Chapter 4 Flashcards
The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
Authorization to Operate (ATO)
Types include quantitative, qualitative, or semi-quantitative.
Assessment Approach
Assessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition.
Assessment Findings
One of three types of actions (i.e., examine, interview, test) taken by assessors in obtaining evidence during an assessment.
Assessment Method
The item (i.e., specifications, mechanisms, activities, individuals) upon which an assessment method is applied during an assessment.
Assessment Object
A set of determination statements that expresses the desired outcome for the assessment of a security control or control enhancement.
Assessment Objective
A set of assessment objectives and an associated set of assessment methods and assessment objects.
Assessment Procedure
Grounds for justified confidence that a claim has been or will be achieved.
Assurance
A structured set of arguments and a body of evidence showing that an information system satisfies specific claims with respect to a given quality attribute.
Assurance Case
Independent review and examination of records and activities to assess the adequacy of system controls and ensure compliance with established policies and operational procedures.
Audit
Access privileges granted to a user, program, or process or the act of granting those privileges.
Authorization
All components of an information system to be authorized for operation by an authorizing official; excluding separately authorized systems to which the information system is connected.
Authorization Boundary
A senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the nation.
Authorization Official
A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object.
Black Box Testing
The set of data that documents the information system’s adherence to the security controls applied.
Body of Evidence
The totality of evidence used to substantiate trust, trustworthiness, and risk relative to the system.
Body of Evidence
The act of reverse-engineering the malicious program to understand the code that implements the software behavior.
Code Analysis
Attempts to recreate the original source code of the program.
Disassembler
Allows the analyst to step through the code, interacting with it, and observing the effects of its instructions to understand its purpose.
Debugger
The technical basis for an international agreement which ensures that products can be evaluated by competent and independent licensed laboratories so as to determine the fulfilment of particular security properties, to a certain extent or assurance.
Common Criteria
An attribute associated with an assessment method that addresses the rigor and level of detail associated with the application of the method.
Depth
A type of assessment method that is characterized by the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence, the results of which are used to support the determination of security control effectiveness over time.
Examine
A test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object; also known as grey box testing.
Focused Testing
Segment of quality assurance testing in which advertised security mechanisms of an information system are tested against a specification.
Function Testing
A test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object; also known as focused testing.
Grey Box Testing
A comprehensive review, analysis, and test (software and/or hardware) performed by an objective third party to confirm that the requirements are correctly defined, and to confirm that the system correctly implements the required functionality and security requirements.
Independent Verification and Validation
A type of assessment method that is characterized by the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or lead to the location of evidence, the results of which are used to support the determination of security control effectiveness over time.
Interview
A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system.
Penetration Testing
The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Security Control Assessment
The individual, group, or organization responsible for conducting a security control assessment.
Security Control Assessor
The individual, group, or organization responsible for conducting an assessment.
Assessor
The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system.
Security Impact Analysis
Any change to a system’s configuration, environment, information content, functionality, or users that has the potential to change the risk imposed upon its continued operations.
Security-relevant Change
An implementation-dependent statement of security needs for a specific identified target of evaluation.
Security Target
Examination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system.
Security Test and Evaluation
In accordance with Common Criteria, an information system, part of a system or product, and all associated documentation, which is the subject of a security evaluation.
Target of Evaluation
An official authorization decision to employ identical copies of an information system or subsystem, including hardware, software, firmware, and/or applications, in specified environments of operation.
Type Authorization
The certification acceptance of replica information systems based on the comprehensive evaluation of the technical and non-technical security features of an information system and other safeguards, made as part of and in support of the formal approval process, to establish the extent to which a particular design and implementation meet a specified set of security requirements.
Type Certification
Confirmation through the provision of strong, sound, objective evidence that requirements for a specific intended use or application have been fulfilled.
Validation
The group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of their enterprise’s use of information systems.
White Team
Can refer to a small group of people who have prior knowledge of unannounced Red Team activities.
White Team
Acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender’s mission.
White Team
Helps to establish the rules of engagement, the metrics for assessing results and the procedures for providing operational security for the engagement.
White Team
Has responsibility for deriving lessons learned, conducting the post-engagement assessment, and promulgating results.
White Team
The intended results or indicator that the system is functioning correctly.
Criteria for Passing a Control or Requirement
Consists of the security plan, a plan of action and milestones, and a security assessment report.
Authorization Package
Provide guidance on how to securely configure common information technology items.
Security Technical Implementation Guides (STIGs)
Verifies system and sub-system level performance.
Integration Testing
Objective is to acquire, integrate, configure, test, document, and train.
Implement System SE Activity