RMF Step 4 - Security Control Assessment


Assurance Case

A structured set of arguments and a body of evidence showing that an information system satisfies specific claims with respect to a given quality attribute.

Penetration Testing

A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system.

Coverage

An attribute associated with an assessment method that addresses the scope of the assessment objects included in the assessment (e.g., types of objects to be assessed and the number of objects to be assessed by type). The values hierarchically from less to more are: basic, focused, and comprehensive.

Continuous Monitoring

Maintaining ongoing awareness to support organizational risk decisions.

Assessment Object

The item (i.e., specifications, mechanisms, activities, individuals) upon which an assessment method is applied during an assessment.

Environment of Operation

The physical surroundings in which an information system processes, stores, and transmits information.

Tailoring (Assessment Procedures)

The process by which assessment procedures defined in Special Publication 800-53A are adjusted, or scoped, to match the characteristics of the information system under assessment, providing organizations with the flexibility needed to meet specific organizational requirements and to avoid overly-constrained assessment approaches.

Security Control Assessment

The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Network Sniffing

A passive technique that monitors network communication, decodes protocols, and examines headers and payloads for information of interest. It is both a review technique and a target identification and analysis technique.

Assessment Procedure

A set of assessment objectives and an associated set of assessment methods and assessment objects.

Internal Security Testing

Security testing conducted from inside the organization's security perimeter.

External Security Testing

Security testing conducted from outside the organization's security perimeter.

Passive Security Testing

Security testing that does not involve any direct interaction with the targets, such as sending packets to a target.

Active Security Testing

Security testing that involves direct interaction with a target, such as sending packets to a target.

Security Control Effectiveness

The measure of correctness of implementation (i.e., how consistently the control implementation complies with the security plan) and how well the security plan meets organizational needs in accordance with current risk tolerance.

Security Assessment Plan

The objectives for the security control assessment and a detailed roadmap of how to conduct such an assessment.

Root Cause Analysis

A principle-based, systems approach for the identification of underlying causes associated with a particular set of risks.

Assessment Objective

A set of determination statements that express the desired outcome for the assessment of a security control or control enhancement.

Comprehensive Testing

A test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Also known as white box testing.

Basic Testing

A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object. Also known as black box testing.

Focused Testing

A test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object. Also known as gray box testing.

Examine

A type of assessment method characterized by checking, inspecting, reviewing, observing, studying, or analyzing assessment objects to facilitate understanding and achieve clarification (or obtain evidence) to support the determination of security control effectiveness over time.

Interview

A type of assessment method characterized by conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or lead to the location of evidence; the results are used to support the determination of security control effectiveness over time.

Specification

An assessment object that includes document-based artifacts (e.g., policies, procedures, plans, system security requirements, functional specifications, and architectural designs) associated with an information system.

Activities

An assessment object that includes specific protection-related actions supporting an information system that involve people (e.g., conducting system backup operations, monitoring network traffic).

Depth

An attribute associated with an assessment method that addresses the rigor and level of detail associated with the application of the method. The values hierarchically from less to more are: basic, focused, and comprehensive.

Executive Agency

An executive department specified in 5 U.S.C., Section 101; a military department specified in 5 U.S.C., Section 102; an independent establishment as defined in 5 U.S.C., Section 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.

Assessment Findings

Assessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition.

Rules of Engagement (ROE)

Detailed guidelines and constraints regarding the execution of information security testing. The BLANK is established before the start of a security test, and gives the test team authority to conduct defined activities without the need for additional permissions.

Assessment Method

One of the three types of actions (i.e., examine, interview, test) taken by assessors in obtaining evidence during an assessment.

Vulnerability Assessment

Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

Supplementation (Assessment Procedures)

The process of adding procedures or details to assessment procedures in order to adequately meet the organization's risk management needs.
