This security control defines and documents the types of accounts allowed and specifically prohibited for use within the system.
What is AC-2, Account Management?
A document outlining the scope, methods, and resources for evaluating the security measures implemented in a system, ensuring a structured and effective assessment process.
What is a Security Assessment Plan (SAP)?
The set of minimum security controls defined for a low impact, moderate impact, or high impact information system.
What are Security Control Baselines?
These controls focus on collecting and reviewing information about operational activity within the organization and system environments.
What is the Audit and Accountability Family?
Provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.
What is a Security Assessment Report?
This process achieves solutions that support organizational mission and business needs and provide security and privacy protections commensurate with risk.
What is Tailoring Controls?
These controls focus on identifying devices, system users, or processes acting on behalf of users. Controls authenticate (or verify) the identities of those devices, users, or processes as a prerequisite to allowing access.
This is a concise statement that summarizes a specific problem or issue identified during an audit, outlining the condition, cause, criteria, effect, and a recommended solution.
What is a Finding Statement?
There are three potential assessment methods, which are:
What is Examine, Interview, and Test?
A security or privacy control implemented partially as a common control (shared across multiple systems) and partially as a system-specific control (unique to a specific system).
What is a Hybrid Control?
This contains: (i) the security plan; (ii) the security assessment report (SAR); and (iii) the plan of action and milestones (POA&M).
What is an Authorization Package?
A provider of external system services to an organization through a variety of consumer-producer relationships, including joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain exchanges.
What is an External System Service Provider?
This security control covers verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator.
What is IA-5, Authenticator Management?
A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor-sensitive, security management) defined by an organization or in some instances, by a specific law, Executive Order, directive, policy, or regulation.
What is an Information Type?
The official management decision given by a senior Federal official or officials to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security and privacy controls. Authorization also applies to common controls inherited by agency information systems.
What is an Authorization to Operate?