Chpt 1 - Intro Flashcards
History of Legal and Regulatory Framework for Systems Authorization
FIPS 102 (1983)
Computer Security Act (1987)
OMB Circular A-130 elevated CSA (1987)
National Computer Security Center Technical Guidance (1994)
DITSCAP
NIACAP (National IA Certification and Accreditation Process) (2000)
FISMA (2002)
DIACAP (Defense IA Certification and Accreditation Process) superseded DITSCAP with publication of DoDI 8510.01 (2007)
Major change in DIACAP from DITSCAP was requiring implementation of IA controls as primary set of security requirements
IA Controls in DIACAP are determined by MAC and CL, what are they?
Mission Assurance Category
Confidentiality Level
What is the CNSS and what is it authorized to do?
Committee on National Security Systems
Authorized to establish requirements for national security systems operated or used by all executive departments, agencies and US government contractors who own, procure, use, operate or maintain NSS.
What was unique about FISMA?
Certification, accreditation and system authorization were elevated and made more visible throughout government and to most federal executives and managers
External drivers for system authorization
Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley Act (GLBA), Clinger-Cohen all pointed to the need for more effective security
NIST and ISO 17799 accompanied this push
Certification
The process by which the effectiveness of security controls is assessed
Accreditation
The management decision based on the certification assessment to permit an information system to operate at its current security posture
System Authorization
comprises certification and authorization
Overarching process that includes C&A and serves as the basis for an official management decision by a senior organizational official to authorize operation of an information system with an explicit acceptance of the risk of its operation to the organization, based on the degree to which agreed-upon security controls have been implemented.
5 Benefits of a system authorization program
Due Diligence - provides a means for exercising due diligence
Accountability - provides mechanisms for making people accountable
Implementation - facilitates risk management, provides a road map
Visibility - provides visibility to IT security across organization
Cost-Effectiveness - provides cost-effective approach for securing systems via repeatable processes
7 Factors for considering program goals
The authorization program goals should be:
Realistic
Comprehensive
Integrated
Achievable
Effective
Supported
Enduring
Key Elements of an Enterprise System Authorization Program
Business Case
Goal Setting
Tasks and Milestones
Program Oversight
Visibility
Resources
Program Guidance
3 Special Issues that must be addressed as part of the authorization program
Establishing accreditation boundaries
Determining the level of effort of system authorization activities
Defining significant changes and events that warrant reaccreditation of a system
What are accreditation boundaries frequently based on?
components under the same management authority
List some of the benefits of using metrics to measure progress
allows the CISO to determine shortfalls
gives important feedback
allows comparison of different organizational elements
allows identification of trends
common metrics allow the CISO to benchmark the status of the organization against other organizations