Authorizing Information Systems

FITSP-AModule 6

It is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk.

SP 800-39 Managing Information Security Risk (March 2011)

Leadership

FITSP-A Exam Module Objectives

Security Assessments and Authorization– Assess and implement plans of action designed to correct

deficiencies and reduce or eliminate vulnerabilities in organizational information systems

– Inspect mechanisms that authorize the operation of organizational information systems and any associated information system connections

Assessment and Authorization Overview

Section A: Assessment and Authorization Tasks– Assess Security Controls– Authorization Package– Authorization Decisions– Authorization Decision Document

Section B: Authorization Elements– Ongoing Authorization– Type Authorization– Authorization Approaches

ASSESSMENT AND AUTHORIZATION TASKS

Section A

RMF Step 4 – Assess Security Controls

Assessment Preparation Security Control Assessment Security Assessment Report Remediation Actions

RMF Step 5 – Authorize Information System

Plan of Action and Milestones Security Authorization Package Risk Determination Risk Acceptance

Authorization Package

Authorization Decisions

Authorization to Operate Denial Of Authorization to Operate

Interim Authorization to Test Interim Authorization to Operate

Authorization Decision Document

Authorization decision Terms and conditions for the authorization Authorization termination date Risk executive (function) input (if provided)

Knowledge Check

What is the first step in the Authorization RMF step? What documents the results of the security control

assessment and provides the authorizing official with essential information needed to make a risk-based decision on whether to authorize operation of an information system or a designated set of common controls?

What are the contents of the Authorization Package, from System Owner to Authorizing Official?

The authorization decision document contains what information?

AUTHORIZATION ELEMENTSSection B

Ongoing Authorization

Maintains Knowledge of Current Security State Re-execute RMF Step(s) Maximize Use of Status Reports Reauthorization

– Time-driven– Event-driven

Type Authorization

Definition of Type Authorization– Official authorization decision to employ identical copies of an

information system or subsystem (including hardware, software, firmware, and/or applications) in specified environments of operation.

Authorization Approaches

Single Authorizing Official Multiple Authorizing Officials Leveraging an Existing Authorization

Key Concepts & Vocabulary

Authorization Decisions Authorization Decision Document Authorization Package Authorizing Official IATO IATT POAM SAR SSP Type Authorization

Questions?

Next Module: Continuous Monitoring