Cyber Security Week 3 Homework Questions
Week 3:
List the 6 steps followed in the IT Security or FISMA process as required by the Risk Management Framework (RMF)
● categorize - select - implement - assess - authorize - monitor
Name the NIST publication that provides guidance for RMF
● Public Law 107-347
Name the NIST publication, especially the FIPS version, used for system security categorization.
● FIPS 199 and NIST SP 800-60
Name the NIST publication (including its revision number) from which security controls are selected.
● NIST Special Publication 800-53 Rev 4 and FIPS 200
Name the NIST publication that provides guidance on control assessment and indicates the controls for which interview, document examination and configuration testing (EIT testing procedures) may be performed.
● 800-53A
In what document are the security controls selected for a system and their implementation details documented by the ISSO?
● System Security Plan
What 2 security tasks are typically performed for continuous monitoring of controls on systems?
● Step 1: testing a portion, annually or periodically
● Step 2: vulnerability scanning
What NIST 800-53 control number requires that federal agencies must employ an independent assessor or IT security firm to assess their system for Assessment and Authorization (A&A) purposes?
● CA-2 Enhancement 1, a.k.a. CA-2(1)
What is the number of security control families contained in the NIST 800-53 control framework?
● 18
Name two classes of control other than the operational class, and how many operational controls are contained in NIST 800-53?
● Technical (4)
● Operational (9)
● 3 operational controls
What do you understand by common controls in an organization?
Name 2 examples of dash-1 controls, and what do these controls require that the organization should have in place?
● They will require the existence of policy and procedures
● AC-1: Access Control Policy & Procedures
● AT-1: Awareness & Training Controls
Which of low or moderate security categorized systems requires control enhancements to be selected?
● moderate
Which government Act instituted FISMA and which institute was given the mandate to develop RMF?
● Federal Information Security Management Act; mandated by OMB
What is an SSP and is it only used in a particular stage in the RMF?
● System Security Plan (SSP). The SSP is an overall document that indicates the security plan of the system.
What is a Security Assessment Report (SAR) and what is it used for?
● The Security Assessment Report (SAR) is produced after determining the overall risk level of the noted controls, weaknesses, or findings using the NIST 800-30 Risk Assessment Guide.
What is a POA&M and why is it created?
● The Plan of Action and Milestones (POA&M) is created to correct the audit findings identified through vulnerability scanning, penetration testing or other assessment methods used.
List the RMF stages and identify the security officials responsible for each stage
● categorize -> information systems
● select -> security controls
● implement -> security controls
● assess -> security controls
● authorize -> information system
● monitor -> security controls