This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Talk:Industry:Project Review/NIST SP 800-37r1 FPD Appendix F"

From OWASP
Jump to: navigation, search
(F.4 ONGOING AUTHORIZATION)
(F.4 ONGOING AUTHORIZATION)
Line 35: Line 35:
 
affect the security state of an information system."  This definition is overbroad and includes almost any activity on a computer as all activity has the potential to affect the security state of the system.  The threshold should be raised to either "a change that is likely to affect" or "a change that has the potential to significantly affect". [[User:Dan Philpott|Dan Philpott]] 04:36, 9 December 2009 (UTC)
 
affect the security state of an information system."  This definition is overbroad and includes almost any activity on a computer as all activity has the potential to affect the security state of the system.  The threshold should be raised to either "a change that is likely to affect" or "a change that has the potential to significantly affect". [[User:Dan Philpott|Dan Philpott]] 04:36, 9 December 2009 (UTC)
  
Text of the examples in the event-driven reauthorizations paragraph (Page F-7) should reflect that the examples are only significant when they meet the threshold established in the definition of significant change.  Otherwise misreading of the lines is likely to occur with the affect of causing unnecessary effort without worthwhile security gains. [[User:Dan Philpott|Dan Philpott]] 04:36, 9 December 2009 (UTC)
+
Text of the examples in the event-driven reauthorizations paragraph (page F-7) should reflect that the examples are only significant when they meet the threshold established in the definition of significant change.  Otherwise misreading of the lines is likely to occur with the affect of causing unnecessary effort without worthwhile security gains. [[User:Dan Philpott|Dan Philpott]] 04:36, 9 December 2009 (UTC)
  
Footnote 63 should add the word can between "action include" unless the requirement is to always have both the Risk Executive (Function) and SISO/CISO provide input whenever a formal reauthorization decision is made.  This could cause unnecessary effort for an AO who is making the decision to initiate reauthorization for a system and reduce the likelihood it will occur. [[User:Dan Philpott|Dan Philpott]] 04:36, 9 December 2009 (UTC)
+
Footnote 63 should add the word can between "action include" unless the requirement is to always have both the Risk Executive (Function) and SISO/CISO provide input whenever the decision to initiate a formal reauthorization is made.  This could cause unnecessary effort for an AO who is making the decision to initiate reauthorization for a system and reduce the likelihood it will occur. [[User:Dan Philpott|Dan Philpott]] 04:36, 9 December 2009 (UTC)
  
 
[[Category:GIC-NISTSP80037r1FPD]]
 
[[Category:GIC-NISTSP80037r1FPD]]

Revision as of 04:42, 9 December 2009

APPENDIX F

SECURITY AUTHORIZATION

AUTHORIZATION DECISIONS AND SUPPORTING EVIDENCE


F.1 AUTHORIZATION PACKAGE

F.2 AUTHORIZATION DECISIONS

Authorization to Operate

Denial of Authorization to Operate

F.3 AUTHORIZATION DECISION DOCUMENT

F.4 ONGOING AUTHORIZATION

In the second paragraph of page F-7 a definition is offered for significant change, the text reads "A significant change is defined as a change that has the potential to affect the security state of an information system." This definition is overbroad and includes almost any activity on a computer as all activity has the potential to affect the security state of the system. The threshold should be raised to either "a change that is likely to affect" or "a change that has the potential to significantly affect". Dan Philpott 04:36, 9 December 2009 (UTC)

Text of the examples in the event-driven reauthorizations paragraph (page F-7) should reflect that the examples are only significant when they meet the threshold established in the definition of significant change. Otherwise misreading of the lines is likely to occur with the affect of causing unnecessary effort without worthwhile security gains. Dan Philpott 04:36, 9 December 2009 (UTC)

Footnote 63 should add the word can between "action include" unless the requirement is to always have both the Risk Executive (Function) and SISO/CISO provide input whenever the decision to initiate a formal reauthorization is made. This could cause unnecessary effort for an AO who is making the decision to initiate reauthorization for a system and reduce the likelihood it will occur. Dan Philpott 04:36, 9 December 2009 (UTC)