Understanding the Security Authorization of federal information systems
The ISC2 CAP candidate needs to understand the multitier approach to evaluating strategic and tactical risk across an organization or enterprise. This is discussed thoroughly in NIST SP 800-39, Managing Information Security Risk. SP 800-39 explains risk management from the organization, mission, and system perspectives.
SP 800-39 explains how an organization frames risk by stating its risk assumptions and knowing its risk constraints, risk tolerance, priorities, and trade-offs. Implementation of an organization's risk management strategy is also based on its governance structure.
Security Authorization is a risk management process that is based on the identification of threats, vulnerabilities, and countermeasures. SP 800-39 and SP 800-37 explain what must be included in a risk assessment that evaluates residual risks and determines whether they are acceptable or unacceptable to the organization as a whole. Unacceptable risks can be reduced by implementing security controls.
Understanding the Security Authorization of federal information systems covers the following key areas:
Understand the Risk Management Approach to Security Authorization
Understand and Distinguish Among the Risk Management Framework (RMF) Steps
Define and Understand Roles and Responsibilities
Understand the Relationship between the RMF and SDLC
Understand Legal, Regulatory, and Other Requirements for Security Authorization
Understand Common Controls and Security Control Inheritance
Understand Ongoing Monitoring Strategies
Understand How the Security Authorization Process Relates to:
1. Organization-wide risk management
2. System Development Life Cycle (SDLC)
3. Information system boundaries
4. Authorization decisions