Part 9 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).

2. Categorize
Select
Implement
Assess
Authorize
Monitor

9. Categorize
Select
Implement
Assess
Authorize
Monitor

14.  Management
 Operational
 Technical
 Implemented correctly
 Operating as intended
 Producing the desired outcome
factual basis for an authorizing official to render a
security accreditation decision

15. An information security assessment is the process of
determining how effectively an entity being assessed
meets specific security objectives.
Three types of assessment methods can be used to
accomplish this—testing, examination, and
interviewing.
Assessment results are used to support the
determination of security control effectiveness over
time.
- NIST SP 800-115

16. “Independent review and examination
of records and activities to assess the
adequacy of system controls and
ensure compliance with established
policies and operational procedures.”
- CNSS Instruction No. 4009

17. “Examination and analysis of the safeguards
required to protect an information system,
as they have been applied in an operational
environment, to determine the security
posture of that system.”
- CNSSI No. 4009

18. Testing is the process of exercising one or more assessment objects under
specified conditions to compare actual and expected behaviors.
Examination is the process of checking, inspecting, reviewing, observing,
studying, or analyzing one or more assessment objects to facilitate
understanding, achieve clarification, or obtain evidence.
Interviewing is the process of conducting discussions with individuals or
groups within an organization to facilitate understanding, achieve
clarification, or identify the location of evidence.
Source NIST SP 800-115

19. “The security certification and accreditation process is
designed to ensure that an information system will
operate with the appropriate management review, that
there is ongoing monitoring of security controls, and
that reaccreditation occurs periodically.”
NIST SP 800-100

20. “Security certification is a
comprehensive assessment of the
management, operational, and
technical security controls in an
information system, made in support
of security accreditation, to
determine the extent to which the
controls are implemented correctly,
operating as intended, and producing
the desired outcome with respect to
meeting the security requirements for
the system. The results of a security
certification are used to reassess the
risks and update the system security
plan, thus providing the factual basis
for an authorizing official to render a
security accreditation decision.” NIST
SP 800-100

23. From
OMB M-10-15 - FY 2010

25. Categorize
Select
Implement
Assess
Authorize
Monitor

26. Planning
Information
Gathering
Business Process
Assessment
Technology
Assessment
Risk Analysis &
Reporting

28. use independent assessor
self-assessment

33. Plan
Execute
Post
Execution
FISCAM NIST SP 800-115
Plan
PerformReport

38. Task 1“Assemble any documentation and supporting materials
necessary for the assessment of the security controls in the
information system; if these documents include previous
assessments of security controls, review the findings, results,
and evidence.”
Task 2 “Select, or develop when needed, appropriate methods
and procedures to assess the management, operational, and
technical security controls in the information system.”
Task 3 “Assess the management, operational, and technical
security controls in the information system using methods and
procedures selected or developed.”
Task 4 “Prepare the final security assessment report.”
NIST SP 800-37

39. Task 1“Provide the information system owner with the security
assessment report.”
Task 2 “Update the system security plan (and risk assessment)
based on the results of the security assessment and any
modifications to the security controls in the information
system.”
Task 3 “Prepare the plan of action and milestones based on the
results of the security assessment.”
Task 4 “Assemble the final security accreditation package and
submit to authorizing official.”
NIST SP 800-37

44. Knowledge
SkillAbility

45. *GAO recommends 65% of audit staff to be CISA

52. “Risk assessments should be used to guide the
rigor and intensity of all security control
assessment related activities associated with the
information system to enable cost effective, risk-
based implementation of key elements in the
organization’s information security program”
- NIST SP 800-37 rev 1

55. Populations over 250
Control Testing Sample Size Table
Significance of Control Inherent Risk Minimum Sample Size1
High High 60
High Low 40
Moderate High 40
Moderate Low 25
Compliance Testing Sample Size Table
Desired Level of
Assurance Minimum Sample Size1
High 60
Moderate 40
Low 25
1: No exceptions expected

62. 



66. Governance
RiskCompliance
Dashboards
Metrics
Checklists
Reporting
Trend Analysis
Remediation

70. Input
• Data
Entry
Data
Collection
• Database
Storage
Output • Reports

81. Where is the best place to scan from?
What strategy would you use to scan
systems?
External scan found 2
critical vulnerabilities
Internal scan found 15
critical vulnerabilities
Authenticated internal
scan found 35 critical
vulnerabilities

83. Observers
& Referees
Mimic real-world attacks
Unannounced

84. Announced

85. Red Team
“A test methodology in which assessors, typically working under
specific constraints, attempt to circumvent or defeat the security
features of an information system. “
- CNSSI No. 4009

88. Authenticated internal
scan found 35 critical
vulnerabilities
Discovery
Gain Access
Escalate
Privilege
System
Browsing
Install Tools
External scan found 2
critical vulnerabilities
Discovery
Gain Access
Escalate
Privilege
System
Browsing
Install Tools

98. *Definition form ISACA

100. DoDI 8510.01, November 28, 2007

101. DoDI 8510.01, November 28, 2007

107. implemented correctly,
operating as intended, and producing the desired outcome