Chapter 2 Flashcards
(31 cards)
Organisation-Wide Risk Management
Involve everyone in the organisation, from top leaders to regular employees.
Multi-Level Risk Management Model
This model manages risks at three levels: organisation, mission/business process, and information system, ensuring that risks are addressed comprehensively.
Level 1 and 2 Activities
These activities prepare the organisation for risk management by identifying roles, assets, threats, and risk assessments.
Level 3 in Risk Management
Level 3 focuses on system-specific risks, guided by decisions at higher levels, and designates controls based on security/privacy requirements.
Traceability of Controls
It ensures that security and privacy controls are linked to specific requirements throughout the system’s lifecycle.
Consequences of Inadequate Organisational Preparation
Inadequate preparation can lead to costly and ineffective security measures, impacting the organisations efficiency and security.
Risk Management Framework Steps (RMF)
RMF has seven steps, including preparation, categorisation, selection, implementation, assessment, authorisation, and monitoring.
- Prepare
Step 1 establishes priorities for security and privacy risk management.
- Categorise
In step 2, the impact of potential loss and system categorisation is analysed.
- Select
Step 3 involves selecting and tailoring controls based on a risk assessment.
- Implement
Step 4 is about putting selected controls into practice.
- Assess
Step 5 evaluates control implementation to ensure they meet requirements.
- Authorise
Step 6 grants system authorisation based on acceptable risk levels.
- Monitor
Step 7 involves continuous assessment of control effectiveness and reporting.
Adaption of RMF Steps
RMF steps can be adjusted as needed, especially in agile development, where steps may need revisiting.
Integration of Information Security and Privacy Programs
Information security and privacy programs work together to manage risks associated with personally identifiable information (PII) by selecting and monitoring controls.
Privacy Controls vs Security Controls
Privacy controls focus on compliance and privacy risks, while security controls cover broader protection needs.
Authorisation Boundaries
The authorisation boundary defines what the organisation commits to protect in an information system, involving people, processes, and technologies supporting the organisations mission.
Systems and System Elements
Information systems consist of various elements, including technology, humans, physical components, and environmental factors, working together for specific goals.
Authorisation Boundaries Review
The scope of the authorisation boundary is periodically reviewed as part of continuous monitoring, aligning with the organisations resources and flexibility.
Interconnections in Systems
Systems’ interconnections enable them to interact and produce capabilities, operating within an influencing environment.
External Systems
Other systems interact with the operational environment but may be outside the authorisation boundary, depending on context and organisational considerations.
Enabling Systems
Enabling systems, although outside the authorisation boundary, may provide support during a system’s lifecycle by offering common controls or services.
Establishing Authorisation Boundaries
Establishing meaningful authorisation boundaries involves coordinating with key participants, considering mission, business, security, privacy, and cost factors.
