Organizational and Operational Environment
A security-focused description of an information system, its operational policies, classes of users, and interactions with other systems.
Security CONOP
A security measure designed to protect a communications system against acceptance of fraudulent transmission
Authentication
A software and/or hardware product that is commercially ready-made and available for sale, lease, or license to the public.
COTS (Commercial-off-the-shelf)
System engineering activities intended to deter and/or delay exploitation of critical technologies
Anti-tamper
One of three types of actions (i.e., examine, interview, test) taken by assessors in obtaining evidence during an assessment
Assessment method
An aggregation of information system components that is designated for configuration management and treated as a single entity in the configuration management process
Configuration Item
A chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation.
Audit trail
A security principle in which any user or process is given only the minimum necessary privileges to perform their job function.
Least Privilege
A cybersecurity strategy that uses multiple security controls in a layered manner to protect systems.
Defense-in-depth
Cryptographic transformation of data from plaintext to ciphertext
Encryption
It encompasses all essential stakeholder security requirements from functional to legal.
Organizational Environment
Defense-in-depth is also known as
layered security
An access control primarily associated with organizations that assign clearance levels to all users and classification levels to all assets.
Need-to-know
Key tools in creating a system security design includes functional flow block diagrams and requirements allocation worksheets, but does not require timelines.
False, timeline are key to determining when controls will be implemented.
Authorizing Officials are required to accept common control assessments by other SCAs. This is
Reciprocity
Identifying relevant constraints that could impact the system security including any assumption
Organizational Environment
Controls that are implemented in parallel is a good example of defense-in-depth
False, the control have to be implemented in series to constitute defense-in-depth
Documenting the system security requirements baseline is one of the requirements. which two items are used to craft the baseline.
Security context and CONOPS
Traceability between system requirements and the proposed designed must be maintained using one of three different options. Formal tools is one, tagging is a second. What is the third method
Metadata
Assurance from a third party provider, as to whether the security controls are implemented and functioning as intended can be determined by reviewed which type third-party audit
SOC2
Considering assets, threats, vulnerabilities, likelihood, and impact and then generating a Security Test Plan is part of understanding the
Operational Environment
Separation of Duties (SoD) is considered an adequate access control, negating the need to least privilege or need-to-know
False, this would not satisfy the defense-in-depth requirement is all other access controls were negated.
Security requirements need to be actionable and relevant but do not need to be in alignment with the overarching security startegy.
False, the primary outcome of all security activity is Strategic Alignment
GOTS and COTS are determined to be adequate/inadequate by what method
Trade-off studies
Confirming the stakeholder's security requirements
Validation