ISC(2) CAP: RMF Roles & Responsibilities


Security Control Assessor

- Conduct SSP Assessments
- Conduct Control Assessments
- Provide Assessment of Deficiencies (findings)
- Recommend Corrective Action
- Prepare Security Assessment Report (SAR)
- Independence of these people leads to: (i) Unbiased Assessment Processes; (ii) Objective Information for Risk Determination

Authorizing Official Designated Representative

- Assists the Authorizing Official (AO)
- Can NOT grant an ATO

Information Owner/Steward

- Authority for Specified Information
- May or May Not Be the Same as System Owner
- Provide Input to Information System Owners
- Rules of Behavior
- Single System May Contain Information from Multiple Information Owners/Stewards

Senior Information Security Officer (aka CISO)

- Carries Out the CIO FISMA Responsibilities
- Primary Liaison for CIO to Organization's Senior Officials
- Possesses Professional Qualifications
- Heads Office That Conducts FISMA Reporting

Chief Information Officer (CIO)

- Designating SISO (aka CISO)
- Information Security Policies
- Ensuring Adequately Trained Personnel
- Assisting Senior Officials with Their Security Responsibilities
- Appropriate Allocation of Resources
- FISMA Reporting

Common Control Provider

- Documenting Common Controls
- Validating Required Control Assessments
- Documenting Assessment Findings in SAR
- Producing POAMs

Information System Security Officer (ISSO)

- Ensures Appropriate Security Posture
- Principal Advisor
- Day-to-Day Security Operations, including: (i) Environmental; (ii) Physical; (iii) Personnel; (iv) Incident Handling; (v) Training and Awareness
- Policies and Procedures
- Active System Monitoring

Risk Executive (Function)

- Ensures Risk-related Considerations Are Organization-wide
- Consistent Across Organization
- Coordinates with Senior Leadership to: (i) Provide Comprehensive Approach; (ii) Develop a Risk Management Strategy; (iii) Facilitate Sharing of Risk Information; (iv) Provide Oversight; and (v) Provide Forum to Consider All Risk Sources

Information System Owner

- Focal Point for Information System (IS)
- Responsible for IS Throughout the SDLC
- Addressing the Operational Interests of User Community
- Ensuring Compliance with Information Security Requirements
- SSP Development and Maintenance
- Deciding Who Has Access to the System
- Works with Assessor to Remediate Deficiencies (findings)
- aka "Program Manager"

Authorizing Official (AO)

- Formally Assumes Responsibility for System
- Budgetary Oversight
- Accountable for Security Risks
- Senior Management Position
- Approve Security Plans (SSP) and Plan of Actions and Milestones (POAMs)
- An Information System May Involve Multiple AOs
- Authorizing Official Designated Representative
- The Only Person That Can Grant an ATO

Head of Agency (Chief Executive Officer)

- Highest-level Senior Official
- Overall Responsibility: Information & Information Systems
- Security Integrated with Strategic and Operational Processes
- Sufficiently Trained Personnel
- Establishes Appropriate Accountability
- Provides Active Support
- Oversight of Monitoring

Information System Security Engineer (ISSE)

- Part of the Development Team
- Employ Security Control Best Practices
- Coordinate Security-related Activities
- Also responsible for: a process that captures and refines information security requirements and ensures that the requirements are effectively integrated into information technology component products and information systems through purposeful security architecting, design, development, and configuration

Information Security Architect

- Security Requirements Adequately Addressed in Enterprise Architecture: (i) Reference Models; (ii) Segment and Solution Architectures; (iii) Resulting Information System
- Liaison Between the Enterprise Architect and Information System Security Engineer
- Advisor to Senior Officials on: (i) System Boundaries; (ii) Assessing Severity of Deficiencies (findings); (iii) POAMs; (iv) Risk Mitigation Approaches; (v) Security Alerts
