
Ultimately, the responsibility for adequately mitigating unacceptable risks arising from the use of external information system services remains with authorizing officials. Organizations require that appropriate chains of trust be established with external service providers when dealing with the many issues associated with information system security. Organizations establish and retain a level of trust that participating service providers in the potentially complex consumer-provider relationship provide adequate protection for the services rendered to organizations. The chain of trust can be complicated due to the number of entities participating in the consumer-provider relationship and the types of relationships between the parties. External service providers may also outsource selected services to other external entities, making the chain of trust more difficult and complicated to manage. Depending on the nature of the services, organizations may find it impossible to place significant trust in external providers. This situation is due not to any inherent untrustworthiness on the part of providers, but to the intrinsic level of risk in the services.[48]

[46] Commercial providers of commodity-type services typically organize their business models and services around the concept of shared resources and devices for a broad and diverse customer base. Therefore, unless organizations obtain fully dedicated services from commercial service providers, there may be a need for greater reliance on compensating security controls to provide the necessary protections for the information system that relies on those external services. Organizational assessments of risk and risk mitigation activities reflect this situation.

[47] For example, procurement originators could authorize information systems providing external services to the federal government under the specific terms and conditions of the contracts. Federal agencies requesting such services under the terms of the contracts would not be required to reauthorize the information systems when acquiring such services (unless the request included services outside the scope of the original contracts).

[48] There may also be risk in disallowing certain functionality because of security concerns. Security is merely one of multiple considerations in an overall risk determination.

CHAPTER 2 PAGE 19

Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations

Where a sufficient level of trust cannot be established in the external services and/or providers, organizations can: (i) mitigate the risk by employing compensating controls; (ii) accept the risk within the level of organizational risk tolerance; (iii) transfer risk by obtaining insurance to cover potential losses; or (iv) avoid risk by choosing not to obtain the services from certain providers (resulting in performance of missions/business operations with reduced levels of functionality or possibly no functionality at all).[49] For example, in the case of cloud-based information systems and/or services, organizations might require, as a compensating control, that all information stored in the cloud be encrypted for added security of the information. Alternatively, organizations may require encrypting some of the information stored in the cloud (depending on the criticality or
