Chpt 1 - Intro

Question 1

History of Legal and Regulatory Framework for Systems Authorization

Answer 1

FIPS 102 (1983)
Computer Security Act (1987)
OMB Circular A-130 elevated CSA (1987)

National Computer Security Center Technical Guidance (1994)

DITSCAP

NIACAP (National IA Certification and Accreditation Process) (2000)

FISMA (2002)

DIACAP (Defense IA Certification and Accreditation Process) superseded DITSCAP with publication of DoDI 8510.01 (2007)

Major change in DIACAP from DITSCAP was requiring implementation of IA controls as primary set of security requirements

Question 2

IA Controls in DIACAP are determined by MAC and CL, what are they?

Answer 2

Mission Assurance Category

Confidentiality Level

Question 3

What is the CNSS and what is it authorized to do?

Answer 3

Committee on National Security Systems

Authorized to establish requirements for national security systems operated or used by all executive departments, agencies and US government contractors who own, procure, use, operate or maintain NSS.

Question 4

What was unique about FISMA?

Answer 4

Certification, accreditation and system authorization were elevated and more visible throughout government and most federal executives and managers

Question 5

External drivers for system authorization

Answer 5

Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley Act (GLBA), Clinger-Cohen all pointed to the need for more effective security

NIST and ISO 17799 accompanied this push

Question 6

Certification

Answer 6

The process by which the effectiveness o security controls is assessed

Question 7

Accreditation

Answer 7

The management decision based on the certification assessment to permit an information system to operate at its current security posture

Question 8

System Authorization

Answer 8

comprises certification and authorization

Overarching process that includes C&A and serves as the basis for an official management decision by a senior organizational official to authorize operation of an information system with an explicit acceptance of the risk of its operation to the organization and based on the degree to which agree-upon security controls have been implemented.

Question 9

5 Benefits of a system authorization program

Answer 9

Due Diligence - provides a means for exercising due diligence

Accountability - provides mechanisms for making people accountable

Implementation - facilitates risk management, provides a road map

Visibility - provides visibility to IT security across organization

Cost-Effectiveness - provides cost-effective approach for securing systems via repeatable processes

Question 10

7 Factors for considering program goals

Answer 10

The authorization program goals should be:

Realistic

Comprehensive

Integrated

Achievable

Effective

Supported

Enduring

Question 11

Key Elements of an Enterprise System Authorization Program

Answer 11

Business Case
Goal Setting
Tasks and Milestones
Program Oversight
Visibility
Resources
Program Guidance

Question 12

3 Special Issues that must be addressed as part of the authorization program

Answer 12

Establishing accreditation boundaries

Determining the level of effort of system authorization activities

Defining significant changes and events that warrant reaccreditation of a system

Question 13

What are accreditation boundaries frequently based on?

Answer 13

components under the same management authority

Question 14

List some of the benefits of using metrics to measure progress

Answer 14

allows CISO to determine shortfalls

gives important feedback

allow comparison of different organizational elements

allow identification of trends

common metrics allow CISO to benchmark status of the organizations against other organizations