3. Risk Tiers

Question 1

Tier 1

Answer 1

Organization

Where enterprise institutional risk polices are articulated by the risk executive

Fundamental contexts about governance structures, larger views of risk tolerance, etc.

Defining a risk strategy for the whole organization

Question 2

Tier 2

Answer 2

Mission and Business Process

Translates the organizational strategy defined in Tier 1 into processes the organization can use

For example, defining requirements or treating the R&D department as a separate division with its own requirements

Question 3

Tier 3

Answer 3

Information Systems

Where controls are implemented using Tier 2 (mission / business process) requirements and categorizations

Question 4

General Support System

Circular A-130 definition

Answer 4

Set of IT resources sharing the same management and common functionality

Question 5

Major Application
(Circular A-130 definition)

Answer 5

Set of IT resources requiring special security attention due to the harm if their CIA were compromised.

Question 6

Can you create authorization boundaries from general support and major systems by considering commonality of purpose, security perimeter and ownership?

Answer 6

Yes

Question 7

When are information system boundaries established?

Answer 7

in coordination with the security categorization process and before developing security plans

Question 8

What happens if IS boundaries are too expansive?

Answer 8

The risk management process becomes unwieldy and too complex

Question 9

What happens if IS boundaries are too narrow?

Answer 9

The number of systems that must be separately managed becomes too high, and inflates the organizational costs

Question 10

What’s the goal of creating system inventories and boundaries?

Answer 10

Identify systems requiring protection, planning and management

Aspects are used in RMF Step 1, categorization

Question 11

What defines the boundaries of a system?

Answer 11

The set of information resources allocated to an information system

There is a lot of flexibility in determining what an information system is composed of, and its associated boundary

If a set of information resources is identified as an information system, the resources are generally under the same direct management control

Question 12

What has made boundaries more complex?

Answer 12

modern computing changes such as:

service-oriented architecture (SOA), cloud computing, introduced “dynamic subsystems” and “external subsystems)

Question 13

3 types of authorization

Answer 13

single authorizing official

multiple (joint) authorizing officials

leveraging existing authorization

Question 14

Single Authorizing Official

Answer 14

Traditional approach

A single official is both responsible and accountable for an information system

Question 15

Joint Authorizing Officials

Answer 15

multiple officials from the same or different organizations have a shared interest in authorizing an information system

They are collectively responsible and accountable and jointly accept the risks

Question 16

Leveraged Authorization

Answer 16

An agency chooses to accept some or all of the information in an existing authorization package generated by a different agency based on a need to use the same information resources.

Leveraging organization reviews owning organization’s authorization package as the basis for determining risk