Risk Management Flashcards
Tiers of Risk Management
Tier 1 - Organization (governance)
*What does your organization do?
Tier 2 - Mission (Business Process)
*How are you going to accomplish business goals?
Tier 3 - Information System (Environment of Operations)
*System put in place to accomplish the above
RMF
NIST standards and guidance documents to provide a process to reveal risks and protect from threats - helps leadership understand the current status of their security programs and security controls protecting the IS
RMF Steps
1) Categorize - Categorize the information and information system
2) Select - Select a baseline of security controls and tailor it; this produces the SSP
3) Implement
4) Assess - once you assess, you get the SAR
5) Authorize - once you authorize, you get POA&M
6) Continuous Monitoring
Roles & Responsibilities - Highest Level
CEO - head of agency - overall responsibility to provide information security protections
Roles & Responsibilities - 2nd highest
Risk Executive - helps to ensure that risk-related considerations from individuals and risks from systems are treated consistently
Roles & Responsibilities - 3rd highest
CIO - appoints the SAISO (Senior Agency IS Officer) - develops & maintains policies, procedures, control techniques, and training; oversees personnel; assists senior officials; reports annually to the head of the federal agency
Roles & responsibilities - 4th highest
CISO or SISO (Chief or Senior information security officer) - head of organization’s security program office and serves as liaison to SOs, AOs, and ISSOs
Roles & responsibilities - 5th highest
AO - makes final decision on ATO - risk is deemed acceptable
Roles & responsibilities - 6th highest
AODR - Authorizing Official Designated Representative - acting for AO, can assist but cannot issue ATO
Roles & Responsibilities - 7th highest
Information owner - creates policies and procedures, understands and manages their information, provides input to the SO regarding requirements and controls for how information is processed, stored, or transmitted
SO - responsible for overall procurement, development, integration, modification, operation, maintenance, disposal of an information system
Roles & Responsibilities - 8th highest
ISSO - helps ensure the security posture is maintained - advisor on all matters involving the security of the information system
Roles & Responsibilities - 9th highest
Security architect - as changes occur, assesses the risks & implements new controls as needed to safeguard the system
e.g. expansions in network connectivity, changes to existing infrastructure & policies, introduction of new technologies
Roles & Responsibilities - 10th highest
Security Engineers - conduct security engineering activities, captures and refines requirements and ensures requirements are integrated through architecting, design, development, & configuration
Roles & Responsibilities - 11th highest
SCA - Security Control Assessor - assess controls - recommend corrective actions - prepares the SAR
Roles & Responsibilities - 12th highest
Common Control Providers - responsible for overseeing inherited controls