Chapter 4 Flashcards by kyle messer

The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.

Authorization to Operate (ATO)

How well did you know this?

Not at all

Perfectly

Types include quantitative, qualitative, or semi-quantitative.

Assessment Approach

How well did you know this?

Not at all

Perfectly

Assessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition.

Assessment Findings

How well did you know this?

Not at all

Perfectly

One of three types of actions (i.e., examine, interview, test) taken by assessors in obtaining evidence during an assessment.

Assessment Method

How well did you know this?

Not at all

Perfectly

The item (i.e., specifications, mechanisms, activities, individuals) upon which an assessment method is applied during an assessment.

Assessment Object

How well did you know this?

Not at all

Perfectly

A set of determination statements that expresses the desired outcome for the assessment of a security control or control enhancement.

Assessment Objective

How well did you know this?

Not at all

Perfectly

A set of assessment objectives and an associated set of assessment methods and assessment objects.

Assessment Procedure

How well did you know this?

Not at all

Perfectly

Grounds for justified confidence that a claim has been or will be achieved.

Assurance

How well did you know this?

Not at all

Perfectly

A structured set of arguments and a body of evidence showing that an information system satisfies specific claims with respect to a given quality attribute.

Assurance Case

How well did you know this?

Not at all

Perfectly

Independent review and examination of records and activities to assess the adequacy of system controls and ensure compliance with established policies and operational procedures.

Audit

How well did you know this?

Not at all

Perfectly

Access privileges granted to a user, program, or process or the act of granting those privileges.

Authorization

How well did you know this?

Not at all

Perfectly

All components of an information system to be authorized for operation by an authorizing official; excluding separately authorized systems to which the information system is connected.

Authorization Boundary

How well did you know this?

Not at all

Perfectly

A senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the nation.

Authorization Official

How well did you know this?

Not at all

Perfectly

A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object.

Black Box Testing

How well did you know this?

Not at all

Perfectly

The set of data that documents the information system’s adherence to the security controls applied.

Body of Evidence

How well did you know this?

Not at all

Perfectly

The totality of evidence used to substantiate trust, trustworthiness, and risk relative to the system.

Body of Evidence

How well did you know this?

Not at all

Perfectly

The act of reverse-engineering the malicious program to understand the code that implements the software behavior.

Code Analysis

How well did you know this?

Not at all

Perfectly

Attempts to recreate the original source code of the program.

Disassembler

How well did you know this?

Not at all

Perfectly

Allows the analyst to step through the code, interacting with it, and observing the effects of its instructions to understand its purpose.

Debugger

How well did you know this?

Not at all

Perfectly

The technical basis for an international agreement which ensures that products can be evaluated by competent and independent licensed laboratories so as to determine the fulfilment of particular security properties, to a certain extent or assurance.

Common Criteria

An attribute associated with an assessment method that addresses the rigor and level of detail associated with the application of the method.

Depth

A type of assessment method that is characterized by the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence, the results of which are used to support the determination of security control effectiveness over time.

Examine

A test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object; known as gray box testing.

Focused Testing

Segment of quality assurance testing in which advertised security mechanisms of an information system are tested against a specification.

Function Testing

A test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object; known as focused testing.

Grey Box Testing

A comprehensive review, analysis, and test (software and/or hardware) performed by an objective third party to confirm that the requirements are correctly defined, and to confirm that the system correctly implements the required functionality and security requirements.

Independent Verification and Validation

A type of assessment method that is characterized by the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or lead to the location of evidence, the results of which are used to support the determination of security control effectiveness over time.

Interview

A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system.

Penetration Testing

The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Security Control Assessment

The individual, group, or organization responsible for conducting a security control assessment.

Security Control Assessor

The individual, group, or organization responsible for conducting an assessment.

Assessor

The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system.

Security Impact Analysis

Any change to a system's configuration, environment, information content, functionality, or users that has the potential to change the risk imposed upon its continued operations.

Security-relevant Change

An implementation-dependent statement of security needs for a specific identified target of evaluation.

Security Target

Examination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system.

Security Test and Evaluation

In accordance with Common Criteria, an information system, part of a system or product, and all associated documentation, which is the subject of a security evaluation.

Target of Evaluation

An official authorization decision to employ identical copies of an information system or subsystem―including hardware, software, firmware, and/or applications―in specified environments of operation.

Type Authorization

The certification acceptance of replica information systems based on the comprehensive evaluation of the technical and non-technical security features of an information system and other safeguards, made as part of and in support of the formal approval process, to establish the extent to which a particular design and implementation meet a specified set of security requirements.

Type Certification

Confirmation through the provision of strong, sound, objective evidence that requirements for a specific intended use or application have been fulfilled.

Validation

The group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of their enterprise's use of information systems.

White Team

Can refer to a small group of people who have prior knowledge of unannounced Red Team activities.

White Team

Acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender's mission.

White Team

Helps to establish the rules of engagement, the metrics for assessing results and the procedures for providing operational security for the engagement.

White Team

Has responsibility for deriving lessons learned, conducting the post-engagement assessment, and promulgating results.

White Team

The intended results or indicator that the system is functioning correctly.

Criteria for Passing a Control or Requirement

Consists of the security plan, a plan of action and milestones, and a security assessment report.

Authorization Package

Provide guidance on how to securely configure common information technology items.

Security Technical Implementation Guides (STIGs)

Verifies system and sub-system level performance.

Integration Testing

Objective is to acquire, integrate, configure, test, document, and train.

Implement System SE Activity