Understanding the Risk Management Framework & (ISC)2 CAP Module 2: Introduction
0 likes527 views
The document outlines the importance of security authorization processes, describing roles, responsibilities, and legal requirements for establishing effective security controls in information systems. It highlights the risk management framework (RMF) phases and emphasizes the necessity of management support for successful program implementation. Key factors include the management's role in authorizing operations and accepting associated risks based on an agreed set of security controls.
Understanding the Risk Management Framework & (ISC)2 CAP Module 2: Introduction
- 2. What is Security Authorization? Employing an applicable Security Authorization Process Roles and Responsibilities Legal, Regulatory and Other Requirements Common Controls and Control Inheritance Risk Management Framework (RMF) Phases System Development Life Cycle (SDLC)
- 11. “Certification and accreditation is the methodology used to ensure that security controls are established for an information system, that these controls are functioning appropriately, and that management has authorized the operation of the system in is current security posture.” - Official (ISC)2 Guide to the CAP CBK (1st ed.)
- 12. Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. - CNSS Instruction No. 4009
- 15. • Management • Operational • Technical • Implemented correctly • Operating as intended • Producing the desired outcome
- 16. official management decision to operate budget and business operations
- 17. “The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.” - NIST SP 800-37 rev 1
- 21. Why are Agencies riddled with security holes?
- 23. http://gcn.com/articles/2011/07/06/cyber-attacks-take-2-energy-labs-offline.aspx
- 27. What are some key factors in creating a successful RMF program?
- 28. business enabler
- 32. • Need consistent management support • Without management support people will not fulfill their obligations to the project • Without management support you will not have access to needed resources and funding • The Senior Information Security Officer (SISO) can keep the program visible by giving regular updates to c-level management
- 35. Reference: http://www.tess-llc.com/Certification%20&%20Accreditation%20PolicyV4.pdf
- 36. Life-cycle for the development of the documentation for the RMF process • Awareness • Monitoring • Enforcement • Maintenance • Retirement • Communication • Compliance • Exceptions • Creation • Review • Approval Development Implementation MaintenanceDisposal