CIST 1601 Final IT 429 Final Exam Final., Exams of Information Security and Markup Languages

CIST 1601 Final IT 429 Final Exam Final. Latest Questions with Answers, 2024/2025 Edition.

Typology: Exams

2024/2025

Available from 12/07/2024

Martin-Ray-1
CIST 1601 Final IT 429 Final Exam Final.
Phase 1 - Minimum Baseline Security Controls? - Answer: The minimum controls that are allowed for a system. The baseline is calculated based on the highest score assigned to one of the CIA triad.

Phase 1 - What is the high water mark? - Answer: When doing security categorization, the highest required security level (low, moderate, high) becomes the actual categorization for a system.
For example:
Confidentiality: Low
Integrity: Moderate
Availability: Low
System categorization: Moderate

Phase 1 - What do baseline security controls represent? - Answer: A STARTING POINT for deciding what controls are required.

Phase 1 - Who is responsible for security categorization? - Answer: System Owner and Information Owner

Phase 1 - What documents are used in system categorization? - Answer: SP 800-60 volume 1 and 2; FIPS 199; technically FIPS 200 as well

Phase 1 - What is FIPS 200's relation to Security Categorization? - Answer: High level: Allows you to assess impact. Helps guide rule makers as to what info systems and information can be included in each category and the impact level (low, moderate, high). Helps map impact levels in a consistent way.

Phase 1 - What are the security levels in Security categorization and what is the CIA triad? - Answer: Low, moderate, high. Confidentiality, Availability, Integrity.

Phase 1 - After FIPS 200 water mark is used and a level of security controls is created... what's next? - Answer: 800-53 helps you

  • If they are under the same budget
  • If they support the same mission
  • The same environment of operation

Phase 1 - What are some types of systems? 3 - Answer:
  • GSS - General support system
  • MA - Major Application
  • MIA - Minor Integrated Application

Phase 1 - What are some GSS systems included in this boundary? - Answer: Anything wider area network. Servers, workstations, network equipment.

Phase 1 - What are some MA systems included in this boundary? - Answer: Application infrastructure

Phase 1 - What are some MIA systems included in this boundary? - Answer: Applications hosted on GSS or MA. Uses security controls of the hosting system - if the hosting system has controls, the MIA has them. Often this means the same OS.

Phase 1 - When is the MIA assessed? - Answer: When the hosting system is certified and accredited

Phase 1 - Should system configurations be changed? - Answer: Yes, they should be changed by the configuration control board

Phase 1 - How often should boundaries be revisited? - Answer: Annually - this change

Phase 1 - Complex Systems (GSS boundary) have what attributes? - Answer:
  • should be broken down into subsystems to help with complexity
  • inheritance - all physical controls should be inherited from the location in which they reside
  • Can follow organizational policies

Phase 2 - What is a hybrid control? - Answer: A control that is a combination of a security control and a common control. Ex: company cell phones. They have common controls for the company and also security controls specific to that information system.

Phase 2 - What is the SCTM? - Answer: Security control matrix - Same as baseline minimum security controls for the most part but with added unique controls for the specific system

Phase 2 - Once the security categorization has been selected and boundaries are set, what comes next? - Answer: Scoping and tailoring - based on what the system does and does not do - add or remove some important controls - ex: If the system doesn't have wireless, don't implement wireless controls.

Phase 2 - What are compensating controls? - Answer: Thinking outside the box to create controls. Ex: Users using the same login - if you can't get around this, then other controls need to be put into place to add accountability - written logs were put into place

Phase 2 - What do you need to do in order to have an effective continuous monitoring plan? 4 things - Answer:
  • have a control process
  • analyze security impact for proposed or implemented changes
  • assess all inherited controls
  • report security status to officials

Phase 2 - CMP configuration management plan issues? - Answer:
  • can be costly
  • frequency - how often do you look for changes
  • Operational impact - what's the standard time to get a change active

Phase 2 - What is the SSP? - Answer: System security proposal - required by FISMA

Phase 2 - What does the SSP (system security proposal) require? - Answer: RAR, ISA, SAR, MOA

Phase 3 Task 1 - What is a specific security requirement that needs to be assessed during the security control development? - Answer: How often do you plan on allowing antivirus updates and how will that affect the final product?

Phase 3 Task 1 - What are three OTHER controls that need to be assessed along with the tailored and scoped security controls? - Answer:
  • Hybrid controls
  • Common controls
  • Inherited controls

What is the Common Criteria website? - Answer: A website that rates different products from vendors. Shows a certification report. Provides an EAL rating.

What are STIGs in the IASE? - Answer: They are certified configuration standards that have already been created for certain information systems

What's found at the NSA IA Guidance sites? - Answer: Security configuration guidance - NSA's specific view on it.

Phase 3 Task 2 - Why is security control documentation important? - Answer: Required so that auditors can test the system later on in the RMF phases.

Phase 3 Task 1 - What is an important aspect of security control documentation? - Answer: Deciding what test procedures you are going to have as part of the documentation. Will it be compliance scans, vulnerability scans?

Phase 4 - What happens in phase 4? - Answer: Assessing and testing how each of the different controls was implemented into the info system

Phase 4 - What are the four phases of Assessing Security Controls? - Answer:
  • Develop, review, and approve testing plan
  • Assess the security controls
  • Prepare the assessment report
  • Remediate deficient controls
So in fewer words: Make a plan for testing, do the test, make a report of results, fix bad controls

Phase 4 - What are the three types of assessment methods for testing that can be run? - Answer:
  • Examine method
  • Interview method
  • Test method

Phase 4 - What is the examine method of testing? - Answer: Reviewing, examining, studying the system or activities to understand or gain evidence of ineffective controls

Phase 4 - What is the interview method of testing? - Answer: Holding discussions or talking to groups of people to gain evidence or understanding

Phase 4 - What is the test method of testing? - Answer: Run one of the assessment object's functions and see how it compares to the original controls and its expected function

Phase 4 - What's required to do a security control assessment? - Answer: Access to the system documentation about how the system should work; interviews with the related personnel

Phase 4 - Task 3 - What is the SAR? - Answer: Security assessment report: end result of the actual assessment; all the findings from the assessment

Phase 4 - Task 4 - How does the remediation process work? - Answer: The system owner looks over the findings in the SAR and finds any false positives. ISSO helps here. Then the assessor, SO and ISSO sit down and figure out which findings they will put in the addendum.

Phase 4 - Task 4 - How do we prioritize remediation actions? - Answer: High, Moderate, Low, Informational

CP CMP PIA BIA - What is the PIA? - Answer: Privacy impact assessment - process to make sure that PII is being safeguarded and protected properly. Usually a checklist.

CP CMP PIA BIA - BIA - Teams? - Answer: You need to have teams to address different parts of the problem.

CP CMP PIA BIA - What is the CP? - Answer: Contingency plan - what do we have ready in case the worst happens? Examples: key staff ready to act, alternative sites, offsite storage for data

CP CMP PIA BIA - CONOPS? - Answer: Concept of operations - how do we look for current operation so we can rebuild if it's all gone - map the network and the system for correct rebuild

CP CMP PIA BIA - Contingency plan - level of disruption? - Answer: Limited, serious, major, catastrophic

CP CMP PIA BIA - Contingency plan procedures? 4 - Answer: Backup, OS recovery, key recovery, power

CP CMP PIA BIA - CMP? - Answer: Configuration Management plan
  • track evidence of changes to code, applications, and other software.

Phase 5 - Task 1 - What is the POAM? - Answer: Plan of action and milestone: the task, timelines, resources all required to fix the weakness discovered from the assessment (SAR)

Phase 5 - Task 1 - What's in each of the 8 columns of the POAM? - Answer:
1 - brief explanation of the weakness
2 - who is responsible for solving the weakness
3 - source of funding and estimated cost
4 - scheduled completion date

decide what and what not to update, how will it affect everything else?

Phase 6 - Hardware/software has a support date - why is this important? - Answer: This is EOL - end of life. The vendor will no longer support the device and it probably needs to be upgraded (especially for security reasons)

Phase 6 - Task 3 - Ongoing remediation actions - What needs to be consistently updated? - Answer: The SAR, add new actions and validations

Phase 6 - Task 4 - Update the security documentation... like what? - Answer: POAM, SAR

Phase 6 - Task 5 - Security Status Reporting - What are some update attributes? - Answer: - culture - how important is security; uses reports with good consistency, good content and often enough.

FedRAMP? What is it? - Answer: 3rd party comes to Google, AWS, Azure and looks to see if cloud based servers can be used for government information

What is Govcloud? - Answer: Cloud for the government. A 3rd party will rate the level of security on a given cloud platform. Based on that, it can be used for certain levels of security.