1. Explain the difference between a General Support System, a Major Application, and a Minor Application, and explain how you determine the accreditation boundary.
2. Explain each of the three different ways to assess a security control and give an example of how each one is used.
3. Explain the 4 phases of assessing security controls.
Please, I need an answer to this. Thanks!
1. General Support System:- It is an interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people. A GSS can be, for example, a LAN including smart terminals that supports a branch office, an agency-wide backbone, a communications network, a departmental data processing center including its operating system and utilities, a tactical radio network, or a shared information processing service organization.
Major Application:- A major application is expected under FIPS 199 to have an impact level of moderate or high, as these are more critical systems. Major applications are systems that perform a clearly specified function, for which there are readily identifiable threats.
Minor Application:- Applications which are not deemed major are minor applications. Minor applications inherit most of their security controls from the GSS, or occasionally, the MA if they are part of one. Minor applications can have an impact rating of low or moderate, but if a minor application resides on a system that does not have adequate boundary protection, the minor application must implement the minimum security requirements required by the system.
2. The three different ways to assess a security control are as follows:-
i) Management security is the overall design of your controls. Sometimes referred to as administrative controls, these provide the guidance, rules, and procedures for implementing a security environment.
ii) Operational security is the effectiveness of your controls. Sometimes referred to as technical controls, these include access controls, authentication, and security topologies applied to networks, systems, and applications.
iii) Physical security is the protection of personnel, data, hardware, etc., from physical threats that could harm, damage, or disrupt business operations or impact the confidentiality, integrity, or availability of systems and/or data.
3. The 4 phases of assessing a security control are as follows:-
i) Identify:- It is the process of identifying your digital assets.
ii) Protection:- It includes a variety of processes, from implementing security policies to installing sophisticated software that provides advanced data risk management capabilities.
iii) Implementation:- It includes the adoption of formal policies and data security controls.
iv) Risk Monitoring:- Adopting an information risk management framework is critical to providing a secure environment for your technical assets.