O-K-State MSIS 4253 - MSIS 4253, (SP18), Exam 1 Focus list (1) (4 pages)

Unformatted text preview:

MSIS 4253 Exam 1 Focus List Spring 2018 1 System characterization items hardware software information sensitivity etc 2 Types of threats and vulnerabilities a Threats natural human made environmental b Vulnerabilities weakness in the system or the people that use it 3 Classes of security controls managerial operational technical a Managerial assessments planning acquisition program management b Operational training configuration contingency planning incident resonse maintenance physical protection c Technical access control audit and accountability identification and authentication system and communication protection 4 Common Controls a Security controls that are inheritable by one or more organizational information systems b Ex Contingency planning controls incident response controls security training and awareness controls personnel security controls physical and environmental protection controls intrusion detection controls 5 Hybrid or System specific controls a Security controls not designated as common controls b System specific controls are the primary responsibility of information system owners and their respective authorizing officials c Hybrid controls may also serve as templates for further control refinement 6 Relationships with external service providers a Services implemented outside of the authorization boundaries established by the organization for its information systems b Joint ventures business partnerships outsourcing arrangements licensing agreements supply chain exchanges 7 Scoping guidance Literally review the slide that covers scoping guidance NIST SP 80053 Chapter 3 8 Security Considerations there are many a Common control related considerations b Security objective related considerations c System component allocation related considerations d Technology related considerations e Physical infrastructure related considerations f Operations environmental related considerations g Scalability related considerations h Public access related considerations 9 Compensating security controls a A management operational or technical control employed by an organization in lieu of a recommended security control in the low moderate or high baselines that provides an equivalent or comparable level or protection for an information system and the information processed stored or transmitted by that system 10 Organization Defined Security Control Parameters a After the application of scoping guidance and selection of compensating security controls organizations review the list of security controls for assignment and selection operations and determine the appropriate organization defined values for the identified parameters Values for organization define parameters are adhered to unless more restrictive values are prescribed by applicable federal laws executive orders directive policies standards guidelines or regulations 11 Supplementing the Tailored Baseline a Requirements Definition the organization acquires specific and credible threat