Question

26. What is the acronym (or name) of the federal organization that writes all federal cyber security and Risk Management standards, guidelines, and special publications?

(2) 27. There are three types of information: Public, Proprietary and Private. Which one requires the most protection?

(3) 28. What is a security control? Why would you use one?

(2) 29. Where would you find the control for the policy and procedures for the Contingency Planning (CP) family?

(2) 30. What control family would you use if you wanted to make sure only the people that needed the information could see it?

(2) 31. What is the purpose of a system security plan?

(2) 32. Why is continuous monitoring important?

Explanation / Answer

Q.26 NIST is the federal organization that writes all federal cyber security and risk management standards. NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

Q.28 Sensitive data should be protected based on the potential impact of a loss of confidentiality, integrity, or availability. Protection measures (otherwise known as security controls) tend to fall into two categories. First, security weaknesses in the system need to be resolved. Second, the system should offer only the required functionality to each authorized user, so that no one can use functions that are not necessary. This principle is known as least privilege.

There are three types of security controls, as follows:

Management controls: The security controls that focus on the management of risk and the management of information system security.
Operational controls: The security controls that are primarily implemented and executed by people (as opposed to systems).
Technical controls: The security controls that are primarily implemented and executed by the system through the system's hardware, software, or firmware.

Need

All three types of controls are necessary for robust security. For example, a security policy is a management control, but its security requirements are implemented by people (operational controls) and systems (technical controls). Think of phishing attacks. An organization may have an acceptable use policy that specifies the conduct of users, including not visiting malicious websites. Security controls to help thwart phishing, besides the management control of the acceptable use policy itself, include operational controls, such as training users not to fall for phishing scams, and technical controls that monitor emails and web site usage for signs of phishing activity.

Problems

A common problem with security controls is that they often make systems less convenient or more difficult to use. When usability is an issue, many users will attempt to circumvent security controls; for example, if passwords must be long and complex, users may write them down. Balancing security, functionality, and usability is often a challenge. The goal should be to strike a proper balance: provide a reasonably secure solution while offering the functionality and usability that users require.

Q.31 SSP

A system security plan is a formal plan that defines the plan of action to secure a computer or information system.

It provides a systematic approach and techniques for protecting a computer from being used by unauthorized users, guards against worms and viruses as well as any other incident/event/process that can jeopardize the underlying system’s security.

Uses

The purpose of the system security plan (SSP) is to provide an overview of federal information system security requirements and describe the controls in place or planned to meet those requirements. The SSP also delineates responsibilities and expected behavior of all individuals who access the information system and should be viewed as documentation of the structured process for planning adequate, cost-effective security protection for a major application or general support system. It should reflect input from various managers with responsibilities concerning the information system, including information owner(s), system owner(s), system operator(s), and the information security manager. Additional information may be included in the basic plan, and the structure and format organized according to requirements.

Q.32 Today, nearly all of an agency’s mission-critical functions depend on safe and secure information technology systems. With cyber threats ever evolving and growing at an exponential rate, and increased reliance on technology to deliver core services in government, a robust cyber defense is needed by agencies.

Continuous monitoring is one part of a six-step process in the NIST Risk Management Framework (RMF), from NIST publication 800-53, rev4.

It can be defined as "a formalized process where an agency can define each of their IT systems, categorize them by risk level, apply the appropriate controls, and continuously monitor the controls in place and assess their effectiveness against threats in their environment.”

Continuous monitoring is an essential step for organizations to identify and measure the security implications for planned and unexpected changes to hardware, software, firmware and to assess vulnerabilities in a dynamic threat space.

Continuous monitoring provides many benefits to government agencies, yet holistic adoption still seems to be lagging. “If you're operating all those sensors in silos, which unfortunately a lot of people are doing, you're only seeing one aspect of what's going on in your network. Continuous monitoring really provides a situational awareness of your network, giving you the opportunity to react to that changing situation.”
