Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Controls
0 likes336 views
The document outlines the processes for conducting information security assessments, which involve evaluating the effectiveness of management, operational, and technical security controls. It describes three assessment methods: testing, examination, and interviewing, and emphasizes the importance of these assessments in supporting security accreditation decisions. The document also includes guidelines for planning, executing, and reporting on security control assessments to ensure compliance and risk management.
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Controls
- 14. Management Operational Technical Implemented correctly Operating as intended Producing the desired outcome factual basis for an authorizing official to render a security accreditation decision
- 15. An information security assessment is the process of determining how effectively an entity being assessed meets specific security objectives. Three types of assessment methods can be used to accomplish this—testing, examination, and interviewing. Assessment results are used to support the determination of security control effectiveness over time. - NIST SP 800-115
- 16. “Independent review and examination of records and activities to assess the adequacy of system controls and ensure compliance with established policies and operational procedures.” - CNSS Instruction No. 4009
- 17. “Examination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system.” - CNSSI No. 4009
- 18. Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors. Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence. Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence. Source NIST SP 800-115
- 19. “The security certification and accreditation process is designed to ensure that an information system will operate with the appropriate management review, that there is ongoing monitoring of security controls, and that reaccreditation occurs periodically.” NIST SP 800-100
- 20. “Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official to render a security accreditation decision.” NIST SP 800-100
- 23. From OMB M-10-15 - FY 2010
- 26. Planning Information Gathering Business Process Assessment Technology Assessment Risk Analysis & Reporting
- 33. Plan Execute Post Execution FISCAM NIST SP 800-115 Plan PerformReport
- 38. Task 1“Assemble any documentation and supporting materials necessary for the assessment of the security controls in the information system; if these documents include previous assessments of security controls, review the findings, results, and evidence.” Task 2 “Select, or develop when needed, appropriate methods and procedures to assess the management, operational, and technical security controls in the information system.” Task 3 “Assess the management, operational, and technical security controls in the information system using methods and procedures selected or developed.” Task 4 “Prepare the final security assessment report.” NIST SP 800-37
- 39. Task 1“Provide the information system owner with the security assessment report.” Task 2 “Update the system security plan (and risk assessment) based on the results of the security assessment and any modifications to the security controls in the information system.” Task 3 “Prepare the plan of action and milestones based on the results of the security assessment.” Task 4 “Assemble the final security accreditation package and submit to authorizing official.” NIST SP 800-37
- 45. *GAO recommends 65% of audit staff to be CISA
- 52. “Risk assessments should be used to guide the rigor and intensity of all security control assessment related activities associated with the information system to enable cost effective, risk- based implementation of key elements in the organization’s information security program” - NIST SP 800-37 rev 1
- 55. Populations over 250 Control Testing Sample Size Table Significance of Control Inherent Risk Minimum Sample Size1 High High 60 High Low 40 Moderate High 40 Moderate Low 25 Compliance Testing Sample Size Table Desired Level of Assurance Minimum Sample Size1 High 60 Moderate 40 Low 25 1: No exceptions expected
- 62.
- 81. Where is the best place to scan from? What strategy would you use to scan systems? External scan found 2 critical vulnerabilities Internal scan found 15 critical vulnerabilities Authenticated internal scan found 35 critical vulnerabilities
- 83. Observers & Referees Mimic real-world attacks Unannounced
- 84. Announced
- 85. Red Team “A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system. “ - CNSSI No. 4009
- 88. Authenticated internal scan found 35 critical vulnerabilities Discovery Gain Access Escalate Privilege System Browsing Install Tools External scan found 2 critical vulnerabilities Discovery Gain Access Escalate Privilege System Browsing Install Tools
- 100. DoDI 8510.01, November 28, 2007
- 101. DoDI 8510.01, November 28, 2007
- 107. implemented correctly, operating as intended, and producing the desired outcome