Risk Management Flashcards

1
Q

Tiers of Risk Management

A

Tier 1 - Organization (governance)
*What does your organization do?

Tier 2 - Mission (Business Process)
*How are you going to accomplish business goals?

Tier 3 - Information System (Environment of Operations)
*System put in place to accomplish the above

2
Q

RMF

A

NIST standards and guidance documents that provide a process to reveal risks and protect against threats - helps leadership understand the current status of their security programs and of the security controls protecting the IS

3
Q

RMF Steps

A

1) Categorize - Categorize the information and the information system
2) Select - Select a baseline of security controls and tailor it; this produces the SSP
3) Implement
4) Assess - once you assess, you get the SAR
5) Authorize - once you authorize, you get the POA&M
6) Continuous Monitoring

4
Q

Roles & Responsibilities - Highest Level

A

CEO - head of agency - overall responsibility to provide information security protections

5
Q

Roles & Responsibilities - 2nd highest

A

Risk Executive - helps to ensure that risk-related considerations from individuals and risks from systems are consistent

6
Q

Roles & Responsibilities - 3rd highest

A

CIO - appoints the SAISO (Senior Agency IS Officer) - develops & maintains policies, procedures, control techniques, and training; oversees personnel; assists senior officials; reports annually to the head of the federal agency

7
Q

Roles & responsibilities - 4th highest

A

CISO or SISO (Chief or Senior Information Security Officer) - heads the organization’s security program office and serves as liaison to SOs, AOs, and ISSOs

8
Q

Roles & responsibilities - 5th highest

A

AO - makes the final decision on the ATO - whether the risk is deemed acceptable

9
Q

Roles & responsibilities - 6th highest

A

AODR - Authorizing Official Designated Representative - acts for the AO; can assist but cannot issue the ATO

10
Q

Roles & Responsibilities - 7th highest

A

Information owner - creates policies and procedures; understands and manages their information; provides input to the SO regarding requirements and controls for how info is processed, stored, or transmitted

SO - responsible for the overall procurement, development, integration, modification, operation, maintenance, and disposal of an information system

11
Q

Roles & Responsibilities - 8th highest

A

ISSO - helps ensure the security posture is maintained - advisor on all matters involving the security of the information system

12
Q

Roles & Responsibilities - 9th highest

A

Security architect - as changes occur, they assess the risks & implement new controls as needed to safeguard the system

e.g. expansions in network connectivity, changes to existing infrastructure & policies, introduction of new technologies

13
Q

Roles & Responsibilities - 10th highest

A

Security Engineers - conduct security engineering activities; capture and refine requirements and ensure requirements are integrated through architecting, design, development, & configuration

14
Q

Roles & Responsibilities - 11th highest

A

SCA - Security Control Assessor - assesses controls - recommends corrective actions - prepares the SAR

15
Q

Roles & Responsibilities - 12th highest

A

Common Control Providers - responsible for overseeing inherited controls

16
Q

Roles & Responsibilities - 13th highest

A

Security Practitioners - after engineers implement the requirements, practitioners use the IS to ensure accurate implementation

e.g. DB admins, computer specialists, security analysts, security consultants