Chpt 1 - Fundamentals of IS RM per NIST SP 800-37 r1 Flashcards

1
Q

4 fundamental concepts of information systems risk management in 800-37

A

Establishing an organization-wide view of risk management and applying the NIST RMF across the organization

Integrating information security requirements into the organization's SDLC and other management processes

Establishing information system boundaries

Allocating system-specific, hybrid, or common controls to information systems

2
Q

3 Tiers of an organization

A

Tier 1 - Organization (top)

Tier 2 - Mission / Business Process (mid)

Tier 3 - Information Systems (bottom)

3
Q

Tier 1 (organization) activities

A

Assessment of risks (SP 800-30)

Evaluation of risks (SP 800-30)

Mitigation of risks (SP 800-53)

Acceptance of risk (SP 800-39)

Monitoring of risk

Oversight of the risk management strategy

4
Q

Tier 2 (Mission / Business process) activities

A

Identify core missions and business processes

Prioritize missions and business processes

Define the types of information needed to carry out missions and business processes, and define internal and external information flows (SP 800-60)

Develop an information protection strategy

Specify the authority granted to subordinate organizations for risk assessment, evaluation, mitigation, acceptance, and monitoring

5
Q

Tier 3 (Information System Level)

A

Primary focus of SP 800-37 r1 (the RMF is applied at this tier)

Draws on the security requirements and controls defined in SP 800-53

Security controls are allocated to the information system according to the information security architecture developed as part of Tier 2 activities

Every allocated security control should be traceable to one of the organization's established security requirements

6
Q

6 steps in RMF

A

Categorize
the information systems

Select
baseline security controls

Implement
the security controls

Assess
the security controls

Authorize
the information systems

Monitor
the security controls

7
Q

NIST’s 3 classifications of security controls

A

System-specific controls
intended for a single information system only; the responsibility of that system's owner

Common controls
controls inherited by multiple information systems; the responsibility of the common control provider

Hybrid controls
have characteristics of both system-specific and common controls, with responsibility shared between the system owner and the common control provider

8
Q

Guidance on defining system boundaries

A

Typically a boundary encloses items under the same direct management control.

The items usually support the same mission/business objective or function and have essentially the same operating characteristics and security needs.

The items reside in the same general operating environment or location (or, for distributed systems, in several locations with similar operating environments).

9
Q

Guidance on software application boundaries

A

Applications depend on resources provided by a hosting system.

Owners of applications and owners of hosting systems must coordinate with each other on:

selection, implementation, assessment, and monitoring of security controls for hosted applications

evaluation of the effects of changes to hosted applications on the overall security state of the hosting system

evaluation of the effects of changes to the hosting information system on the hosted applications

10
Q

Guidance on complex systems

A

NIST suggests that owners consider decomposing complex systems into more manageable subsystems.

This permits targeted application of security controls to each subsystem.
