Authorizing Information Systems FITSP-A Module 6
TRANSCRIPT
![Page 1: Authorizing Information Systems FITSP-A Module 6](https://reader036.vdocuments.us/reader036/viewer/2022082505/56649f4f5503460f94c70616/html5/thumbnails/1.jpg)
Authorizing Information Systems
FITSP-A Module 6
It is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk.
SP 800-39 Managing Information Security Risk (March 2011)
Leadership
FITSP-A Exam Module Objectives
Security Assessments and Authorization
– Assess and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems
– Inspect mechanisms that authorize the operation of organizational information systems and any associated information system connections
Assessment and Authorization Overview
Section A: Assessment and Authorization Tasks
– Assess Security Controls
– Authorization Package
– Authorization Decisions
– Authorization Decision Document
Section B: Authorization Elements
– Ongoing Authorization
– Type Authorization
– Authorization Approaches
ASSESSMENT AND AUTHORIZATION TASKS
Section A
RMF Step 4 – Assess Security Controls
– Assessment Preparation
– Security Control Assessment
– Security Assessment Report
– Remediation Actions
RMF Step 5 – Authorize Information System
– Plan of Action and Milestones
– Security Authorization Package
– Risk Determination
– Risk Acceptance
Authorization Package
Authorization Decisions
– Authorization to Operate
– Denial of Authorization to Operate
– Interim Authorization to Test
– Interim Authorization to Operate
Authorization Decision Document
– Authorization decision
– Terms and conditions for the authorization
– Authorization termination date
– Risk executive (function) input (if provided)
Knowledge Check
– What is the first task in RMF Step 5, Authorize Information System?
– What documents the results of the security control assessment and provides the authorizing official with essential information needed to make a risk-based decision on whether to authorize operation of an information system or a designated set of common controls?
– What are the contents of the Authorization Package, from System Owner to Authorizing Official?
– What information does the authorization decision document contain?
AUTHORIZATION ELEMENTS
Section B
Ongoing Authorization
– Maintains Knowledge of Current Security State
– Re-execute RMF Step(s)
– Maximize Use of Status Reports
– Reauthorization
  – Time-driven
  – Event-driven
Type Authorization
Definition of Type Authorization
– Official authorization decision to employ identical copies of an information system or subsystem (including hardware, software, firmware, and/or applications) in specified environments of operation.
Authorization Approaches
– Single Authorizing Official
– Multiple Authorizing Officials
– Leveraging an Existing Authorization
Key Concepts & Vocabulary
– Authorization Decisions
– Authorization Decision Document
– Authorization Package
– Authorizing Official
– IATO
– IATT
– POAM
– SAR
– SSP
– Type Authorization
Questions?
Next Module: Continuous Monitoring