GRC WEEK 2 CHAPTERS 3 & 4 Flashcards
What is the objective of the PREPARE step in the RMF process?
To carry out the essential activities at the organization, mission/business process, and information system levels that prepare the organization to manage its security and privacy risks using the RMF.
The PREPARE step is organized as seven tasks (P-1 through P-7) at the organization level, covered below.
What is TASK P-1 in the PREPARE phase?
Risk Management Roles
Individuals are identified and assigned key roles for executing the Risk Management Framework.
What does TASK P-2 involve?
Risk Management Strategy
Establishing a risk management strategy that includes a determination and expression of organizational risk tolerance.
What is the purpose of TASK P-3?
Risk Assessment—Organization
Completing or updating an organization-wide risk assessment.
What is defined in TASK P-4?
Organizationally-tailored Control Baselines and Cybersecurity Framework Profiles (optional)
Establishing, documenting, and publishing organizationally-tailored control baselines and/or Cybersecurity Framework Profiles.
What does TASK P-5 focus on?
Common Control Identification
Identifying, documenting, and publishing common controls available for inheritance by organizational systems.
What is the focus of TASK P-6?
Impact-Level Prioritization
Conducting a prioritization of organizational systems with the same impact level (optional).
What is developed in TASK P-7?
Continuous Monitoring Strategy—Organization
Developing and implementing an organization-wide strategy for monitoring control effectiveness.
What is the objective of the CATEGORIZE step?
To inform organizational risk management by determining the adverse impact of a loss of confidentiality, integrity, or availability of the information and the system, and to use that categorization to derive the system's high water mark.
Who is responsible for the categorization of the information system?
The System Owner and the Information Owner/Steward carry out the categorization; the Authorizing Official (or designated representative) reviews and approves it.
What guidance documents are referenced for the categorization process?
FIPS 199 (security categorization standard), NIST SP 800-18 (system security plans), SP 800-30 (risk assessments), SP 800-39 (managing information security risk), SP 800-60 (mapping information types to security categories), and CNSSI 1253 (categorization for national security systems).
Fill in the blank: Sensitivity is a measure of the _______ assigned to information by its owner for protection.
importance
Fill in the blank: Criticality is a measure of the degree to which an organization depends on the information for the success of a _______.
mission or business function
True or False: Information loses its sensitivity over time.
True
Sensitivity is not fixed; it can decrease (or increase) over time, so categorizations must be revisited. Example: economic or commodity projections are sensitive before release and lose that sensitivity once they have been published.
What are the three levels of potential impact defined by FIPS 199?
- Low
- Moderate
- High
What does the Confidentiality security objective protect against?
Preserving authorized restrictions on access and disclosure; a loss of confidentiality is the unauthorized disclosure of information to individuals or systems.
What is the definition of Integrity in the context of security objectives?
Guarding against improper modification or destruction of information, including ensuring non-repudiation and authenticity; a loss of integrity is unauthorized modification or destruction.
What does Availability ensure?
Timely and reliable access to and use of information; a loss of availability is the disruption of access to or use of information or the system.
What is the purpose of the High Water Mark concept?
For each security objective (confidentiality, integrity, availability), the system's impact value is the highest value assigned to that objective across all information types resident on the system. The system's overall impact level is then the highest of those three values; it selects the control baseline (low, moderate, or high).
What is included in the System Security Plan?
- System Description
- Categorization
- Description of Controls
- System Security Roles and Responsibilities
- System Operational Status
- System Environment
- System Interconnections
- Rules of Behavior
What is a key responsibility of the System Owner regarding the System Security Plan?
To develop the initial system security plan; the Authorizing Official (or designated representative) reviews and approves it.
What must be maintained in the System Security Plan?
It should be a living document and kept up to date.
What is the first step in the registration process of an information system?
Identifying the information system in the organization’s system inventory.
What are the inputs to the categorize process?
- System description
- Enterprise architecture
- Information types
What do the outputs of the categorize process include?
- Security category for each information type
- Information system’s security category and high water mark
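The high water mark and the categorize outputs above are easiest to see worked through. The following is an added example written for these flashcards, not material from the course or from NIST: it takes a set of information types with their (confidentiality, integrity, availability) impact values, applies the FIPS 199 per-objective maximum, and derives the system's overall impact level. The information types and impact values are constructed for illustration; real provisional values come from SP 800-60 Volume 2 and must be adjusted for the organization's mission.

```python
"""Worked FIPS 199 categorization and high-water-mark calculation.

Added example for these flashcards, not course material.  The sample
information types and their impact levels are constructed for illustration.
"""
from typing import Dict, Tuple

# FIPS 199 potential impact levels, in increasing order.  "N/A" is permitted
# only for the confidentiality objective of an information type intended for
# public release.
LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# A security category maps each objective to an impact level.
SecurityCategory = Dict[str, str]


def normalize_info_type(name: str, levels: Tuple[str, str, str]) -> SecurityCategory:
    """Validate one information type's (C, I, A) triple and key it by objective."""
    if len(levels) != len(OBJECTIVES):
        raise ValueError(f"{name}: expected (C, I, A), got {levels!r}")
    sc: SecurityCategory = {}
    for objective, level in zip(OBJECTIVES, levels):
        level = level.strip().upper()
        if level not in LEVELS:
            raise ValueError(f"{name}: unknown impact level {level!r} for {objective}")
        if level == "N/A" and objective != "confidentiality":
            raise ValueError(f"{name}: N/A is only allowed for confidentiality")
        sc[objective] = level
    return sc


def system_security_category(info_types: Dict[str, Tuple[str, str, str]]) -> SecurityCategory:
    """FIPS 199 system categorization.

    For each objective, the system's value is the highest value assigned to
    that objective across all information types resident on the system.
    FIPS 199 does not allow N/A at the system level: a system holding only
    public information is still at least LOW for confidentiality, because its
    own processing functions and configuration need protection.
    """
    if not info_types:
        raise ValueError("a system must have at least one information type")
    categories = [normalize_info_type(n, lv) for n, lv in info_types.items()]
    system_sc: SecurityCategory = {}
    for objective in OBJECTIVES:
        highest = max((sc[objective] for sc in categories), key=LEVELS.__getitem__)
        system_sc[objective] = "LOW" if highest == "N/A" else highest
    return system_sc


def high_water_mark(system_sc: SecurityCategory) -> str:
    """Overall system impact level: the highest of the three objective values.

    This is the value that selects the low, moderate or high control baseline.
    """
    return max(system_sc.values(), key=LEVELS.__getitem__)


def format_sc(label: str, sc: SecurityCategory) -> str:
    """Render a category in FIPS 199 notation, e.g.
    SC system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}"""
    pairs = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {label} = {{{pairs}}}"


# Constructed sample: a small HR portal.  Impact levels are illustrative only.
SAMPLE_SYSTEM = {
    "public web content": ("N/A", "LOW", "LOW"),
    "contract information": ("LOW", "LOW", "LOW"),
    "personnel records (PII)": ("MODERATE", "MODERATE", "LOW"),
}

if __name__ == "__main__":
    for name, levels in SAMPLE_SYSTEM.items():
        print(format_sc(name, normalize_info_type(name, levels)))
    sc = system_security_category(SAMPLE_SYSTEM)
    print(format_sc("system", sc))
    print("High water mark:", high_water_mark(sc))
```

Running it prints one SC line per information type, then the system category (MODERATE, MODERATE, LOW) and a high water mark of MODERATE for the sample. Note that a single moderate-impact information type lifts the whole system to the moderate baseline, which is why the optional P-6 prioritization and careful system boundary decisions matter in practice.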
What is NIST SP 800-60?
Guide for Mapping Types of Information and Information Systems to Security Categories. Volume 1 describes the mapping process; Volume 2 lists information types with provisional impact levels that the organization adjusts for its own mission.
What is the significance of changes in criticality and sensitivity?
They must be managed, because a change in either can alter the security category and high water mark, and therefore the adequacy of the controls already in place.