
Difference between revisions of "Talk:Industry:Project Review/NIST SP 800-37r1 FPD Chapter 3"

Revision as of 04:25, 8 December 2009

CHAPTER THREE

THE PROCESS

EXECUTING THE RISK MANAGEMENT FRAMEWORK TASKS

As an overall comment I find that the blocks of text making up these tasks are too dense and need to be broken up into shorter, more targeted segments. NIST SP 800-53r3 made excellent use of exploding out lists which had previously been embedded in paragraphs (e.g., (i) ..., (ii) ..., etc.). Reading security documents is often difficult for people who feel overwhelmed trying to link the different data elements into a comprehensive picture. Good writing practice and formatting can make reading dense guidance wording easier, much as good writing and formatting can make reading source code easier. Dan Philpott 04:10, 8 December 2009 (UTC)

APPLICATION OF THE RISK MANAGEMENT FRAMEWORK

3.1 RMF STEP 1 - CATEGORIZE INFORMATION SYSTEM

TASK 1-1 SECURITY CATEGORIZATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 1-2 INFORMATION SYSTEM DESCRIPTION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 1-3 INFORMATION SYSTEM REGISTRATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #1

3.2 RMF STEP 2 - SELECT SECURITY CONTROLS

TASK 2-1 SECURITY CONTROL SELECTION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 2-2 COMMON CONTROL IDENTIFICATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 2-3 MONITORING STRATEGY

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 2-4 SECURITY PLAN APPROVAL

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #2

3.3 RMF STEP 3 - IMPLEMENT SECURITY CONTROLS

TASK 3-1 SECURITY CONTROL IMPLEMENTATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 3-2 SECURITY CONTROL DOCUMENTATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #3

3.4 RMF STEP 4 - ASSESS SECURITY CONTROLS

TASK 4-1 ASSESSMENT PREPARATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 4-2 SECURITY CONTROL ASSESSMENT

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 4-3 SECURITY ASSESSMENT REPORT

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #4

3.5 RMF STEP 5 - AUTHORIZE INFORMATION SYSTEM

TASK 5-1 REMEDIATION ACTIONS

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 5-2 PLAN OF ACTION AND MILESTONES

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 5-3 SECURITY AUTHORIZATION PACKAGE

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 5-4 RISK DETERMINATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 5-5 RISK ACCEPTANCE

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #5

3.6 RMF STEP 6 - MONITOR SECURITY CONTROLS

TASK 6-1 INFORMATION SYSTEM AND ENVIRONMENT CHANGES

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-2 ONGOING SECURITY CONTROL ASSESSMENTS

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-3 ONGOING REMEDIATION ACTIONS

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-4 CRITICAL UPDATES

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-5 SECURITY STATUS REPORTING

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-6 ONGOING RISK DETERMINATION AND ACCEPTANCE

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-7 INFORMATION SYSTEM REMOVAL AND DECOMMISSIONING

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #6