Domain 2 - Scope of the System Flashcards
What does system scoping define?
Scoping of the system is a critical step in the risk management process, as it defines the boundaries and characteristics of the system that will be assessed and protected.
What does scoping of the system help to identify?
Scoping of the system helps identify the system's:
- assets
- functions
- interconnections
- dependencies
- area of operations
- users
- stakeholders
as well as the:
- applicable laws
- regulations
- policies
- and standards
that govern the system.
What does scoping of the system help to determine?
Scoping of the system also helps to determine the level of risk that the system poses to the organization and its mission, and the level of effort and resources that will be required to manage the risk.
The scoping process consists of four main activities. What are they?
The scoping process consists of four main activities:
1. defining the system
2. identifying the system context
3. determining the system categorization
4. documenting the system scope
Explain the scoping process step: Defining the system.
This activity involves describing the system’s:
- purpose
- function
- architecture
as well as the system’s:
- components
- interfaces
- data flows
The system definition should provide a clear and comprehensive understanding of what the system is, what it does, and how it works.
Explain the scoping process step: Identifying the system context.
Identifying the system context.
This activity involves identifying the system’s environment, including:
- the physical
- logical
- organizational aspects
The system context should provide a clear and comprehensive understanding of where the system is located, how it is connected, and who is involved with the system.
Explain the scoping process step: Determining the system categorization.
Determining the system categorization
This activity involves assigning a security impact level to the system based on the potential adverse effects that a loss of:
- Confidentiality
- Integrity
- Availability
would have on the organization and its mission.
The system categorization should provide a clear and consistent basis for selecting the appropriate security controls and risk mitigation strategies for the system.
Explain the scoping process step: Documenting the system scope.
Documenting the system scope
This activity involves creating a system scope statement that summarizes the results of the previous activities and defines the boundaries and characteristics of the system that will be subject to the risk management process.
The system scope statement should provide a clear and concise reference for the:
- System owners
- managers
- stakeholders
the risk management team, and other relevant parties.
Every organization depends on three types of resources to achieve its goals and objectives.
What are they?
In broad terms, these resources can be grouped as:
- materials
- supplies
- assets
What are Materials?
Materials are the inputs to manufacturing processes:
- the plastic for an injection mold or 3D-printed parts and packaging,
- the electronic components
- or subassemblies (at the board or unit level),
- fasteners,
- and so on.
Materials come in, finished goods go out.
What are supplies?
Supplies are items that are consumed by that manufacturing process (or the managing of it):
- chemicals
- shipping and packing supplies
- wire
- glue
- paper and pens in the office
are all examples of supplies.
What are Assets?
Assets are the heart of business processes; without them, nothing gets done.
Assets remain with the organization. They might be purchased or otherwise acquired from the marketplace or developed in-house.
What are tangible assets?
Tangible assets are those that have physical existence, such as
- computer servers
- buildings
What are intangible assets?
Intangible assets are those that exist in the mind:
- they are ideas
- data
- information
- plans
- processes
- questions
Consider a typical database used by an organization.
Name the intangible and tangible assets involved.
- The data contained in a database is one intangible asset
- The software that is the database management system (DBMS) is another intangible asset
- The storage array or subsystem it physically resides on is a tangible asset, while the software executes on a combination of processors (more tangible assets)
- The endpoint device that an employee uses to access the database (via its applications) is connected to the system via a network (another tangible asset)
- The procedural knowledge in the employee's head is an intangible asset, which is tacit knowledge if not written down in a procedure (which makes it explicit knowledge).