Cyber Security Week 3 Homework Questions

List the 6 steps followed in IT Security or FISMA process as required by Risk Management Framework (RMF)
● Categorize - Select - Implement - Assess - Authorize - Monitor

Name the NIST publication that provides guidance for RMF
● Public Law 107-347

Name the NIST publication, especially the FIPS version, used for system security categorization.
● FIPS 199 and NIST SP 800-60

Name the NIST publication (including its revision number) from which security controls are selected.
● NIST Special Publication 800-53 Rev 4 and FIPS 200

Name the NIST publication that provides guidance on control assessment and indicates the controls for which interview, document examination and configuration testing (EIT testing procedures) may be performed.
● 800-53A

In what document are the security controls selected for a system and their implementation details documented by the ISSO?
● System Security Plan

What 2 security tasks are typically performed for continuous monitoring of controls on systems?
● Step 1: testing a portion, annually or periodically
● Step 2: vulnerability scanning

What NIST 800-53 control number requires that federal agencies must employ an independent assessor or IT security firm to assess their system for Assessment and Authorization (A&A) purposes?
● CA-2 Enhancement 1, a.k.a. CA-2(1)

What is the number of security control families contained in the NIST 800-53 control framework?
● 18

Name two classes of control other than the operational class, and how many operational controls are contained in NIST 800-53?
● Technical: 4
● Operational: 9
● 3 operational controls

What do you understand by common controls in an organization?

Name 2 examples of dash-1 controls, and what do these controls require that the organization should have in place?
● They require the existence of policy and procedures
● AC-1: Access Control Policy & Procedures
● AT-1: Awareness & Training Controls

Which of low or moderate security categorized systems requires control enhancements to be selected?
● Moderate

Which government Act instituted FISMA, and which institute was given the mandate to develop RMF?
● Federal Information Security Management Act, and mandated by OMB

What is an SSP, and is it only used in a particular stage of the RMF?
● System Security Plan (SSP). The SSP is an overall document that indicates the security plan of the system.

What is a Security Assessment Report (SAR) and what is it used for?
● The Security Assessment Report (SAR) is produced after determining the overall risk level of the noted controls, weaknesses, or findings using the NIST 800-30 Risk Assessment Guide.

What is a POA&M and why is it created?
● The Plan of Action and Milestones (POA&M) is created to correct the audit findings which are identified through vulnerability scanning, penetration testing or other assessment methods used.

List the RMF stages and identify the security officials responsible for each stage
● Categorize -> information systems
● Select -> security controls
● Implement -> security controls
● Assess -> security controls
● Authorize -> information system
● Monitor -> security controls