Chpt 1 - System Authorization Roles and Responsibilities Flashcards
List the 5 primary roles associated with the system authorization program
CISO
system owner
ISSO
certifying agent
approving authority
CISO
Chief Information Security Officer
serves as the senior agency information security officer (SAISO) as required by FISMA
has overall responsibility for organization’s IT security-related programs (risk management, policy development, compliance monitoring).
Normally responsible for the system authorization program
System Owner
Official who has primary responsibility for the security of an information system, over the full lifecycle (planning to disposition)
Establishes the sensitivity level of the system based on the data it processes, which in turn establishes the basis for the types of controls needed.
Ensures controls are implemented, monitors them, updates them
Initiates system authorization activities, prepares security plans, monitors preparation of the accreditation package.
Information Systems Security Officer
ISSO
Principal staff advisor to the system owner, who appoints the ISSO
Responsible for securing the system and managing all security aspects of the system
Closely monitors daily security and effectiveness of controls
Performs security activities and tasks, develops and enforces security procedures, advises the system owner.
Plays the most significant role in the certification of the system by serving as the point of contact (POC) for the certifying agent and assembling the security accreditation package
Certifying Agent
aka Security Control Assessor in NIST
Independent authority charged with assessing the security controls of a specific information system to determine whether they are implemented correctly, operating as intended, and producing the desired outcome.
Recommends corrective action to reduce or eliminate vulnerabilities in assessed controls
To maintain independence, this role is normally performed by an individual assigned to another part of the organization or who is a contractor or consultant.
Approving Authority
aka Authorizing Official (AO) in NIST
aka accrediting official
aka designated approving authority (DAA)
Senior management person responsible for deciding if a system should be allowed to operate.
The executive with authority and ability to evaluate risks.
Responsible for accepting any residual risks to the system
Typically has budget authority, oversight of business processes, knowledge required to determine acceptable level of risk
CIO
Overall responsibility for execution of IT security program.
Delegates authority to CISO
Supports program through oversight, maintaining visibility with senior management and provisioning resources.
Approving Authority Designated Representative
aka AODR in NIST
Appointed by the approving authority to coordinate and execute activities for authorizing an information system
Does all the tasks of the AA (AO) except sign or make the accreditation decision
IT Security Program Steering Committee
Provides high-level oversight of the organization's infosec program and direction on goals, resources, and initiatives.
Provides indirect supervision and oversight
Auditor
provides independent assessment of the viability of the overall program by looking at the viability of individual components
Information Owner / Custodian
aka Information Owner/Steward in NIST
responsible for ensuring the system owner is aware of the requirements for protecting their information based on its sensitivity
Typically the information owner and the system owner are the same entity, but the information owner has authority over specified information and understands the ramifications if it is exposed to threats.
System Administrator / Manager
performs day-to-day administration and operation of the system
Implements many of the technical and operational security controls
Notifies ISSO of all system decisions they make
Demonstrates controls to the certifying agent during certification testing
Business Unit Manager
Often functions as a system owner
Authorization responsibilities typically include disseminating security information to subordinate personnel, determining priorities and resources for implementing corrective actions, enforcing security controls
Project Manager
Official tasked with performing system owner-related functions for a system in development.
Fulfills all the system authorization responsibilities of the system owner during the development phase.
Risk analyst
conducts risk assessments
supports risk-related activities of all members of the system authorization team