A security plan provides an overview of the security requirements of the system.

1. Although the principles seem simple, the mechanisms needed to meet these requirements are complex and require subtle reasoning.

2. Consider potential attacks on the security features being designed, because successful attacks are usually designed by looking at the problem in a new way and exploiting an unexpected weakness in the mechanism.

3. The procedures used to provide particular services are often counterintuitive and complex

4. The location of the security mechanism matters, both physically and logically.

Physical placement: the points in a network at which the security mechanism is needed.

Logical placement: the layer or layers of an architecture such as TCP/IP (Transmission Control Protocol/Internet Protocol) at which the mechanism should sit.

5. In addition to the security mechanisms themselves, the participants must hold some secret information (e.g., encryption keys), which raises questions about how that secret information is created, distributed and protected.

- A further obstacle is the reliance on communications protocols whose behavior may complicate the task of developing the security mechanism.

- Example: if the proper functioning of the security mechanism requires a limit on the transit time of a message from sender to receiver, then any protocol or network that introduces variable, unpredictable delays may render such a limit meaningless.

6. The attacker has the advantage: the attacker need find only one weakness, while the designer must find and eliminate every weakness to achieve perfect security.

7. Users and system managers tend to perceive little benefit from security investment until a security failure occurs.

8. Security requires regular, even constant, monitoring, which is difficult in today's short-term, overloaded environment.

9. Security is often an afterthought to be incorporated into a system after the design is complete, rather than being an integral part of the design process.

10. Many users and security administrators view strong security as an impediment to efficient and user-friendly operation of an information system or use of information.

Risk assessment: the process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management; it incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.

TASK 5-1: Plan of Action and Milestones
Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report, excluding any remediation actions taken.
Primary responsibility: Information System Owner or Common Control Provider
Supporting roles: Information Owner/Steward; Information System Security Officer
TASK 5-2: Security Authorization Package
Assemble the security authorization package and submit the package to the authorizing official for adjudication.
Primary responsibility: Information System Owner or Common Control Provider
Supporting roles: Information System Security Officer; Security Control Assessor
TASK 5-3: Risk Determination
Determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.
Primary responsibility: Authorizing Official or Designated Representative
Supporting roles: Risk Executive (Function); Senior Information Security Officer
TASK 5-4: Risk Acceptance
Determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable.

TASK 6-1: Information System and Environment Changes
Determine the security impact of proposed or actual changes to the information system and its environment of operation.
Primary responsibility: Information System Owner or Common Control Provider
Supporting roles: Risk Executive (Function); Authorizing Official or Designated Representative; Senior Information Security Officer; Information Owner/Steward; Information System Security Officer
TASK 6-2: Ongoing Security Control Assessments
Assess the technical, management, and operational security controls employed within and inherited by the information system in accordance with the organization-defined monitoring strategy.
Primary responsibility: Security Control Assessor
Supporting roles: Authorizing Official or Designated Representative; Information System Owner or Common Control Provider; Information Owner/Steward; Information System Security Officer
TASK 6-3: Ongoing Remediation Actions
Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones.
Primary responsibility: Information System Owner or Common Control Provider
Supporting roles: Authorizing Official or Designated Representative; Information Owner/Steward; Information System Security Officer; Information System Security Engineer; Security Control Assessor
TASK 6-4: Key Updates
Update the security plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.
TASK 6-5: Security Status Reporting
Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to the authorizing official and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy.
TASK 6-6: Ongoing Risk Determination and Acceptance
Review the reported security status of the information system (including the effectiveness of security controls employed within and inherited by the system) on an ongoing basis in accordance with the monitoring strategy to determine whether the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation remains acceptable.
Primary responsibility: Authorizing Official
Supporting roles: Risk Executive (Function); Authorizing Official Designated Representative; Senior Information Security Officer
TASK 6-7: Information System Removal and Disposal
Implement an information system disposal strategy, when needed, which executes required actions when a system is removed from service.
Inf