1
00:00:00,150 --> 00:00:00,983
Now, in this video,

2
00:00:00,983 --> 00:00:03,630
we're going to continue on to Step 6,

3
00:00:03,630 --> 00:00:06,450
which is called Authorize.

4
00:00:06,450 --> 00:00:09,810
The goal of Step 6 is to create a culture of accountability

5
00:00:09,810 --> 00:00:12,990
in your organization by requiring senior management

6
00:00:12,990 --> 00:00:16,290
to determine which risks can be accepted

7
00:00:16,290 --> 00:00:18,360
and which ones cannot.

8
00:00:18,360 --> 00:00:21,810
There are five tasks here in step number six.

9
00:00:21,810 --> 00:00:24,240
Now, let's take a look at each one.

10
00:00:24,240 --> 00:00:26,490
When you complete Task R-1,

11
00:00:26,490 --> 00:00:29,370
your organization will have an authorization package

12
00:00:29,370 --> 00:00:31,680
with an executive summary.

13
00:00:31,680 --> 00:00:35,190
The authorization package could be created manually

14
00:00:35,190 --> 00:00:37,503
or it could be automatically generated

15
00:00:37,503 --> 00:00:41,190
from a security or privacy management tool

16
00:00:41,190 --> 00:00:44,790
and then submitted to your authorizing official.

17
00:00:44,790 --> 00:00:48,660
But what's inside an authorization package?

18
00:00:48,660 --> 00:00:50,790
The authorization package includes security

19
00:00:50,790 --> 00:00:55,530
and privacy plans, assessment reports, plans of action

20
00:00:55,530 --> 00:00:58,590
and milestones, and an executive summary.

21
00:00:58,590 --> 00:01:01,020
The authorization package will then be handed over

22
00:01:01,020 --> 00:01:06,000
to the authorizing official for their review and approval.

23
00:01:06,000 --> 00:01:08,370
Additional information can be included

24
00:01:08,370 --> 00:01:11,250
if your authorizing official requests it.

25
00:01:11,250 --> 00:01:13,350
Make sure to maintain version

26
00:01:13,350 --> 00:01:17,640
and change control of your authorization packages.

27
00:01:17,640 --> 00:01:20,190
By the end of Task R-2,

28
00:01:20,190 --> 00:01:23,850
you'll have a risk determination that has been decided on

29
00:01:23,850 --> 00:01:27,450
by your organization's authorizing official.

30
00:01:27,450 --> 00:01:29,197
The authorizing official, in collaboration

31
00:01:29,197 --> 00:01:32,790
with your information security officer and privacy officer,

32
00:01:32,790 --> 00:01:36,750
will analyze the information in the authorization package

33
00:01:36,750 --> 00:01:40,230
and will finalize the risk management approach.

34
00:01:40,230 --> 00:01:43,500
And when you finish the next task, R-3,

35
00:01:43,500 --> 00:01:46,470
your organization will have a clear set of responses

36
00:01:46,470 --> 00:01:50,490
for the risks that were documented in the previous task.

37
00:01:50,490 --> 00:01:52,350
After risk determination,

38
00:01:52,350 --> 00:01:55,830
your organization can do one of two things:

39
00:01:55,830 --> 00:01:59,790
you can either accept the risk, that is to not do anything

40
00:01:59,790 --> 00:02:02,190
and hope that nothing bad happens,

41
00:02:02,190 --> 00:02:04,500
or you can mitigate the risk.

42
00:02:04,500 --> 00:02:06,960
It may be appropriate to accept a risk

43
00:02:06,960 --> 00:02:09,300
if the cost to mitigate it would be higher

44
00:02:09,300 --> 00:02:13,020
than the possible harm the risk could cause.

45
00:02:13,020 --> 00:02:16,710
When accepting a risk, make sure to keep documentation of it

46
00:02:16,710 --> 00:02:19,890
and continue to monitor the source of the risk

47
00:02:19,890 --> 00:02:21,630
for any changes.

48
00:02:21,630 --> 00:02:24,240
However, please remember that the only person

49
00:02:24,240 --> 00:02:28,140
who can approve of a risk being mitigated or accepted

50
00:02:28,140 --> 00:02:30,660
is the authorizing official.

51
00:02:30,660 --> 00:02:33,330
When mitigating a risk, your planned mitigation

52
00:02:33,330 --> 00:02:37,350
should be included in and tracked using your POAM,

53
00:02:37,350 --> 00:02:41,220
which stands for Plan of Action and Milestones.

54
00:02:41,220 --> 00:02:43,410
Once mitigated, your assessment team

55
00:02:43,410 --> 00:02:45,780
will reassess the controls in play,

56
00:02:45,780 --> 00:02:48,300
then update the assessment reports

57
00:02:48,300 --> 00:02:51,120
without getting rid of the original ones.

58
00:02:51,120 --> 00:02:53,190
When you complete Task R-4,

59
00:02:53,190 --> 00:02:55,650
your new system will either have an authorization

60
00:02:55,650 --> 00:02:59,550
or a denial from your authorizing official.

61
00:02:59,550 --> 00:03:02,850
Again, no one besides the authorizing official

62
00:03:02,850 --> 00:03:06,330
should be able to approve or deny the authorization

63
00:03:06,330 --> 00:03:07,980
to operate your system.

64
00:03:07,980 --> 00:03:10,740
You can expect that the authorizing official will talk

65
00:03:10,740 --> 00:03:13,200
with your senior risk management officer

66
00:03:13,200 --> 00:03:16,080
before making the final authorization decision

67
00:03:16,080 --> 00:03:18,690
for the system and its controls.

68
00:03:18,690 --> 00:03:21,720
Once decided, your authorizing official

69
00:03:21,720 --> 00:03:26,460
will tell the system owner or the common control provider

70
00:03:26,460 --> 00:03:30,750
of their decision along with the terms and conditions

71
00:03:30,750 --> 00:03:34,710
for the system to operate with authorization.

72
00:03:34,710 --> 00:03:38,460
They will also set the authorization termination date,

73
00:03:38,460 --> 00:03:41,310
which is when the system will no longer be authorized

74
00:03:41,310 --> 00:03:43,860
and will need to be reviewed once again.

75
00:03:43,860 --> 00:03:47,070
Finally, when you finish Task R-5,

76
00:03:47,070 --> 00:03:50,550
you'll have a report that states the authorization decision

77
00:03:50,550 --> 00:03:53,640
for your system or set of common controls

78
00:03:53,640 --> 00:03:58,230
along with an annotation of its authorization status

79
00:03:58,230 --> 00:04:01,443
in your organization's system registry.