Chpt 1 - System Authorization Roles and Responsibilities

Question 1

List the 5 primary roles associated with the the system authorization program

Answer 1

CISO

system owner

ISSO

certifying agent

approving authority

Question 2

CISO

Answer 2

Chief Information Security Officer

serves as the senior agency information officer (SAISO) as required by FISMA

has overall responsibility for organization’s IT security-related programs (risk management, policy development, compliance monitoring).

Normally responsible for the system authorization program

Question 3

System Owner

Answer 3

Official who has primary responsibility for the security of an information system, over the full lifecycle (planning to disposition)

Establishes sensitivity level of the system based on data it processes. Thus establishes basis for types of controls needed.

Ensures controls are implemented, monitors them, updates them

Initiates system authorization activities, prepares security plans, monitors preparation of the accreditation package.

Question 4

Information Systems Security Officer

ISSO

Answer 4

Principal staff advisor to the system owner, who appoints the ISSO

Responsible for securing the system and managing all security aspects of the systems

Closely monitors daily security and effectiveness of controls

Performs security activities and tasks, develops and enforces security procedures, advises the system owner.

Plays the most significant role in the certification of the systems by serving as the POC for the certifying agent and assembling the security accreditation package

Question 5

Certifying Agent

aka Security Control Assessor in NIST

Answer 5

independent authority charged with assessing the security controls for a specific information system to see if they are implemented and working correctly and producing the desired outcome.

Recommends corrective action to reduce or eliminate vulnerabilities in assessed controls

To maintain independence, this role is normally performed by an individual assigned to another part of the organization or who is a contractor or consultant.

Question 6

Approving Authority
aka Authorizing Official (AO) in NIST

aka
accrediting official
designated approving authority (DAA)

Answer 6

Senior management person responsible for deciding if a system should be allowed to operate.

The executive with authority and ability to evaluate risks.

Responsible for accepting any residual risks to the system

Typically has budget authority, oversight of business processes, knowledge required to determine acceptable level of risk

Question 7

CIO

Answer 7

Overall responsibility for execution of IT security program.

Delegates authority to CISO

Supports program through oversight, maintaining visibility with senior management and provisioning resources.

Question 8

Approving Authority Designated Representative

aka AODR in NIST

Answer 8

Appointed by the approving authority to coordinate and execute activities for authorizing an information system

Does all the tasks of the AA (AO) except sign or make the accreditation decision

Question 9

IT Security Program Steering Committee

Answer 9

high-level oversight of the organization’s infosec program and provides direction on goals, resources, initiatives.

Provides indirect supervision and oversight

Question 10

Auditor

Answer 10

provides independent assessment of the viability of the overall program by looking at the viability of individual components

Question 11

Information Owner / Custodian

aka Information Owner/Steward in NIST

Answer 11

responsible for ensuring the system owner is aware of the requirements for protecting their information based on its sensitivity

Typically the information owner and system owner are the same entity, but the information owner has authority for specified information and understand ramifications if it’s exposed to threats.

Question 12

System Administrator / Manager

Answer 12

performs day-to-day administration and operation of the system

Implements many of the technical and operational security controls

Notifies ISSO of all system decisions they make

Demonstrates controls to the certifying agent during certification testing

Question 13

Business Unit Manager

Answer 13

Often function as system owners

Authorization responsibilities typically include disseminating security information to subordinate personnel, determining priorities and resources for implementing corrective actions, enforcing security controls

Question 14

Project Manager

Answer 14

Official tasked with performing system owner-related functions for a system in development.

Fulfills all the system authorization responsibilities of the system owner during the development phase.

Question 15

Risk analyst

Answer 15

conducts risk assessments

supports risk-related activities of all members of the system authorization team

Question 16

Facility manager

Answer 16

Implements and maintains physical and environmental controls to protect information systems located in their facilities

Question 17

Executive management

Answer 17

Crucial role in overseeing the system authorization program, establishing policy, providing resources, enforcing requirements

Critically can increase visibility of the program and ensure its success through support and emphasis

Question 18

Authorization advocate

Answer 18

Manages, coordinates, oversees all security authorization activities of the organization.

Works with the CISO, authorizing officials and system owners to ensure authorization activities are given priority and done effectively

Question 19

User representative

Answer 19

Represents operational interests and mission needs of the user community.

Identifies unique mission requirements and risks, serves as a liaison to the user community

Question 20

NIST 800-37 r1 role:

Head of Agency / Chief Executive Officer

Answer 20

highest-level senior official responsible for exercising overall responsibility for providing risk-based security for information assets

Question 21

NIST 800-37 r1 role: 
Risk Executive (Function)

Answer 21

An individual or group that ensures risks for individual systems are considered from an organization-wide perspective in terms of strategic goals and objectives

Ensures management of risks is consistent across the organization

Question 22

NIST 800-37 r1 role:

Common Control Provider

Answer 22

Develops, implements, assesses and monitors common controls.

Question 23

NIST 800-37 r1 role:

Information Security Architect

Answer 23

Ensures information security requirements are properly addressed in the enterprise architecture

Liaison between enterprise architect and the information system security engineer.

Coordinates with other roles about system boundary definition, determining severity of weaknesses, corrective actions related to POA&M weaknesses

Question 24

NIST 800-37 r1 role:

Information System Security Engineer

Answer 24

Performs system security engineering

Captures and refines infosec requirements and ensures they’re integrated into IT products and systems through security architecture, design, development and configuration

Supports design and development, updates to legacy equipment

Question 25

What role should hold the system authorization function?

Answer 25

CISO, the senior security professional.

they report to the COO or CEO, where they get management support, visibility and emphasis