Chpt 1 - System Authorization Roles and Responsibilities Flashcards

1
Q

List the 5 primary roles associated with the system authorization program

A

CISO

system owner

ISSO

certifying agent

approving authority

2
Q

CISO

A

Chief Information Security Officer

serves as the senior agency information security officer (SAISO) required by FISMA

has overall responsibility for the organization's IT security-related programs (risk management, policy development, compliance monitoring).

Normally responsible for the system authorization program

3
Q

System Owner

A

Official who has primary responsibility for the security of an information system, over the full lifecycle (planning to disposition)

Establishes the sensitivity level of the system based on the data it processes, which in turn establishes the basis for the types of controls needed.

Ensures controls are implemented, monitors them, updates them

Initiates system authorization activities, prepares security plans, monitors preparation of the accreditation package.

4
Q

Information Systems Security Officer

ISSO

A

Principal staff advisor to the system owner, who appoints the ISSO

Responsible for securing the system and managing all security aspects of the system

Closely monitors daily security and effectiveness of controls

Performs security activities and tasks, develops and enforces security procedures, advises the system owner.

Plays the most significant role in the certification of the systems by serving as the POC for the certifying agent and assembling the security accreditation package

5
Q

Certifying Agent

aka Security Control Assessor in NIST

A

independent authority charged with assessing the security controls of a specific information system to determine whether they are implemented correctly, operating as intended and producing the desired outcome.

Recommends corrective action to reduce or eliminate vulnerabilities in assessed controls

To maintain independence, this role is normally performed by an individual assigned to another part of the organization or who is a contractor or consultant.

6
Q

Approving Authority

aka Authorizing Official (AO) in NIST

aka accrediting official, designated approving authority (DAA)

A

Senior management person responsible for deciding if a system should be allowed to operate.

The executive with authority and ability to evaluate risks.

Responsible for accepting any residual risks to the system

Typically has budget authority, oversight of business processes, and the knowledge required to determine the acceptable level of risk

7
Q

CIO

A

Overall responsibility for execution of the IT security program.

Delegates authority to the CISO

Supports the program through oversight, maintaining visibility with senior management, and providing resources.

8
Q

Approving Authority Designated Representative

aka AODR in NIST

A

Appointed by the approving authority to coordinate and execute the activities required to authorize an information system

Can perform all the tasks of the AA (AO) except making the accreditation (authorization) decision and signing it; that decision cannot be delegated

9
Q

IT Security Program Steering Committee

A

Provides high-level oversight of the organization's infosec program and gives direction on goals, resources and initiatives.

Its supervision and oversight are indirect

10
Q

Auditor

A

provides an independent assessment of the viability of the overall program by examining the viability of its individual components

11
Q

Information Owner / Custodian

aka Information Owner/Steward in NIST

A

responsible for ensuring the system owner is aware of the requirements for protecting their information, based on its sensitivity

Typically the information owner and the system owner are the same entity, but the information owner has authority over specified information and understands the ramifications if it is exposed to threats.

12
Q

System Administrator / Manager

A

performs day-to-day administration and operation of the system

Implements many of the technical and operational security controls

Notifies the ISSO of all system decisions they make

Demonstrates controls to the certifying agent during certification testing

13
Q

Business Unit Manager

A

Often functions as the system owner

Authorization responsibilities typically include disseminating security information to subordinate personnel, determining priorities and resources for implementing corrective actions, and enforcing security controls

14
Q

Project Manager

A

Official tasked with performing system owner-related functions for a system in development.

Fulfills all the system authorization responsibilities of the system owner during the development phase.

15
Q

Risk analyst

A

conducts risk assessments

supports risk-related activities of all members of the system authorization team

16
Q

Facility manager

A

Implements and maintains physical and environmental controls to protect information systems located in their facilities

17
Q

Executive management

A

Crucial role in overseeing the system authorization program, establishing policy, providing resources, enforcing requirements

Critically can increase visibility of the program and ensure its success through support and emphasis

18
Q

Authorization advocate

A

Manages, coordinates, oversees all security authorization activities of the organization.

Works with the CISO, authorizing officials and system owners to ensure authorization activities are given priority and done effectively

19
Q

User representative

A

Represents operational interests and mission needs of the user community.

Identifies unique mission requirements and risks, serves as a liaison to the user community

20
Q

NIST 800-37 r1 role:

Head of Agency / Chief Executive Officer

A

Highest-level senior official in the organization, with overall responsibility for providing risk-based security protection for the organization's information assets

21
Q

NIST 800-37 r1 role:

Risk Executive (Function)

A

An individual or group that ensures risks to individual systems are considered from an organization-wide perspective, in terms of strategic goals and objectives

Ensures the management of risk is consistent across the organization

22
Q

NIST 800-37 r1 role:

Common Control Provider

A

Develops, implements, assesses and monitors common controls.

23
Q

NIST 800-37 r1 role:

Information Security Architect

A

Ensures information security requirements are properly addressed in the enterprise architecture

Liaison between enterprise architect and the information system security engineer.

Coordinates with other roles on system boundary definition, determining the severity of weaknesses, and corrective actions for weaknesses tracked in the POA&M

24
Q

NIST 800-37 r1 role:

Information System Security Engineer

A

Performs system security engineering

Captures and refines infosec requirements and ensures they are integrated into IT products and systems through security architecture, design, development and configuration

Supports design and development of new systems and updates to legacy equipment

25
Q

What role should hold the system authorization function?

A

The CISO, as the organization's senior security professional.

The CISO should report to the COO or CEO, so the program receives management support, visibility and emphasis