S3-m3 Flashcards
NIST Special Publication 800-39
The risk management framework outlines a comprehensive process to manage risk by applying four components
-Risk Framework
-Assess Risk
-Respond to Risk
-Monitor Risk
Risk Framework
Involves defining, or framing, the environment in which risk-based decisions are made. The purpose of this component is to form a strategy that enables a company to assess, respond to, and monitor risk. Companies must identify
-Risk assumptions
-Risk constraints
-Risk tolerance
-Priorities and trade-offs
Assess Risk
This component addresses the way companies assess risk in the context of the risk framework. The goal is to identify
-threats to nations, organizations, individuals, assets or operations
-vulnerabilities internal and external to orgs and entities
-the harm that may occur given the potential for threats exploiting vulnerabilities
-the likelihood that harm will occur
Respond to Risk
The purpose of this component is to provide a consistent, organization-wide response based on the risk assessment results by:
-developing alternative courses of action
-evaluating the alternative courses of action
-determining appropriate courses of action consistent with organizational risk tolerance
Monitor Risk
To evaluate and monitor risk over time by:
-determining the ongoing effectiveness of risk responses
-identifying risk-impacting changes to organizational information systems and the environments in which the systems operate
-verifying that planned risk responses are implemented and that information security requirements are satisfied
Security assessment engagements involve…
addressing the second component of the risk management framework, which includes performing a risk assessment and testing controls to obtain data on the company’s current state.
-often results in a SAR to management
Examination
Assessment Method
Process of analyzing, observing, and reviewing one or more assessment objects, security activities, or relevant operations
Interviewing
Assessment Method
Involves having individual or group discussions to better understand, collect, and evaluate evidence
Testing
Assessment Method
The process of testing assessment objects that reflect how the object performs in its current state compared to a target expected state
Security Assessment Reports (SARs)
Issued as evidence of controls complying, or not complying, with stated security goals and objectives. NIST defines a security assessment report as a report that provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified issues or vulnerabilities in the security controls
Satisfied Rating
Indicates the assessment objective was met and yielded an acceptable result
Other Than Satisfied Rating
Indicates that an assessor could not obtain sufficient information to meet the statements in the assessment procedure.
Summary of Findings
SARs
The introductory portion of the SAR gives a synopsis of key findings and recommended actions to address weaknesses or deficiencies
System Overview
SARs
The overview section of the SAR outlines the information management system being assessed, including hardware, software, personnel, and other relevant resources
Assessment Methodology
SARs
This part of a SAR explains the techniques and procedures utilized to perform the assessment