authorizing information systems fitsp-a module 6
TRANSCRIPT
Authorizing Information Systems
FITSP-AModule 6
It is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk.
SP 800-39 Managing Information Security Risk (March 2011)
Leadership
FITSP-A Exam Module Objectives
Security Assessments and Authorization– Assess and implement plans of action designed to correct
deficiencies and reduce or eliminate vulnerabilities in organizational information systems
– Inspect mechanisms that authorize the operation of organizational information systems and any associated information system connections
Assessment and Authorization Overview
Section A: Assessment and Authorization Tasks– Assess Security Controls– Authorization Package– Authorization Decisions– Authorization Decision Document
Section B: Authorization Elements– Ongoing Authorization– Type Authorization– Authorization Approaches
ASSESSMENT AND AUTHORIZATION TASKS
Section A
RMF Step 4 – Assess Security Controls
Assessment Preparation Security Control Assessment Security Assessment Report Remediation Actions
RMF Step 5 – Authorize Information System
Plan of Action and Milestones Security Authorization Package Risk Determination Risk Acceptance
Authorization Package
Authorization Decisions
Authorization to Operate Denial Of Authorization to Operate
Interim Authorization to Test Interim Authorization to Operate
Authorization Decision Document
Authorization decision Terms and conditions for the authorization Authorization termination date Risk executive (function) input (if provided)
Knowledge Check
What is the first step in the Authorization RMF step? What documents the results of the security control
assessment and provides the authorizing official with essential information needed to make a risk-based decision on whether to authorize operation of an information system or a designated set of common controls?
What are the contents of the Authorization Package, from System Owner to Authorizing Official?
The authorization decision document contains what information?
AUTHORIZATION ELEMENTSSection B
Ongoing Authorization
Maintains Knowledge of Current Security State Re-execute RMF Step(s) Maximize Use of Status Reports Reauthorization
– Time-driven– Event-driven
Type Authorization
Definition of Type Authorization– Official authorization decision to employ identical copies of an
information system or subsystem (including hardware, software, firmware, and/or applications) in specified environments of operation.
Authorization Approaches
Single Authorizing Official Multiple Authorizing Officials Leveraging an Existing Authorization
Key Concepts & Vocabulary
Authorization Decisions Authorization Decision Document Authorization Package Authorizing Official IATO IATT POAM SAR SSP Type Authorization
Questions?
Next Module: Continuous Monitoring