Chpt 1 - Fundamentals of IS RM per NIST SP 800-37 r1

Question 1

4 fundamental concepts of information systems risk management in 800-37

Answer 1

Establish organization-wide view of risk management and application of NIST RMF

Integrating information security requirements into the organization’s SDLC and other management processes

Establishing information systems boundaries

Allocating system-specific, hybrid or common controls to information systems

Question 2

3 Tiers of an organization

Answer 2

Tier 1 - Organization (top)

Tier 2 - Mission / Business Process (mid)

Tier 3 - Information Systems (bottom)

Question 3

Tier 1 (organization) activities

Answer 3

Assessment of risks (SP 800-30)

evaluation of risks (SP 800-30)

mitigation of risks (SP 800-53)

acceptance of risk (SP 800-39)

monitoring risk

risk management strategy oversight

Question 4

Tier 2 (Mission / Business process) activities

Answer 4

ID core missions and business processes

Prioritize mission and business processes

Define types of information needed to carryout missions and business processes. Define internal & external information flows. (SP 800-60)

Develop information protection strategy

Specify authority granted to subordinate organizations for risk assessment, evaluation, mitigation, acceptance and monitoring

Question 5

Tier 3 (Information System Level)

Answer 5

Primary focus of SP 800-37 r1

Touches on security requirements defined in SP 800-53 and its controls

allocation of security control components in the form of controls according to the infosec architecture developed as part of Tier 2 activities

Security controls should be traceable to organization’s established security requirements

Question 6

6 steps in RMF

Answer 6

Categorize
the information systems

Select
baseline security controls

Implement
the security controls

Assess
the security controls

Authorize
the information systems

Monitor
the security controls

Question 7

NIST’s 3 classifications of security controls

Answer 7

system specific
intended for a specific information system only and are the responsibility of the system owner

common controls
controls that are common to multiple information systems and are the responsibility of the common control provider

hybrid controls
have characteristics of specific and common controls with shared responsibility

Question 8

Guidance on defining system boundaries

Answer 8

typically a boundary will be items under the same direct management control.

The items usually support the same mission/business objectives for functions nad have similar basic characteristics

The items reside in the same general operating environment or location

Question 9

Guidance on software application boundaries

Answer 9

applications depend on resources provided by a hosting system

Owners of application and hosting systems must coordinate with each other on:

selection, implementation, assessment and monitoring of security controls for hosted applications

evaluation of the effects of changes to hosted applications on the overall security state of the hosting system

evaluation of the effects of changes to the information system on hosted applications

Question 10

Guidance on complex systems

Answer 10

NIST suggests owners consider deconstructing complex systems into more manageable subsystems

This permits targeted application of security controls