Chpt 1 - Intro Flashcards

1
Q

History of Legal and Regulatory Framework for Systems Authorization

A

FIPS 102 (1983)
Computer Security Act (1987)
OMB Circular A-130 elevated CSA (1987)

National Computer Security Center Technical Guidance (1994)

DITSCAP

NIACAP (National IA Certification and Accreditation Process) (2000)

FISMA (2002)

DIACAP (Defense IA Certification and Accreditation Process) superseded DITSCAP with publication of DoDI 8510.01 (2007)

Major change in DIACAP from DITSCAP was requiring implementation of IA controls as primary set of security requirements

2
Q

IA Controls in DIACAP are determined by MAC and CL, what are they?

A

Mission Assurance Category

Confidentiality Level

3
Q

What is the CNSS and what is it authorized to do?

A

Committee on National Security Systems

Authorized to establish requirements for national security systems operated or used by all executive departments, agencies and US government contractors who own, procure, use, operate or maintain NSS.

4
Q

What was unique about FISMA?

A

Certification, accreditation and system authorization were elevated and made more visible throughout government and to most federal executives and managers

5
Q

External drivers for system authorization

A

Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley Act (GLBA), Clinger-Cohen all pointed to the need for more effective security

NIST and ISO 17799 accompanied this push

6
Q

Certification

A

The process by which the effectiveness of security controls is assessed

7
Q

Accreditation

A

The management decision based on the certification assessment to permit an information system to operate at its current security posture

8
Q

System Authorization

A

Comprises certification and authorization

Overarching process that includes C&A and serves as the basis for an official management decision by a senior organizational official to authorize operation of an information system, with an explicit acceptance of the risk of its operation to the organization, based on the degree to which agreed-upon security controls have been implemented.

9
Q

5 Benefits of a system authorization program

A

Due Diligence - provides a means for exercising due diligence

Accountability - provides mechanisms for making people accountable

Implementation - facilitates risk management, provides a road map

Visibility - provides visibility to IT security across organization

Cost-Effectiveness - provides cost-effective approach for securing systems via repeatable processes

10
Q

7 Factors for considering program goals

A

The authorization program goals should be:

Realistic

Comprehensive

Integrated

Achievable

Effective

Supported

Enduring

11
Q

Key Elements of an Enterprise System Authorization Program

A
Business Case
Goal Setting
Tasks and Milestones
Program Oversight
Visibility
Resources
Program Guidance
12
Q

3 Special Issues that must be addressed as part of the authorization program

A

Establishing accreditation boundaries

Determining the level of effort of system authorization activities

Defining significant changes and events that warrant reaccreditation of a system

13
Q

What are accreditation boundaries frequently based on?

A

Components under the same management authority

14
Q

List some of the benefits of using metrics to measure progress

A

Allows the CISO to determine shortfalls

Gives important feedback

Allows comparison of different organizational elements

Allows identification of trends

Common metrics allow the CISO to benchmark the status of the organization against other organizations
