ISC2 Notes Deck

Systems Inventory Key Roles

Management (support)
CISO (execution and implementation)
ISSO (ISO primary security POC)
Systems Managers (primary role)
LOB IT Security Manager (Inventory collection from ISOs)
CEO (approval of policy & procedures)

Qualifications for combining systems

1) Systems can be grouped when all systems in the group fall under the responsibility of the same system owner
2) Each must process in the same operating environment (e.g. same server)
3) Each must be protected within a common security perimeter (e.g. same co

System Authorization

Everything must be certified

Accreditation boundaries (best to proceed in this order)

1) Business Processes
2) Security Perimeter
3) Ownership

Inventory Process

1) Identify business process
2) Identify supporting information technology resources
3) Categorize resources as types of systems
4) Classify systems by determining their needs for protection based on a) disclosure b) destruction c) denial
5) Complete the systems inventory

CIO

Who approves the inventory?

Tools for managing the inventory program

1) inventory form
2) inventory change form
3) organization inventory summary

For interconnecting systems

1) Need a memorandum of agreement (MOA)
2) The MOA is then supplemented with a more detailed interconnection security agreement (ISA)
(Both are critical and must be reviewed in the system authorization process)

Impact analysis

What is categorization based on?

Business requirements

Requirements

Security controls

Based on sensitivity of data

Categorization is performed for this reason

1) determine the types of information included within the security authorization boundary
2) determine the security requirements for the information types
3) determine the potential impact on the organization resulting from a security compromise

Categorization results are used to:

A) develop the security plan (basis)
B) select security controls
C) determine the risk inherent in operating the system

FISMA

What replaced the computer security act of 1987?

Overall sensitivity level

What can be based on aggregated sensitivity levels?

Overall sensitivity level

FIPS 199 refers to this as the "high water mark" that is to be used in defining the security category

Data Classification Examples

A) public
B) internal use
C) restricted

FIPS 199 Categorization

Align security categories to recommended initial baseline sets of security controls according to NIST SP 800-53

NIST SP 800-18

Provides examples for describing various sensitivity rankings for a government system (high, moderate, low)

Information taxonomy or catalog (required to comply with FIPS 199)

Maps types of information to security objectives (confidentiality, integrity, availability) and impact levels (high, moderate, low); NIST SP 800-60 provides more information on this.

Business Reference Model (BRM)

Organized, hierarchical framework for describing the day-to-day business operations of the federal government. Uses a functionality-driven approach to represent the business of an organization. Provides a structured approach to classifying system data. Th

E-Government Act of 2002

A) strengthened privacy protection requirements
B) under its terms, federal agencies have specific responsibilities regarding the collection, dissemination, or disclosure of information on individuals

National Information Assurance Certification & Accreditation Process (NIACAP)

Rather than NIST 800-37, how are National security information systems certified and accredited?

National Security Telecommunications & Information Systems Security Committee (NSTISSC)

Developed the NIACAP. Now replaced by the CNSS (Committee on National Security Systems).

System Security Authorization Agreement (SSAA)

Used by NIACAP to document accreditation requirements; similar to the NIST system security plan (SSP).

NIACAP Methodology

1) definition
2) verification
3) validation
4) post accreditation

Roles & responsibilities for authorizing using NIACAP

Almost the same as NIST 800-37; however, the AO is referred to as the designated approving authority (DAA) and the certifying agent is the certifier.

CI/KR

Critical Infrastructure Information Act of 2002 (Public Law 107-296)

BIA

Methodology normally used to quantify the criticality of systems based on the amount of time an organization can tolerate the non-availability of a system

CISO

Who should perform an annual review of the criticality of the system?

Security Control Baseline

A) established by determining the controls required to protect the system based on the system's security categorization
B) tailored and supplemented in accordance with the organizational assessment of risk and local parameters (relies on a risk assessment)
C) docum

NIST SP 800-53 defines three levels of controls for countering malicious code, according to system sensitivity

1) low sensitivity - automatic updates
2) moderate sensitivity - automatic updates + organizational managed virus protection
3) high sensitivity - automatic updates + system automated virus protection

International Organization for Standardization 27002

A method by which minimum security baselines can be developed (just as with NIST SP 800-53, which is government-wide)

HIPAA

Health Insurance Portability & Accountability Act

GLBA

Gramm-Leach-Bliley Act

HIPAA & GLBA

Both mandate certain controls that must be taken into consideration when creating the baseline of controls for certain businesses

Minimum baseline controls should take these factors into consideration

A) organization policies
B) management statements & strategies
C) contracts
D) laws
E) operational rules
F) legal obligations
G) privacy needs
H) proprietary & trade secret requirements
I) other governing regulations

Minimum security baselines must address these

A) management controls
B) operational controls
C) technical controls

CISO

Commonly develops common controls and is an agency-level official who provides direction to the ISOs regarding which controls will be implemented outside of the ISOs' control

System Owners

Who determines the impact of weaknesses in common controls & can formulate a plan for addressing them?

Hybrid

What controls have characteristics of both common controls and system specific?

Security Plan

This document should specify the category for each control (system specific, common, hybrid)

FRAP

Facilitated Risk Assessment Process; a tool for risk assessment