Chpt 1 - System Authorization Roles and Responsibilities Flashcards
List the 5 primary roles associated with the system authorization program
CISO
system owner
ISSO
certifying agent
approving authority
CISO
Chief Information Security Officer
serves as the senior agency information security officer (SAISO) required by FISMA
has overall responsibility for organization’s IT security-related programs (risk management, policy development, compliance monitoring).
Normally responsible for the system authorization program
System Owner
Official who has primary responsibility for the security of an information system, over the full lifecycle (planning to disposition)
Establishes the sensitivity level of the system based on the data it processes, which in turn establishes the basis for the types of controls needed.
Ensures controls are implemented, monitors them, updates them
Initiates system authorization activities, prepares security plans, monitors preparation of the accreditation package.
Information Systems Security Officer
ISSO
Principal staff advisor to the system owner, who appoints the ISSO
Responsible for securing the system and managing all security aspects of it
Closely monitors daily security and effectiveness of controls
Performs security activities and tasks, develops and enforces security procedures, advises the system owner.
Plays the most significant role in the certification of the systems by serving as the POC for the certifying agent and assembling the security accreditation package
Certifying Agent
aka Security Control Assessor in NIST
independent authority charged with assessing the security controls of a specific information system to determine whether they are implemented correctly, operating as intended, and producing the desired outcome.
Recommends corrective action to reduce or eliminate vulnerabilities in assessed controls
To maintain independence, this role is normally performed by an individual assigned to another part of the organization or who is a contractor or consultant.
Approving Authority
aka Authorizing Official (AO) in NIST
aka accrediting official or designated approving authority (DAA)
Senior management person responsible for deciding if a system should be allowed to operate.
The executive with authority and ability to evaluate risks.
Responsible for accepting any residual risks to the system
Typically has budget authority, oversight of business processes, knowledge required to determine acceptable level of risk
CIO
Overall responsibility for execution of IT security program.
Delegates authority to CISO
Supports program through oversight, maintaining visibility with senior management and provisioning resources.
Approving Authority Designated Representative
aka Authorizing Official Designated Representative (AODR) in NIST
Appointed by the approving authority to coordinate and execute activities for authorizing an information system
Does all the tasks of the AA (AO) except making or signing the accreditation decision, which stays with the AA (AO)
IT Security Program Steering Committee
high-level oversight of the organization’s infosec program and provides direction on goals, resources, initiatives.
Provides indirect supervision and oversight
Auditor
provides independent assessment of the viability of the overall program by looking at the viability of individual components
Information Owner / Custodian
aka Information Owner/Steward in NIST
responsible for ensuring the system owner is aware of the requirements for protecting their information based on its sensitivity
Typically the information owner and system owner are the same entity, but the information owner has authority over specified information and understands the ramifications if it is exposed to threats.
System Administrator / Manager
performs day-to-day administration and operation of the system
Implements many of the technical and operational security controls
Notifies ISSO of all system decisions they make
Demonstrates controls to the certifying agent during certification testing
Business Unit Manager
Often function as system owners
Authorization responsibilities typically include disseminating security information to subordinate personnel, determining priorities and resources for implementing corrective actions, enforcing security controls
Project Manager
Official tasked with performing system owner-related functions for a system in development.
Fulfills all the system authorization responsibilities of the system owner during the development phase.
Risk analyst
conducts risk assessments
supports risk-related activities of all members of the system authorization team
Facility manager
Implements and maintains physical and environmental controls to protect information systems located in their facilities
Executive management
Crucial role in overseeing the system authorization program, establishing policy, providing resources, enforcing requirements
Critically can increase visibility of the program and ensure its success through support and emphasis
Authorization advocate
Manages, coordinates, oversees all security authorization activities of the organization.
Works with the CISO, authorizing officials and system owners to ensure authorization activities are given priority and done effectively
User representative
Represents operational interests and mission needs of the user community.
Identifies unique mission requirements and risks, serves as a liaison to the user community
NIST 800-37 r1 role: Head of Agency / Chief Executive Officer
highest-level senior official, with overall responsibility for providing risk-based security for the organization's information assets
NIST 800-37 r1 role: Risk Executive (Function)
An individual or group that ensures risks for individual systems are considered from an organization-wide perspective in terms of strategic goals and objectives
Ensures management of risks is consistent across the organization
NIST 800-37 r1 role: Common Control Provider
Develops, implements, assesses and monitors common controls.
NIST 800-37 r1 role: Information Security Architect
Ensures information security requirements are properly addressed in the enterprise architecture
Liaison between enterprise architect and the information system security engineer.
Coordinates with other roles about system boundary definition, determining severity of weaknesses, corrective actions related to POA&M weaknesses
NIST 800-37 r1 role: Information System Security Engineer
Performs system security engineering
Captures and refines infosec requirements and ensures they’re integrated into IT products and systems through security architecture, design, development and configuration
Supports design and development, updates to legacy equipment
What role should hold the system authorization function?
CISO, the senior security professional.
The CISO reports to the COO or CEO, which gives the program management support, visibility and emphasis