Misc. Flashcards
Assessment Object
AIMS
- Activity
- Individual
- Mechanism
- Specification
Assessment Objective Methods
TIE
- Test
- Interview
- Examine
Assessment Objective Security Control Classes
MOT
- Management
- Operations
- Technical
An Information System containing what cannot have a confidentiality impact level below moderate?
- Privacy Information
- Trade Secrets
6 Steps of the Tailoring Guidance
- Identifying and Designating Common Controls
- Applying Scoping Considerations
- Selecting Compensating Controls
- Assigning Security Control Parameter Values
- Supplementing Baseline Security Controls
- Providing Additional Specification Information for Implementation
Tiered Roles
Tier 1:
- Organization (Governance)
- Head/CEO, CIO, SISO, RE
Tier 1/2:
- CCP, ISO, SCA
Tier 2:
- Mission/Business Process (Information Flow)
- AO, AODR
Tier 3:
- Information System (Environment of Operations)
- ISO, IO, ISSO, ISSE
Organizational Risk Frame
determines Risk Assessment Model
- Risk Assumptions
- Risk Constraints
- Priorities and Tradeoffs
- Risk Tolerance
- Uncertainty
NIST 800-60 Process
- Step 1: Identify Information Type
- Step 2: Select Provisional Impact Level
- Step 3: Review Provisional Impact Level and Adjust/Finalize Provisional Impact Level
- Step 4: Assign System Security Category
- Leads to Security Categorization and Security Control Selection
- Low = Minor/Limited
- Moderate = Serious
- High = Severe/Catastrophic
Risk Assessment Methodology
determined by Organizational Risk Frame
- Risk Assessment Process
- Risk Model
- Assessment Approach
- Analysis Approach
Risk Management Process; what is it, where is it from?
- NIST SP 800-39
- Frame
- Assess
- Respond
- Monitor
Risk Assessment Process; what is it, where is it from?
- NIST SP 800-39
- Prepare
- Conduct
- Communicate
- Maintain
What are the criteria for a National Security System? Where is it from?
- NIST SP 800-59
- Intelligence Activities
- Cryptographic Information
- Command and Control of Military Forces
- Weapon/Weapon System
- Military or Intelligence Missions
- Processes Classified Information
What is the standard wording for an effective control?
Implemented correctly, operating as intended and producing the desired outcome
Risk = ?
Likelihood x Impact
Threat and Vulnerability feed into Likelihood and Impact
Threat Source - initiates - Threat Event - exploits - Vulnerability - causing - Adverse Impact - producing - Organizational Risk
Enterprise Architecture
People
Process
Technology
Architecture Description Inputs
- Architecture Reference Models
- Segment and Solution Architectures
- Mission and Business Processes
- Information System Boundaries
Organization Inputs
- Laws, Directives, Policy Guidance
- Strategic Goals and Objectives
- Priorities and Resource Availability
- Supply Chain Considerations
CIO
- Will use words like “ensure a program does…”
- Primarily administrative
- Makes sure the ISCM program exists
- Ensures resources are available to support
- High level
- Inherently government function
SCA
- Will use words like “assessment” a lot
- Updates the SSP and SAR
- Submits the SAP for approval
- Has to be an engineer (technically competent)
SISO
- Responsible for developing and implementing the ISCM program
- Looks at initial monitoring strategy put together by the ISO and CCP
- Tracks and analyzes POAMs
CCP
- Only really involved a lot if some common controls need updating/remediation
RE
- Oversees strategy and program
- Matrix position
- Collaborates and shares news with everyone
- Uses words like: Shared, Communicated, Collaborated
- Inherently government position
AO
- Ensures security posture of the program is acceptable
- Makes authorization decisions
ISO
- Does the grunt work
- Ensures operational impacts are being done
- Conducts assessments
- Reports back to AO/SCA
- Updates documentation
- Only one who registers anything
ISSO
- Assists the ISO
Safeguards v Countermeasures
Safeguards are designed into a system to prevent risk
Countermeasures are reactive and added after the risk assessment
RTO
Recovery Time Objective
Amount of time a system is allowed to be down without impact
MTD
Maximum Tolerable Downtime
Maximum amount of time a system can be down
RPO
Recovery Point Objective
Point in time to which you want to be able to restore
Boxes and Knowledge
- Basic (Black Box) - Zero Knowledge
- Focused (Grey Box) - Partial Knowledge
- Comprehensive (White Box) - Full Knowledge, Explicit and substantial
Forms of Authorization
- Single Authorization
  - Traditional
  - One AO
- Joint Authorization
  - Multiple AOs (maybe different services)
  - Have to agree on everything
- Leveraged Authorization
  - Use an existing ATO and create your own ATO
  - Have to be willing to accept the risk or make changes (when able if it’s not your system)
  - i.e.: Cross service
Cleaning v. Purging
Cleaning is erasing, but data can be recovered using forensic capabilities (overwriting)
Purging is erasing, but the data cannot be recovered using forensic capabilities (degaussing)
Purging: Rendering sanitized data unrecoverable by laboratory attack methods
Continuous Monitoring Process
- Define/Monitor
- Establish
- Implement
- Analyze
- Respond
- Review
Risk Assessment and Risk Determination, in order
Threats
Vulnerabilities
Probability
Impact
Types of Assessment Approaches
Quantitative
Qualitative
Semi-Quantitative
Information Type
A specific category of information, defined by an organization or a specific law
Subsystems in a service-oriented architecture (SOA) or net-centric architecture are registered in RMF Task 1-3 by:
- Establishing a separate registration process
- As a subset of systems or registered separately as a dynamic subsystem
- Proper identification during system categorization
What is an Overlay?
A specification that may be more or less stringent than the original criteria for security controls, control enhancements, supplemental guidance and other supporting information employed during the tailoring process, and is intended to complement (and further refine) security control baselines.
What is Baseline Security?
The minimum security controls required for safeguarding an information technology system based on its identified impact levels for confidentiality, integrity and availability.
What types of security are the two fundamental components that affect the trustworthiness of information systems?
Functionality-related (does it work?)
Assurance-related (can I prove it?)
(cited in NIST SP 800-53)
What is a PIA?
Privacy Impact Assessment
Established by the E-Government Act of 2002
- Ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy
- Determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic IS
- Examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks
Configuration Management has the following benefits:
- Reliance
- Quality Control
- Risk Control
What is a hybrid control?
A control determined partly by the organization and partly system-specific
Contingency Planning Process (per NIST 800-34)
- Develop the contingency planning statement
- Conduct the Business Impact Analysis (BIA)
- Identify preventative controls
- Create contingency strategies
- Develop an information system contingency plan
- Ensure plan testing, training and exercises
- Ensure plan maintenance
Backup/Recovery Strategy for each Impact Level
Low
- Backup: Tape backup
- Strategy: Relocate or Cold site
Moderate
- Backup: Optical backup, WAN/LAN replication
- Strategy: Cold or Warm site
High
- Backup: Mirrored systems and disk replication
- Strategy: Hot site
Partial assessments can be performed and are reusable if:
the assessor is deemed to be independent and technically competent. Additionally, the security control must be under configuration or version management.
Logical flow for conducting security control assessments?
Assessment procedures, assessment objectives and assessment objects, all of which are evaluated using assessment methods
RMF Step 4 primary documents
- NIST 800-37
- NIST 800-53A
- NIST 800-115
Security control assessments provide:
- Evidence about the effectiveness of security controls
- Information about the strengths and weaknesses of the IS supporting organizational and business functions
- An indication of the quality of the risk management process employed within the organization
What documents form the Security Authorization Package?
- SSP for the system to be authorized
- SAR for the system to be authorized
- POAMs for the system to be authorized
- Same documents for all common control systems that are used to mitigate risks
Sanitization
Process to remove information from media such that information recovery is not possible. Includes removing all labels, markings and activity logs.
The security control analysis results and recommended changes are contained in the:
Security Assessment Report (SAR)
The structure for POAMs is determined by:
The Office of Management and Budget (OMB)
The pillars of continuous monitoring are:
- Ongoing authorization
- Near real-time risk management
Continuous Monitoring Strategy ensures that:
- Items on the POAM receive adequate oversight
- Controls with greater volatility or importance are assessed more frequently
- Control implementations that have changed since the last assessment are reevaluated
Primary reference documents for RMF Step 6?
NIST SP 800-37
NIST SP 800-53A
Before a rescission letter, the AO consults with:
SISO and RE
Per NIST 800-55, performance management criteria translate into KPIs using what evaluation criteria?
- Measures of effectiveness
- Measures of efficiency
- Impact measures
Compliance Management is:
A collection of processes employed to ensure that an agency conforms to the legal, policy and associated regulatory mandates that apply to a system
Adequate security
Security commensurate with the risk and magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of information
System of Records Notice
An official notice of an organization’s system(s) of records, as required by the Privacy Act of 1974, that identifies:
- the purpose for the system of records
- the individuals covered by information in the system of records
- the categories of records maintained about individuals
- the ways in which the information is shared
Information System
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of information
Threat Source
The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability
Threat Scenario
A set of discrete threat events, associated with a specific threat source or multiple threat sources, partially ordered in time
Threat Event
An event or situation that has the potential for causing undesirable consequences or impact
NIST 800-37 Steps
- Categorize the IS
- Select Security Controls
- Implement Security Controls
- Assess Security Controls
- Authorize the IS
- Monitor Security Controls
Organizational Risk Management Strategy includes
- SORN
- Strategic Goals and Objectives
- Organizational Culture and Infrastructure
- Investment Strategies?
Risk Response options:
Risk Acceptance
Risk Avoidance
Risk Transfer/Sharing
Risk Mitigation
Combination of above
Interconnecting system phases
From NIST SP 800-47
Plan
Establish
Maintain
Disconnect
Incident Response Phases
- Prepare
- Detect and Analyze
- Containment, Eradication and Recovery
- Post-Incident Activity
Security Configuration Management Process
- Planning
- Identifying and Implementing Configurations
- Controlling Configuration Changes
- Monitor
Inherently government roles
- CIO
- RE
- SISO
- AO/DR
- IO/Steward
- CEO (no primary roles)
Depth means ?
Coverage means ?
Depth = Rigor
Coverage = Scope
Risk assessment incorporates
threat and vulnerability analysis and considers mitigations
NIST 800-60 Exceptions/Key Statements
- Aggregation
- Privacy and Trade Secrets require minimum Moderate Confidentiality impact value
- PIA must exist before developing systems with PII
- The system categorization process, including determination of impact values, is reused during development of a BIA
- System categorization contributes and provides inputs into capital planning and investments processes
- Info sharing and system interconnection agreements should use aggregated and individual security categorization when assessing interconnection agreements
- Specific guidance is provided related to critical infrastructure programs (CIP) and the relationship to Homeland Security Presidential Directive 7
Defense-in-Depth
Defense-in-Breadth
Defense-in-Depth:
Strategy to establish visible barriers across multiple layers and dimensions
Defense-in-Breadth:
Set of activities that seeks to identify, manage and reduce risk of exploitable vulnerabilities at every stage of the system