Download presentation
Presentation is loading. Please wait.
Published byJulian Skinner Modified over 9 years ago
1
It is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk. SP 800-39 Managing Information Security Risk (March 2011) Leadership
2
FITSP-M Exam Module Objectives Security Assessments and Authorization –Administer and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems –Manage mechanisms that authorize the operation of organizational information systems and any associated information system connections
3
Authorization OverviewAuthorization Overview Section A: Authorization Tasks –Authorization Package –Authorization Decisions –Authorization Decision Document Section B: Authorization Elements –Ongoing Authorization –Type Authorization –Authorization Approaches
4
AUTHORIZATION TASKS Section A
5
RMF Step 4 - Authorization Describe Plan of Action and Milestones Understand the Elements of the Security Authorization Package Understand Risk Determination Understand Risk Acceptability Distinguish between the Security Authorization Decisions
6
RMF Step 5 – Authorize Information System Plan of Action and Milestones Security Authorization Package Risk Determination Risk Acceptance
7
Authorization Package
8
Authorization Decisions Authorization to Operate Denial Of Authorization to Operate Interim Authorization to Test Interim Authorization to Operate
9
Authorization Decision Document Authorization decision Terms and conditions for the authorization Authorization termination date Risk executive (function) input (if provided)
10
Knowledge Check What is the first step in the Authorization RMF step? What documents the results of the security control assessment and provides the authorizing official with essential information needed to make a risk-based decision on whether to authorize operation of an information system or a designated set of common controls? What are the contents of the Authorization Package, from System Owner to Authorizing Official? The authorization decision document contains what information?
11
AUTHORIZATION ELEMENTS Section B
12
Ongoing Authorization Maintains Knowledge of Current Security State Re-execute RMF Step(s) Maximize Use of Status Reports Reauthorization –Time-driven –Event-driven
13
Type Authorization Official authorization decision to employ identical copies of an information system or subsystem (including hardware, software, firmware, and/or applications) in specified environments of operation.
14
Authorization Approaches Single Authorizing Official Multiple Authorizing Officials Leveraging an Existing Authorization
15
Authorization Key Concepts & Vocabulary Authorization Package Authorization Decisions Authorization Decision Document Ongoing Authorization Type Authorization Authorization Approaches
16
Questions? Next Module: Continuous MonitoringContinuous Monitoring
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.