Professional Documents
Culture Documents
B-2
Appendix B Frequently Asked Questions
Q. How can the support for an awareness and training program be gauged?
A. The support for an awareness and training program can be shown through many
indicators. A few examples are:
• Key stakeholder demonstrates commitment and support.
• Sufficient funding is budgeted and available to implement the agreed-upon
awareness and training strategy.
• Infrastructure to support broad distribution (e.g., Web, e-mail, learning
management systems) and posting of security awareness and training materials
is funded and implemented.
• Executive/senior-level officials deliver messages to staff about security (e.g.,
staff meetings, broadcasts to all users by agency head), champion the
program, and demonstrate support for training by committing financial
resources to the program.
• Executives and managers do not use their status in the organization to avoid
security controls that are consistently adhered to by the rank and file.
• Level of attendance at voluntary security forums/briefings/training is
consistently high.
B-3
Appendix B Frequently Asked Questions
B-4
Appendix B Frequently Asked Questions
Q. Is there a process for integrating security into the capital planning and
investment control (CPIC) process?
A. Yes. There is a seven-step process for prioritizing security activities and
corrective actions:
1. Identify the Baseline;
2. Identify Prioritization Requirements;
3. Conduct Enterprise-Level Prioritization;
4. Conduct System-Level Prioritization;
5. Develop Supporting Materials;
6. Implement Investment Review Board and Portfolio Management; and
7. Submit Exhibit 300s, Exhibit 53, and Conduct Program Management.
B-5
Appendix B Frequently Asked Questions
B-6
Appendix B Frequently Asked Questions
B-7
Appendix B Frequently Asked Questions
Q. What is an ISA?
A. An Interconnection Security Agreement (ISA) is an agreement established
between the organizations that own and operate connected information systems
to document the technical requirements of the interconnection. The ISA is a
security document that specifies the requirements for connecting the information
systems, describes the security controls that will be used to protect the systems
and data, and contains a topographical drawing of the interconnection. It is a
commitment between the owners of two systems to abide by specific rules of
behavior. These rules are discretionary and should be based on risk.
Q. What is an MOU/MOA?
A. A Memorandum of Understanding/Memorandum of Agreement (MOU/MOA) is a
document that defines the responsibilities of two or more organizations in
establishing, operating, and securing a system interconnection. It defines the
purpose of the interconnection, identifies relevant authorities, specifies the
responsibilities of each organization, defines the apportionment of costs, and
identifies the timeline for terminating or reauthorizing the interconnection. The
B-8
Appendix B Frequently Asked Questions
MOU/MOA documents the terms and conditions for sharing data and information
resources and should be signed by an organizational official.
B-9
Appendix B Frequently Asked Questions
B-10
Appendix B Frequently Asked Questions
B-11
Appendix B Frequently Asked Questions
B-12
Appendix B Frequently Asked Questions
collection must be a priority with stakeholders and users if the collected data
is to be meaningful to management and faciliate improvement of the overall
security program.
Q. What are the activities that comprise the information security metrics
process?
A. The information security metrics development process consists of two major
activities:
1. Identification and definition of the current information security program;
and
2. Development and selection of specific metrics to measure implementation,
efficiency, effectiveness, and the impact of the security controls.
B-13
Appendix B Frequently Asked Questions
Q. Can a weighting scale be used during the selection process for metrics?
A. Yes. If weights were assigned to metrics in the Prepare for Data Collection phase,
these weights should be used to prioritize corrective actions. Alternatively,
weights may be assigned to corrective actions in the Identify Corrective Actions
phase based on the criticality of implementing specific corrective actions, the cost
of corrective actions, and the magnitude of corrective actions’ impact on the
organization’s security posture.
B-14
Appendix B Frequently Asked Questions
89
NIST SP 800-37 defines a minor application as an application, other than a major application, that
requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or
unauthorized access to or modification of the information in the application. Minor applications are
typically included as part of a GSS.
B-15
Appendix B Frequently Asked Questions
Q. In what time frame must systems and data be recovered and restored
when a disruption occurs?
A. When a disruption occurs, a recovery strategy must be implemented within the
recovery time objective (RTO) period.
B-16
Appendix B Frequently Asked Questions
RTO. The strategy must also address recovering information system critical
components within a priority, as established by their individual RTOs.
Q. What are the components of the IT contingency plan strategy that must
be tested?
A. The IT contingency plan strategy testing should include:
1. System recovery on an alternate platform from backup media;
2. Coordination among recovery teams;
3. Internal and external connectivity;
4. System performance using alternate equipment;
5. Restoration of normal operations; and
6. Notification procedures.
B-17
Appendix B Frequently Asked Questions
Q. Define risk mitigation and explain what steps are involved to control
implementation.
A. The second process in the overall risk management process is that of risk
mitigation. Because it is impractical, if not impossible, to eliminate all risks from
a system, risk mitigation strives to prioritize, evaluate, and implement the
appropriate risk-reducing controls recommended from the risk assessment
process based on NIST SP 800-53 guidance. Once the decision has been made
on which risks are to be addressed in the risk mitigation process, a seven-step
approach is used to guide control implementation:
B-18
Appendix B Frequently Asked Questions
1. Prioritize actions;
2. Evaluate recommended control options;
3. Conduct cost-benefit analysis;
4. Select control;
5. Assign responsibility;
6. Develop a safeguard implementation plan; and
7. Implement selected control(s).
B-19
Appendix B Frequently Asked Questions
Q. What is a vulnerability?
A. NIST SP 800-30 defines vulnerability as “a flaw or weakness in system security
procedures, design, implementation, or internal controls that could be exercised
(accidentally triggered or intentionally exploited) and result in a security breach
or a violation of the system’s security policy.”
B-20
Appendix B Frequently Asked Questions
B-21
Appendix B Frequently Asked Questions
Q. Do all the 800-53 security controls need annual testing to satisfy the
FISMA annual testing requirement?
A. All 800-53 security controls do not need to be tested to satisfy annual testing and
evaluation requirements. Agencies should first prioritize testing on POA&M items
that become closed. These newly implemented controls should be validated.
Agencies should test against system related security control changes that
occurred but did not constitute a major change necessitating a new C&A.
Agencies should identify all security controls that are continuously monitored as
annual testing and evaluation activities. Examples of this include (but are not
B-22
Appendix B Frequently Asked Questions
limited to) ongoing security training, Denial of Service and Malicious Code
protection activities, Intrusion Detection monitoring, Log File reviews, etc. Once
this is completed agencies should look at the remaining controls that have not
been tested for that year and make a decision on further annual testing based on
risk, importance of control and date of last test.
B-23
Appendix B Frequently Asked Questions
B-24
Appendix B Frequently Asked Questions
B-25
Appendix B Frequently Asked Questions
Q. What are the four phases of the incident response life cycle?
A. NIST SP 800-61, Computer Security Incident Handling Guide, states that the four
phases of the incident response life cycle are:
• Preparation;
• Detection and Analysis;
• Containment, Eradication, and Recovery; and
• Post-Incident Recovery.
B-26
Appendix B Frequently Asked Questions
B-27
Appendix B Frequently Asked Questions
B-28
Appendix B Frequently Asked Questions
B-29