Leadership • It is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk. • SP 800-39 Managing Information Security Risk (March 2011)
FITSP-M Exam Module Objectives • Security Assessments and Authorization • Administer and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems • Manage mechanisms that authorize the operation of organizational information systems and any associated information system connections
Authorization Overview • Section A: Authorization Tasks • Authorization Package • Authorization Decisions • Authorization Decision Document • Section B: Authorization Elements • Ongoing Authorization • Type Authorization • Authorization Approaches
Section A Authorization Tasks
RMF Step 5 – Authorization (Module Objectives) • Describe the Plan of Action and Milestones • Understand the Elements of the Security Authorization Package • Understand Risk Determination • Understand Risk Acceptability • Distinguish between the Security Authorization Decisions
RMF Step 5 – Authorize Information System • Plan of Action and Milestones • Security Authorization Package • Risk Determination • Risk Acceptance
Authorization Decisions • Authorization to Operate (ATO) • Denial of Authorization to Operate (DATO) • Interim Authorization to Test (IATT) • Interim Authorization to Operate (IATO) • Note: SP 800-37 Rev 1 recognizes only two authorization decisions, ATO and DATO; it does not provide for an interim authorization to operate, and instead expects the authorizing official to issue an ATO with specific terms and conditions. IATT and IATO remain in use as DoD and legacy terms.
Authorization Decision Document • Authorization decision • Terms and conditions for the authorization • Authorization termination date • Risk executive (function) input (if provided)
Knowledge Check
• What is the first task in the Authorize RMF step?
• What documents the results of the security control assessment and provides the authorizing official with the essential information needed to make a risk-based decision on whether to authorize operation of an information system or a designated set of common controls?
• What are the contents of the Authorization Package, from System Owner to Authorizing Official?
• The authorization decision document contains what information?
Section B Authorization Elements
Ongoing Authorization • Maintains Knowledge of Current Security State • Re-execute RMF Step(s) • Maximize Use of Status Reports • Reauthorization (Time-driven or Event-driven)
Type Authorization • Official authorization decision to employ identical copies of an information system or subsystem (including hardware, software, firmware, and/or applications) in specified environments of operation.
Authorization Approaches • Single Authorizing Official • Multiple Authorizing Officials • Leveraging an Existing Authorization
Authorization Key Concepts & Vocabulary • Authorization Package • Authorization Decisions • Authorization Decision Document • Ongoing Authorization • Type Authorization • Authorization Approaches
Questions? Next Module: Continuous Monitoring