Chpt 1 - System Authorization Lifecycle Flashcards

1
Q

Initiation Phase

A

Security Categorization

Preliminary risk assessment

A POA&M is generated from the risk assessment to document the controls to be implemented to address potential risks and vulnerabilities

Controls are defined and refined

2
Q

Acquisition / Development Phase

A

Security functional requirements analysis

Security assurance requirements analysis

Cost considerations and reporting

Security planning

Security control development

Developmental security test and evaluation

3
Q

Implementation Phase

A

Once the certification test plan is developed, it is executed during this phase to ensure required controls are in place and working

Certification test plan results are recorded in the certification test plan report, which goes into the System Authorization Package for the system

Security Plan updated to record test results and document status of controls

With this approach, the AO has all necessary documentation to make an authorization decision

4
Q

Operations / Maintenance Phase

A

System owners must exercise controls that allow continuous monitoring of the security environment.

Owners review the system for possible recertification and accreditation needs following significant events (intrusions, new threats, changes in system components, facility, etc.)

First, evaluate the need for recertification by reviewing the impact of the change via a risk assessment

Reaccreditation may be required every 2-3 years regardless of changes

5
Q

Disposition Phase

A

Ensure data is purged to prevent disclosure

Integrity of data may require archival and storage

A risk assessment should be conducted and a remediation plan with a POA&M developed

System authorization procedures in this phase are scaled-down versions of processes from previous phases

Retiring one system often means replacing it with another, so linking their lifecycle activities can make sense.

6
Q

Precertification Phase

A

Tasks performed to prepare for certification

7
Q

Validation Phase

A

Tasks performed to obtain the actual certification

8
Q

Integrating system authorization into the SDLC is promoted by _____

A

the consistency of the project manager / system owner in recertification and validation.

9
Q

Reasons for failure 1

A

Program Scope

Incomplete identification and inventory of systems leads to incomplete application of controls

10
Q

Reasons for failure 2

A

Assessment Focus

The program never leaves the assessment phase, so remediation / mitigation isn’t applied

11
Q

Reasons for failure 3

A

Short-Term Thinking

Organizations focus only on day-to-day requirements. Solutions are point solutions that don’t contribute to the overall security architecture

12
Q

Reasons for failure 4

A

Long-Term Thinking

Focusing on strategy alone prevents implementation

You have to translate the requirements identified in the security architecture down to the implementation level

13
Q

Reasons for failure 5

A

Poor Planning

Failure to recognize the costs can stop efforts from following through

Fits and starts lose the confidence of management, who become inclined to scrap the program

Unrealistic requirements

Misaligned responsibilities assigned to personnel

Failure to correctly identify assumptions

Failure to recognize limitations of system authorization contributes to poor planning

14
Q

Reasons for failure 6: Lack of Responsibility

A

Must distinguish program-level responsibilities for the enterprise from system-level responsibilities for individual systems

A single entity cannot do both

15
Q

Reasons for failure 7: Excessive Paperwork

A

Too much bureaucracy slows and stops development

16
Q

Reasons for failure 8: Lack of Enforcement

A

Failure to enforce the system authorization policy leads to an inconsistent and ineffective program

17
Q

Reasons for failure 9: Lack of Foresight

A

Inadequate understanding of the benefits will keep an organization from considering implementation. It’s a failure of opportunity

18
Q

Reasons for failure 10: Poor Timing

A

If an organization isn’t ready for it, or a real need doesn’t exist, the program can fail

19
Q

Reasons for failure 11: Lack of Support

A

Possibly the most significant obstacle is lack of management support.

Programs can’t force participation on their own or carry through with requirements

This can result in failure to accredit or re-accredit