Chpt 1 - Fundamentals of IS RM per NIST SP 800-37 r1 Flashcards
4 fundamental concepts of information systems risk management in 800-37
Establish organization-wide view of risk management and application of NIST RMF
Integrating information security requirements into the organization’s SDLC and other management processes
Establishing information systems boundaries
Allocating system-specific, hybrid or common controls to information systems
3 Tiers of an organization
Tier 1 - Organization (top)
Tier 2 - Mission / Business Process (mid)
Tier 3 - Information Systems (bottom)
Tier 1 (organization) activities
Assessment of risks (SP 800-30)
evaluation of risks (SP 800-30)
mitigation of risks (SP 800-53)
acceptance of risk (SP 800-39)
monitoring risk
risk management strategy oversight
Tier 2 (Mission / Business process) activities
ID core missions and business processes
Prioritize mission and business processes
Define types of information needed to carry out missions and business processes. Define internal & external information flows. (SP 800-60)
Develop information protection strategy
Specify authority granted to subordinate organizations for risk assessment, evaluation, mitigation, acceptance and monitoring
Tier 3 (Information System Level)
Primary focus of SP 800-37 r1
Touches on security requirements defined in SP 800-53 and its controls
allocation of security controls according to the information security architecture developed as part of Tier 2 activities
Security controls should be traceable to organization’s established security requirements
6 steps in RMF
Categorize
the information systems
Select
baseline security controls
Implement
the security controls
Assess
the security controls
Authorize
the information systems
Monitor
the security controls
NIST’s 3 classifications of security controls
system specific
intended for a specific information system only and are the responsibility of the system owner
common controls
controls that are common to multiple information systems and are the responsibility of the common control provider
hybrid controls
have characteristics of specific and common controls with shared responsibility
Guidance on defining system boundaries
typically a boundary will be items under the same direct management control.
The items usually support the same mission/business objectives or functions and have similar basic characteristics
The items reside in the same general operating environment or location
Guidance on software application boundaries
applications depend on resources provided by a hosting system
Owners of application and hosting systems must coordinate with each other on:
selection, implementation, assessment and monitoring of security controls for hosted applications
evaluation of the effects of changes to hosted applications on the overall security state of the hosting system
evaluation of the effects of changes to the information system on hosted applications
Guidance on complex systems
NIST suggests owners consider deconstructing complex systems into more manageable subsystems
This permits targeted application of security controls