM) Process
51
The risk to organizational operations, organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.
Information Security Risk
52
A qualitative measure of the importance of the information based upon factors such as the level of robustness of the information assurance (IA) controls allocated to the protection of information.
Information Value
53
A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or resource without having authorization to do so.
Intrusion
54
Causes one or more of the following: (i) a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced, (ii) minor damage to organizational assets, (iii) minor financial loss, or (iv) minor harm to individuals.
Low Impact
55
The loss of confidentiality, integrity, or availability that could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, or the national security interests of the Nation.
Low Impact
56
Elements of organizations describing mission areas, common/shared business services, and organization-wide services.
Mission/Business Segment
57
Can be identified with one or more information systems that collectively support a mission/business process.
Mission/Business Segment
58
Causes one or more of the following: (i) a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced, (ii) significant damage to organizational assets, (iii) significant financial loss, or (iv) significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
Moderate Impact
59
The loss of confidentiality, integrity, or availability that could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, or the national security interests of the Nation.
Moderate Impact
60
An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS PUB 199 potential impact value of moderate and no security objective is assigned a FIPS PUB 199 potential impact value of high.
Moderate-impact System
61
An attack that does not alter systems or data.
Passive Attack
62
The loss of confidentiality, integrity, or availability that could be expected to have a limited (low), serious (moderate), or a severe or catastrophic (high) adverse effect on organizational operations, organizational assets, or individuals.
Potential Impact
63
A right granted to an individual, program, or process.
Privilege
64
A group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture.
Red Team
65
Objective is to improve enterprise cybersecurity by demonstrating the impacts of successful attacks and by demonstrating what works for defenders (i.e., the Blue Team) in an operational environment.
Red Team
66
The act of mitigating a vulnerability or a threat.
Remediation
67
Portion of risk remaining after security measures have been applied.
Residual Risk
68
A measure of the extent to which an entity is threatened by a potential circumstance or event.
Risk
69
A function of: (i) the adverse impacts that would arise if the circumstance or event occurs, and (ii) the likelihood of occurrence.
Risk
70
The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation that would result from the operation of an information system.
Risk Assessment
71
Incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.
Risk Assessment
72
Report that contains the results of performing a risk assessment or the formal output from the process of assessing risk.
Risk Assessment Report (RAR)
73
The individual, group, or organization responsible for conducting a risk assessment.
Risk Assessor
74
An individual or group within an organization that helps to ensure that (i) security risk-related considerations for individual information systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and (ii) risk management for individual information systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success.
Risk Executive (Function)
75
The program and supporting processes to manage information security risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
Risk Management
76
Includes (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time.
Risk Management
77
A structured approach used to oversee and manage risk for an enterprise.
Risk Management Framework (RMF)
78
Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended for the risk management process.
Risk Mitigation
79
Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations, organizational assets, individuals, other organizations, or the Nation.
Risk Response
80
The level of risk an entity is willing to assume in order to achieve a potential desired result.
Risk Tolerance
81
Provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting identified vulnerabilities in the security controls.
Security Assessment Report (SAR)
82
Documents the results of the security control assessment and provides the authorizing official with essential information needed to make a risk-based decision on whether to authorize operation of an information system or a designated set of common controls.
Security Authorization Package
83
Contains: (i) the security plan; (ii) the security assessment report (SAR); and (iii) the plan of action and milestones.
Security Authorization Package
84
The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the Nation.
Security Category
85
The process of determining the security category for information or an information system.
Security Categorization
86
Methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS PUB 199 for other than national security systems.
Security Categorization
87
Formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements.
Security Plan
88
A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection.
Sensitivity
89
Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.
System Security Plan (SSP)
90
Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Threat
91
Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat.
Threat Assessment
92
The intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a vulnerability.
Threat Source
93
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
Vulnerability
94
Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data to help predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
Vulnerability Assessment
95
Risk that occurs at a strategic level.
Organizational Risk
96
Organization-wide information security programs, policies, procedures, and guidance.
Organizational Risk Example
97
The types of appropriate risk countermeasures.
Organizational Risk Example
98
Investment decisions for information technologies/systems.
Organizational Risk Example
99
Procurements
Organizational Risk Example
100
Minimum organization-wide security controls.
Organizational Risk Example
101
Conformance to enterprise/security architectures.
Organizational Risk Example
102
Monitoring strategies and ongoing authorizations of information systems and common controls.
Organizational Risk Example
103
An example of common organization-wide documentation; the security policies and procedures for an organization.
Dash-1 Security Controls
104
Provides a repeatable process designed to promote the protection of information and information systems commensurate with risk.
Risk Management Framework (RMF)
105
Emphasizes organization-wide preparation necessary to manage security and privacy risks.
Risk Management Framework (RMF)
106
Facilitates the categorization of information and systems, the selection, implementation, assessment, and monitoring of controls, and the authorization of information systems and common controls.
Risk Management Framework (RMF)
107
Promotes the use of automation for near real-time risk management and ongoing system and control authorization through the implementation of continuous monitoring processes.
Risk Management Framework (RMF)
108
Encourages the use of correct and timely metrics to provide senior leaders and managers with the necessary information to make cost-effective, risk-based decisions for information systems supporting their missions and business functions.
Risk Management Framework (RMF)
109
Facilitates the integration of security and privacy requirements and controls into enterprise architecture, SDLC, acquisition processes, and system engineering processes.
Risk Management Framework (RMF)
110
Connects risk management processes at the organization and mission or business process levels to risk management processes at the information system level through a senior accountable official for risk management and a risk executive function.
Risk Management Framework (RMF)
111
Establishes responsibility and accountability for controls implemented within information systems and inherited by those systems.
Risk Management Framework (RMF)
112
Steps include: (i) prepare, (ii) categorize, (iii) select, (iv) implement, (v) assess, (vi) authorize, and (vii) monitor.
RMF
113
Establishes the scope of protection for an information system.
Authorization Boundary
114
Security and privacy requirements and risks identified by the organization lead to the need for security and privacy controls to respond to the risk.
Derived Requirements
115
Commonly addressed by putting in place organization-wide or company-wide security policies, processes, and standard operating procedures.
Organizational Risk
116
The security-relevant risk for a particular business unit within an organization.
Mission and Business Risk
117
Design decisions: (i) selection, tailoring, and supplementation of security controls, and (ii) selection of information technology products for organizational information systems.
Information System Risk Example
118
Implementation decisions: whether specific information technology products or product configurations meet security control requirements.
Information System Risk Example
119
Operational decisions: (i) level of monitoring activity, and (ii) frequency of ongoing information system authorizations.
Information System Risk Example
120
The characteristics of the system are described and documented.
RMF Categorize Task
121
A security categorization of the system, including the information processed by the system represented by the organization-identified information types, is completed.
RMF Categorize Task
122
The security categorization results are reviewed, and the categorization decision is approved by senior leaders in the organization.
RMF Categorize Task
123
{(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, and HIGH.
System Categorization
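Cards 41, 54 to 62 and 123 together define a small algorithm: each information type gets a security category over the three objectives, and the system's category takes the highest value per objective across all of its information types (the FIPS 199 high-water mark), after which the system's overall impact level is the highest of its three objective values. The code below is an added example, not part of the flashcards or of NIST's text; the information types and their impact values are constructed. It also handles the two edge cases FIPS 199 spells out: NOT APPLICABLE is allowed only for the confidentiality of an information type, never for integrity, availability, or a system, and a system's values are never below LOW.

```python
"""FIPS 199-style security categorization with the high-water mark.

Added illustrative example; not taken from the flashcards or from NIST.
The information types, their impact values and the sample system are constructed.
"""
from typing import Dict, Iterable

# Ordered from lowest to highest; the tuple index drives the high-water-mark comparison.
IMPACT_LEVELS = ("NOT APPLICABLE", "LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")

SecurityCategory = Dict[str, str]   # e.g. {"confidentiality": "LOW", "integrity": "MODERATE", ...}


def validate(sc: SecurityCategory, *, system: bool = False) -> SecurityCategory:
    """Reject a category that is missing an objective, uses an unknown value, or
    uses NOT APPLICABLE anywhere other than the confidentiality of an information type."""
    missing = set(OBJECTIVES) - set(sc)
    if missing:
        raise ValueError(f"missing objectives: {sorted(missing)}")
    for obj, level in sc.items():
        if obj not in OBJECTIVES:
            raise ValueError(f"unknown objective {obj!r}")
        if level not in IMPACT_LEVELS:
            raise ValueError(f"unknown impact value {level!r} for {obj}")
        if level == "NOT APPLICABLE" and (system or obj != "confidentiality"):
            raise ValueError("NOT APPLICABLE is permitted only for the confidentiality "
                             "of an information type, not for a system")
    return sc


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact value present, compared by position in IMPACT_LEVELS."""
    return max(levels, key=IMPACT_LEVELS.index)


def categorize_system(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """System security category: per objective, the high-water mark over all
    information types the system processes, floored at LOW."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for sc in info_types.values():
        validate(sc)
    return {
        obj: high_water_mark(["LOW"] + [sc[obj] for sc in info_types.values()])
        for obj in OBJECTIVES
    }


def system_impact_level(system_sc: SecurityCategory) -> str:
    """Overall impact level of a system: HIGH if any objective is HIGH, else
    MODERATE if any objective is MODERATE, else LOW (cards 41 and 60)."""
    return high_water_mark(validate(system_sc, system=True).values())


def format_sc(label: str, sc: SecurityCategory) -> str:
    """Render in the set notation of card 123."""
    return (f"SC {label} = {{(confidentiality, {sc['confidentiality']}), "
            f"(integrity, {sc['integrity']}), (availability, {sc['availability']})}}")


# Constructed sample: an HR system processing three information types.
SAMPLE_INFO_TYPES: Dict[str, SecurityCategory] = {
    "personnel records":    {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "public job postings":  {"confidentiality": "NOT APPLICABLE", "integrity": "MODERATE", "availability": "LOW"},
    "payroll disbursement": {"confidentiality": "MODERATE", "integrity": "HIGH", "availability": "MODERATE"},
}

if __name__ == "__main__":
    for name, sc in SAMPLE_INFO_TYPES.items():
        print(format_sc(name, sc))
    system_sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_sc("HR system", system_sc))
    print("overall system impact level:", system_impact_level(system_sc))
```

Note that a single information type with integrity HIGH makes the whole system high-impact, which in turn drives the control baseline selected in the RMF Select step; that is the practical reason categorization is reviewed and approved by senior leaders rather than left to the system owner alone.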
124
Control baseline necessary to protect the system commensurate with risk is selected.
RMF Select Task
125
Controls are tailored producing tailored control baselines.
RMF Select Task
126
Controls are designed as system-specific, hybrid, or common controls and allocated to the specific system elements.
RMF Select Task
127
Controls and associated tailoring actions are documented in security and privacy plans or equivalent documents.
RMF Select Task
128
A continuous monitoring strategy for the system that reflects the organizational risk management strategy is developed.
RMF Select Task
129
Security and privacy plans reflecting the selection of controls necessary to protect the system and the environment of operation commensurate with risk are reviewed and approved by the authorizing official.
RMF Select Task
130
Controls specified in the security and privacy plans are implemented.
RMF Implement Task
131
Changes to the planned implementation of controls are documented and the security and privacy plans are updated based on the changes.
RMF Implement Task
132
An assessor or assessment team (with the appropriate level of independence) is selected to conduct the control assessment.
RMF Assess Task
133
Documentation needed to conduct the assessments is provided to the assessor or assessment team.
RMF Assess Task
134
Control assessment is conducted in accordance with the security and privacy plans.
RMF Assess Task
135
Security and privacy assessment reports that provide findings and recommendations are completed.
RMF Assess Task
136
Remediation actions to address deficiencies in the controls implemented in the system and environment of operation are taken and security and privacy plans are updated to reflect the remediation actions.
RMF Assess Task
137
A plan of action and milestones detailing remediation plans for unacceptable risks identified in security and privacy assessment reports is developed.
RMF Assess Task
138
An authorization package is developed for submission to the authorizing official.
RMF Authorize Task
139
A risk determination by the authorizing official that reflects the risk management strategy including risk tolerance is rendered.
RMF Authorize Task
140
Risk responses for determined risks are provided.
RMF Authorize Task
141
The authorization for the system or the common controls is approved or denied.
RMF Authorize Task
142
Authorization decisions, significant vulnerabilities, and risks are reported to organizational officials.
RMF Authorize Task
143
The information system and environment of operation are monitored in accordance with the continuous monitoring strategy.
RMF Monitor Task
144
Ongoing assessments of control effectiveness are conducted in accordance with the continuous monitoring strategy.
RMF Monitor Task
145
The output of continuous monitoring activities is analyzed and responded to appropriately.
RMF Monitor Task
146
Risk management documents are updated based on continuous monitoring activities.
RMF Monitor Task
147
A process is in place to report the security and privacy posture to the authorizing official and other senior leaders and executives.
RMF Monitor Task
148
A system disposal strategy is developed and implemented as needed.
RMF Monitor Task
149
Frames the environment, or scope, of where the risk is being assessed.
Risk Context
150
Identifies: (i) threats to organizations or threats directed through organizations against other organizations or the Nation, (ii) vulnerabilities internal and external to organizations, (iii) the harm that may occur given the potential for threats exploiting vulnerabilities, and (iv) the likelihood that harm will occur.
Risk Assessment Purpose
151
Includes: (i) frame, (ii) assess, (iii) respond, and (iv) monitor.
Risk Management Process Steps
152
Example of a risk assessment method that combines qualitative and quantitative assessment methods.
Heat Map
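Cards 68 and 69 define risk as a function of impact and likelihood, card 67 defines residual risk, and card 152 names the heat map as a method that mixes qualitative bins with quantitative scores. The code below is an added example and is not part of the flashcards or of NIST SP 800-30; the five-point scales, the product formula, the LOW/MODERATE/HIGH thresholds, and the sample risk register are all constructed for the demonstration. It scores a register, orders it for risk response, renders the heat map as a likelihood by impact grid, and shows the residual risk left after a mitigation lowers a likelihood.

```python
"""Semi-quantitative risk assessment with a heat map.

Added illustrative example, not from the flashcards and not NIST's tables: the
five-point scales, the score thresholds and the sample risk register are
constructed for the demonstration.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Qualitative bins mapped to numeric scores: the semi-quantitative part of the method.
SCALE: Dict[str, int] = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
ORDERED: List[str] = list(SCALE)        # ascending order of the bins


def risk_level(score: int) -> str:
    """Bucket a 1..25 product score; the thresholds are an assumption of this example."""
    if score >= 15:
        return "HIGH"
    if score >= 6:
        return "MODERATE"
    return "LOW"


@dataclass(frozen=True)
class Risk:
    rid: str
    threat_event: str
    likelihood: str     # one of SCALE's keys
    impact: str         # one of SCALE's keys

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if value not in SCALE:
                raise ValueError(f"{value!r} is not one of {ORDERED}")

    def score(self) -> int:
        """Risk as a function of likelihood and impact; here simply their product."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def level(self) -> str:
        return risk_level(self.score())


def prioritize(register: List[Risk]) -> List[Risk]:
    """Order risks for response: highest score first, ties broken by impact, then id."""
    return sorted(register, key=lambda r: (-r.score(), -SCALE[r.impact], r.rid))


def summary(register: List[Risk]) -> Dict[str, int]:
    """Count of risks per level, for reporting to the authorizing official."""
    counts = {"HIGH": 0, "MODERATE": 0, "LOW": 0}
    for r in register:
        counts[r.level()] += 1
    return counts


def heat_map(register: List[Risk]) -> str:
    """Likelihood (rows, highest on top) by impact (columns) grid; each cell lists the
    risk ids that land there and the level that cell maps to."""
    cells: Dict[Tuple[str, str], List[str]] = {(l, i): [] for l in ORDERED for i in ORDERED}
    for r in register:
        cells[(r.likelihood, r.impact)].append(r.rid)
    width = 14
    lines = ["lik \\ imp".ljust(width) + "".join(i.ljust(width) for i in ORDERED)]
    for lik in reversed(ORDERED):
        row = lik.ljust(width)
        for imp in ORDERED:
            ids = ",".join(cells[(lik, imp)]) or "-"
            row += f"{ids} [{risk_level(SCALE[lik] * SCALE[imp])[0]}]".ljust(width)
        lines.append(row)
    return "\n".join(lines)


def respond(risk: Risk, *, likelihood: Optional[str] = None, impact: Optional[str] = None) -> Risk:
    """Model a mitigation that lowers likelihood and/or impact; the result is the residual risk."""
    return replace(risk, likelihood=likelihood or risk.likelihood, impact=impact or risk.impact)


# Constructed sample register.
SAMPLE_REGISTER: List[Risk] = [
    Risk("R1", "Ransomware detonated on file servers", "high", "high"),
    Risk("R2", "Credential theft via phishing", "very high", "moderate"),
    Risk("R3", "Flood at the primary data center", "very low", "very high"),
    Risk("R4", "Public exposure of an object storage bucket", "moderate", "moderate"),
    Risk("R5", "Privileged insider misuse", "low", "high"),
]

if __name__ == "__main__":
    print(heat_map(SAMPLE_REGISTER))
    for r in prioritize(SAMPLE_REGISTER):
        print(r.rid, r.level(), r.score(), r.threat_event)
    print(summary(SAMPLE_REGISTER))
    # Assumed mitigation: offline, tested backups drop ransomware likelihood to "low".
    residual = respond(SAMPLE_REGISTER[0], likelihood="low")
    print("residual:", residual.rid, residual.level(), residual.score())
```

The grid makes the qualitative/quantitative mix visible: R3 (very low likelihood, very high impact) scores 5 and lands in LOW, the same bucket as an event with high likelihood and very low impact, which is exactly the kind of result a risk executive should question before accepting the model's thresholds.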
153
Results are a snapshot in time; they lose accuracy as threats, vulnerabilities, and the environment change, so the assessment must be repeated or maintained.
Risk Assessment
154
The process of identifying, estimating, and prioritizing information security risks.
Risk Assessment
155
Typically includes: (i) a risk assessment process, (ii) an explicit risk model, (iii) an assessment approach, and (iv) an analysis approach.
Risk Assessment Methodology
156
Defines key terms and assessable risk factors and the relationships among factors.
Risk Model
157
Specifies the range of values risk factors can assume during the risk assessment and how combinations of risk factors are identified/analyzed so that values of those factors can be functionally combined to evaluate risk.
Assessment Approach
158
Describes how combinations of risk factors are identified/analyzed to ensure adequate coverage of the problem space at a consistent level of detail.
Analysis Approach
159
Defines the risk factors to be assessed and the relationships among those factors.
Risk Model
160
Documentation includes: (i) identification of risk factors, and (ii) identification of the relationships among risk factors.
Risk Model
161
Include the following: (i) threats, (ii) vulnerabilities, (iii) impact, (iv) likelihood, and (v) predisposing condition.
Risk Factors
162
Hostile cyber or physical attack.
Threat Source
163
Human error of omission or commission.
Threat Source
164
Structural failure of organization-controlled resources.
Threat Source
165
Natural and man-made disasters, accidents, and failures beyond the control of an organization.
Threat Source
166
Can be either: (i) a single event, action, or circumstance; or (ii) sets and/or sequences of actions, activities, and/or circumstances.
Threat Event
167
A set of discrete threat events, attributed to a specific threat source or multiple threat sources, ordered in time, that results in adverse effects.
Threat Scenario
168
The response of adversaries to perceived safeguards and/or countermeasures (i.e., security controls), in which adversaries change some characteristic of their intent/targeting in order to avoid and/or overcome those safeguards/countermeasures.
Threat Shifting
169
Can occur in one or more domains including: (i) the time domain, (ii) the target domain, (iii) the resource domain, or (iv) the attack planning/attack method domain.
Threat Shifting
170
A condition that exists within an organization, a mission or business process, enterprise architecture, information system, or environment of operation which affects the likelihood that threat events, once initiated, result in adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation.
Predisposing Condition
171
An assessment of the relative importance of mitigating/remediating the vulnerability.
Vulnerability Severity
172
The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.
Level of Impact