
Talk:Industry:Project Review/NIST SP 800-37r1 FPD Chapter 3

Revision as of 04:27, 22 December 2009 by Dan Philpott (talk | contribs) (Supplemental Guidance)


CHAPTER THREE

THE PROCESS

EXECUTING THE RISK MANAGEMENT FRAMEWORK TASKS

As an overall comment I find that the blocks of text making up these tasks are too dense and need to be broken up into shorter, more targeted segments. NIST SP 800-53r3 made excellent use of exploding out lists which had previously been embedded in paragraphs (e.g., (i) ..., (ii) ..., etc.). Reading security documents is often difficult for people who feel overwhelmed trying to link the different data elements into a comprehensive picture. Good writing practice and formatting can make reading dense guidance wording easier, much as good writing and formatting can make reading source code easier. Dan Philpott 04:10, 8 December 2009 (UTC)

APPLICATION OF THE RISK MANAGEMENT FRAMEWORK

In the line "Execution of the RMF tasks by common control providers, both internal and external to the organization, helps to ensure that the security capabilities provided by the common controls can be inherited by information system owners with a known degree of assurance." The issue here is the reference to a known degree of assurance. How is the degree of assurance known? Often organizations have no insight into the security operations of a common control provider or information system from which controls are inherited. To state that the degree of assurance is known may not be accurate. At best the degree of assurance can be estimated based on the level of trust one has in the controls provider, but trust is an inherently unmeasurable quality. Recommend restating "common controls can be inherited by information system owners with an appropriate level of trust." Dan Philpott 03:28, 22 December 2009 (UTC)

3.1 RMF STEP 1 - CATEGORIZE INFORMATION SYSTEM

TASK 1-1 SECURITY CATEGORIZATION

TASK

The task "Categorize the information system and document the results of the security categorization in the security plan." varies the order of activities slightly from the NIST SP 800-18r1 description of the process, "Before the system security plan can be developed, the information system and the information resident within that system must be categorized based on a FIPS 199 impact analysis. Then a determination can be made as to which systems in the inventory can be logically grouped into major applications or general support systems." In general the security categorization is separately documented and then eventually recorded in the security plan. Recommend including in the Supplemental Guidance that recording the categorization does not have to initially be done in the security plan but it should be included in the security plan eventually. Dan Philpott 03:42, 22 December 2009 (UTC)

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

In the line "The security categorization process is conducted as an organization-wide activity taking into consideration the enterprise architecture and the information security architecture." The wording of this line may cause confusion and impose an unnecessary burden on those with primary responsibility for conducting security categorization. The categorization process has organization-wide influences and impacts but for systems is conducted primarily at the system level. It may later be reviewed and adjusted by others but the activity of the categorization is local. By stating it is an organization-wide activity the burden is then to have all those listed with primary responsibility and supporting roles involved in all levels of the activity. Recommend the sentence be changed to "The security categorization process takes potential adverse impacts to organizational operations, organizational assets, individuals, other organizations, and the Nation as well as organization-wide guidance into consideration including the enterprise architecture and the information security architecture." This would also obviate the need for the final sentence of this Supplemental Guidance. Dan Philpott 04:03, 22 December 2009 (UTC)

References

TASK 1-2 INFORMATION SYSTEM DESCRIPTION

TASK

Primary Responsibility

Supporting Roles

Inclusion of the Risk Executive (Function) may be indicated. As grouping of systems in the organizational inventory into an information system is often a function of determining which have related risks, the organizational function which coordinates the holistic assessment of risk may play a role. Recommend considering whether the Risk Executive (Function) should be included in the Supporting Roles for Task 1-2. Dan Philpott 04:11, 22 December 2009 (UTC)

System Development Life Cycle Phase

Supplemental Guidance

In the line "A typical system description may include, for example:". Use of the word typical in this instance implies that all of the below should be included to be 'typical'. The later modifiers, 'may include' and 'for example' indicate this is not the case. Recommend rephrasing the line to "A system description may include, for example:". Dan Philpott 04:27, 22 December 2009 (UTC)

In the bullet point "Cross domain devices/requirements;" the term 'cross domain' is a term that may not be familiar to many FISMA practitioners and may be a reference to multi-level security. Recommend including an entry for 'Cross Domain' in the glossary. Dan Philpott 04:27, 22 December 2009 (UTC)

As organizations implement dynamic subsystems it will be more important to include a reference to the data resource that contains all of the system's inventory of subsystems instead of trying to include that highly dynamic data in the information system description itself. Recommend including a bullet point indicating a reference to a real-time inventory of subsystems resource be included in the system description where appropriate. Dan Philpott 04:27, 22 December 2009 (UTC)

References

TASK 1-3 INFORMATION SYSTEM REGISTRATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #1

3.2 RMF STEP 2 - SELECT SECURITY CONTROLS

TASK 2-1 SECURITY CONTROL SELECTION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 2-2 COMMON CONTROL IDENTIFICATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 2-3 MONITORING STRATEGY

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 2-4 SECURITY PLAN APPROVAL

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #2

3.3 RMF STEP 3 - IMPLEMENT SECURITY CONTROLS

TASK 3-1 SECURITY CONTROL IMPLEMENTATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 3-2 SECURITY CONTROL DOCUMENTATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #3

3.4 RMF STEP 4 - ASSESS SECURITY CONTROLS

TASK 4-1 ASSESSMENT PREPARATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 4-2 SECURITY CONTROL ASSESSMENT

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 4-3 SECURITY ASSESSMENT REPORT

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #4

3.5 RMF STEP 5 - AUTHORIZE INFORMATION SYSTEM

TASK 5-1 REMEDIATION ACTIONS

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 5-2 PLAN OF ACTION AND MILESTONES

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 5-3 SECURITY AUTHORIZATION PACKAGE

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 5-4 RISK DETERMINATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 5-5 RISK ACCEPTANCE

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #5

3.6 RMF STEP 6 - MONITOR SECURITY CONTROLS

TASK 6-1 INFORMATION SYSTEM AND ENVIRONMENT CHANGES

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-2 ONGOING SECURITY CONTROL ASSESSMENTS

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-3 ONGOING REMEDIATION ACTIONS

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-4 CRITICAL UPDATES

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-5 SECURITY STATUS REPORTING

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-6 ONGOING RISK DETERMINATION AND ACCEPTANCE

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-7 INFORMATION SYSTEM REMOVAL AND DECOMMISSIONING

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #6

Footnotes