Friday, July 15, 2011

Re: Nice - Free MDB Repair: Recovery Toolbox for Access

Sorry, this may be a demo version...
On Jul 15, 5:43 pm, socrtwo <socr...@gmail.com> wrote:
> http://www.mdbrepairfile.com/ - "Recovery Toolbox for Access is a
> powerful Microsoft Access database repair tool specifically designed
> for recovering data from damaged Microsoft Access database files and
> making easy recovery for Access possible. The program supports
> standard database files with *.mdb and *.accdb extensions."
--


Nice - Free MDB Repair: Recovery Toolbox for Access

http://www.mdbrepairfile.com/ - "Recovery Toolbox for Access is a
powerful Microsoft Access database repair tool specifically designed
for recovering data from damaged Microsoft Access database files and
making easy recovery for Access possible. The program supports
standard database files with *.mdb and *.accdb extensions."

Saturday, July 09, 2011

Mobile and Wireless Application Developers

Wireless projects target mobile devices: PDAs, Palm handhelds, smartphones, and Pocket PCs. These devices are the focus of wireless projects for many application developers, and wireless solutions such as wireless devices are flooding the market to give users the right information and content at the right time. This in turn boosts productivity and cuts expenditures for both users and product providers.


To start with, wireless refers to wire-free technologies, which comprise both licensed and unlicensed technologies. Licensed technologies are the cellular technologies used by the public, such as GSM, TDMA, and CDMA. Unlicensed technologies are short-range networks such as LAN, Bluetooth, and radio frequency (RF). Each technology varies in its level of relevance and purpose.


The Current Situation of Wireless Applications


Developers know that mobile devices with wireless connections outnumber computers with internet connections. This is because wireless mobile devices are more secure when it comes to transaction devices.


Hence, wireless and mobile application developers are continuously developing new applications that bring wireless applications to a new level of significance. This is what developers do.

With proper and timely knowledge, wireless developers can build new applications founded on existing mobile application systems. One job of a wireless application developer is to make sure that users still experience the comfort and usability of their mobile devices as if they were using a wired application.


In the future, wireless developers will see to it that the thin line separating wireless devices from wired mobile devices is removed. If possible, wireless devices will even gain a higher level of usability than wired devices.

File Types for Developer Files

The Developer Files category contains files related to software development. These include programming project files, source code files, code libraries, header files, and class files. Compiled objects and components are also included in this category.

Common developer file extensions include .C, .CS, .M, and .JAVA.

| Extension | File Description |
|---|---|
| .$01 | DOS Pipe File |
| .001 | Multimedia Fusion Backup File |
| .4db | 4th Dimension Database Structure File |
| .a | Static Library |
| .a2w | Alice World |
| .ab | Applix Builder File |
| .abc | ABC Source File |
| .abc | ActionScript Byte Code File |
| .acd | RSLogix 5000 Program |
| .act | DS Game Maker Action File |
| .actx | DS Game Maker Action Description File |
| .ada | Ada Source Code |
| .adb | Ada Body File |
| .addin | Visual Studio Add-in Definition File |
| .ads | Ada Specification File |
| .aep | Activ E-Book Project |
| .agi | Asterisk Gateway Interface File |
| .alb | Alpha Five Library |
| .am4 | AutoPlay Media Studio 4 Project File |
| .am5 | AutoPlay Media Studio 5 Project File |
| .am6 | AutoPlay Media Studio 6 Project |
| .am7 | AutoPlay Media Studio 7 Project |
| .apa | RSView Development Project Archive |
| .art | Artifacts Artifact File |
| .artproj | Artifacts Project |
| .as | ActionScript File |
| .asc | ActionScript Communication File |
| .asi | Alpha Five Variable File |
| .asm | Visual Studio Assembler Source Code File |
| .asm | Assembly Language Source Code File |
| .au3 | AutoIt v3 Script |
| .aut | AutoIt Script File |
| .b | BASIC Source File |
| .bas | BASIC Source Code File |
| .bb | Blitz Source Code File |
| .bbc | BBC BASIC Data File |
| .bcp | Borland C++ Makefile |
| .bet | BETA Source File |
| .bpg | Borland Project Group |
| .bpl | Borland Package Library |
| .brx | BREW Application Resource File |
| .bs2 | BASIC Stamp 2 Code File |
| .bsc | Visual Studio Source Browser Information File |
| .bsh | BeanShell Script |
| .c | C/C++ Source Code File |
| .c | Lite-C Script |
| .cap | Construct Game Development File |
| .car | Brew Component Application Resource File |
| .cbl | COBOL Program |
| .cc | C++ Source Code File |
| .ccn | Compressed Multimedia Fusion File |
| .cd | Visual Studio Class Diagram |
| .cfc | ColdFusion Component File |
| .class | Java Class File |
| .cls | Program Class File |
| .cob | COBOL Source Code File |
| .cod | Compiled Source Code |
| .config | Configuration File |
| .cp | Captivate Source File |
| .cp | Xcode C++ Source File |
| .cpp | C++ Source Code File |
| .cs | Visual C# Source Code File |
| .csi | ContentServ Include File |
| .csi | EdLog Program Data File |
| .csn | Adobe Code Snippet Document |
| .csproj | Visual Studio C# Project |
| .cst | ContentServ Template |
| .ctl | Visual Basic UserControl Object File |
| .ctp | CakePHP Template |
| .ctx | Visual Basic Control Binary File |
| .cxx | C++ Source Code File |
| .d | D Source Code File |
| .dbml | Visual Studio OR Design File |
| .dbo | DarkBASIC Object |
| .dbproj | Visual Studio Database Project File |
| .dcp | Delphi Compiled Package |
| .dcu | Delphi Compiled Unit |
| .dec | Declaration File |
| .def | Module-Definition File |
| .dev | Dev-C++ Project File |
| .dex | Dalvik Executable File |
| .df1 | Omnis Native Datafile |
| .dfm | Delphi Form |
| .dob | Visual Basic UserDocument |
| .dox | Visual Basic Binary UserDocument |
| .dox | Doxygen Documentation File |
| .dpk | Delphi Package |
| .dpl | Delphi Package Library |
| .dpr | Delphi Project |
| .dsk | Borland Project Desktop File |
| .dsp | Visual C++ 6 Project |
| .dsym | Xcode Debug Symbols File |
| .dtd | Document Type Definition File |
| .dylib | Mach-O Dynamic Library |
| .edm | Adobe Extension Data Markup Language File |
| .edml | Adobe Extension Data Markup Language Document |
| .edmx | ADO.NET Entity Data Model Designer File |
| .el | Emacs Lisp Code File |
| .elc | Emacs Compiled Lisp File |
| .ent | External Entity |
| .eql | Embedded SQL File |
| .ex | Euphoria Source Code |
| .exp | Symbols Export File |
| .exw | Euphoria Source Code File |
| .f | Fortran Source Code |
| .f90 | Fortran 90 Source File |
| .fbp | wxFormBuilder Project |
| .fce | ForeUI Custom Element File |
| .fcl | ForeUI Custom Library File |
| .fd | DataFlex Data File |
| .fgl | Fifth Generation Language Source File |
| .filters | Visual C++ Project Filters File |
| .fla | Adobe Flash Animation |
| .for | Fortran 77 Source File |
| .fpa | Front Panel Encrypted Order File |
| .fpd | Front Panel Order File |
| .fpm | FPS Creator Map File |
| .fpp | Fortran Source Code |
| .fpp | Front Panel Project |
| .framework | Mac OS X Application Framework |
| .frj | FreeForm-J Project File |
| .frm | Visual Basic Text Form |
| .frx | Visual Basic Binary Form |
| .fs | Visual F# Source File |
| .fsi | Visual F# Signature File |
| .fsproj | FireStarter Project File |
| .fsproj | Visual F# Project File |
| .fsscript | Visual F# Script |
| .fsx | Visual F# Script File |
| .ftl | FreeMarker Template File |
| .fxpl | Adobe Flash FXP Library |
| .gbap | Dream Design Entertainment GLBasic Project File |
| .gbas | Dream Design Entertainment GLBasic Source File |
| .ged | Game Editor Project File |
| .gem | RubyGems Package |
| .glade | Glade Project File |
| .gld | MPLAB C Compiler Linker Script File |
| .global | Global Makefile |
| .gls | GLScript Game Script |
| .gm6 | Game Maker 6 Project File |
| .gmd | Game Maker Program Code |
| .gmk | Game Maker 7 File |
| .gml | Game Maker Language File |
| .gmo | GNU Machine Object File |
| .gorm | Gorm Interface Resource File |
| .gs3 | GameStarter File |
| .h | C/C++ Header File |
| .hal | HansaWorld Application Language File |
| .has | Haskell Script |
| .hh | C++ Header File |
| .hhh | Power C Precompiled Header File |
| .hpf | High Performance Fortran File |
| .hpp | C++ Header File |
| .hs | Haskell Script |
| .hxx | C++ Source Code Header File |
| .i | Visual Studio Intermediate File |
| .i | INTERCAL Source File |
| .idb | Visual Studio Intermediate Debug File |
| .idl | Interface Definition Language File |
| .iml | IntelliJ IDEA Module |
| .inc | Include File |
| .inl | C++ Inline File |
| .ipp | Inline Guard Macro File |
| .ipr | InstallShield Professional Project File |
| .isc | Xilinx Device Configuration File |
| .ise | InstallShield Express Project File |
| .ism | InstallShield Project File |
| .ist | InstallShield Project Template File |
| .iws | IntelliJ IDEA Web Page |
| .iwz | InstallShield Express 2 Project File |
| .j | Java Source File |
| .jav | Java Source File |
| .java | Java Source Code File |
| .jed | Xilinx JEDEC Programming File |
| .jic | JTAG Indirect Configuration File |
| .jpd | Java Process Definition |
| .jpr | JBuilder Project |
| .jpx | JBuilder Project |
| .jsfl | Flash JavaScript File |
| .json | JavaScript Object Notation File |
| .jsxinc | ExtendScript Included Script File |
| .kb | C++ Keyboard Script |
| .kdevdlg | KDevelop Dialog Box File |
| .kdevelop | KDevelop Project Data File |
| .kdevprj | KDevelop Project File |
| .kdmp | Windows Crash Dump File |
| .kpl | Kids Programming Language File |
| .lbi | Dreamweaver Library Item |
| .lbs | Omnis Library |
| .lds | Linux Compile Time Header File |
| .lgo | Logo Instructions File |
| .lhs | Literate Haskell Script |
| .licenses | Visual Studio Licensed Classes File |
| .licx | Visual Studio License File |
| .lis | VAX Program Listing |
| .lit | Literate Haskell Script |
| .lnt | PC-lint/FlexeLint Configuration File |
| .lproj | Localized Project Folder |
| .lrf | Microsoft Linker Response File |
| .lsp | Lisp Program Source Code |
| .lua | Lua Source File |
| .m | Objective-C Implementation File |
| .m4 | Macro Processor Library |
| .magik | Magik Source Code File |
| .mak | Makefile |
| .md | Machine Description File |
| .med | RSView Development Project |
| .mer | RSView Development Runtime File |
| .mf | Java Manifest File |
| .mfa | Multimedia Fusion Development File |
| .mk | Makefile |
| .ml | ML Source Code File |
| .mlb | Visual FoxPro Library |
| .mo | Machine Object File |
| .mod | Fortran Module File |
| .mom | Managed Object Model |
| .mpr | FoxPro Generated Menu Program |
| .msp | MaxScript Page File |
| .mss | Microprocessor Software Specification File |
| .mv | MivaScript File |
| .mvx | Multimedia Fusion Movement Extension |
| .mxml | Flex MXML Component |
| .myapp | Visual Studio Application XML File |
| .ncb | Visual C++ IntelliSense Database |
| .nib | Interface Resources |
| .nqc | Not Quite C Source Code File |
| .nxc | NXC Source Code File |
| .o | Compiled Object File |
| .oca | Custom Control Library Type File |
| .ocx | ActiveX Control |
| .omo | OMake Object File |
| .orderedtest | Visual Studio Ordered Test File |
| .owl | OWL Source Code File |
| .p | Pascal Source Code |
| .p | Python Pickle File |
| .pas | Pascal Source File |
| .pb | PureBasic Source File |
| .pbproj | Project Builder Project |
| .pbxbtree | Xcode Auto-Complete File |
| .pch | Precompiled Header File |
| .pde | Processing Development Environment Source Code File |
| .pdl | Perl Data Language File |
| .pdm | VB Project Information File |
| .pfg | jEEPers Program Configuration File |
| .ph | Perl Header File |
| .pl | Perl Script |
| .pl | Prolog Source Code File |
| .pl1 | PL/I Source Code |
| .plc | PL/B Source File |
| .ple | Messenger Plus! Live Encrypted Log File |
| .pli | PL/I Source Code File |
| .pm | Perl Module |
| .pnt | Panther Project |
| .po | Portable Object |
| .pod | Perl POD File |
| .pom | Maven Build File |
| .pot | Portable Object File |
| .ppl | Free Pascal Dynamic Library |
| .ppu | Free Pascal Unit File |
| .prg | RAPID Program File |
| .pri | Qt Project Include File |
| .pro | Qt Project File |
| .psd1 | Windows PowerShell Data File |
| .psm1 | Windows PowerShell Script Module File |
| .ptl | Rational Rose Petal File |
| .pty | Rational Property Set |
| .pwn | Pawn Source Code File |
| .py | Python Script |
| .pyd | Python Dynamic Module |
| .pym | PYM Macro Preprocessor File |
| .pyw | Python GUI Source File |
| .qpr | FoxPro Generated Query Program |
| .qx | Quexal Source Code |
| .r | Mac OS X Resource File |
| .r | REBOL Script |
| .r | R Script File |
| .rb | REALbasic Project |
| .rb | Ruby Source Code |
| .rbc | Rembo-C Script |
| .rbp | REALbasic Project |
| .rc | Resource Script |
| .rdlc | Visual Studio Client Report Definition File |
| .reb | REBOL Script File |
| .res | C++ Compiled Resource Script |
| .res | Windows Resource File |
| .resources | Visual Studio Resource File |
| .resx | .NET Managed Resources File |
| .rise | RISE Editor Model File |
| .rnc | RELAX NG Compact Syntax File |
| .rpy | Python Script |
| .rsrc | Macintosh Resource File |
| .rss | Symbian Application Resource File |
| .ru | JavaSoft JRE 1.3 Library |
| .rul | InstallShield Rules |
| .s | Source Code File |
| .s19 | Motorola S19 File Record |
| .sas | SAS Program File |
| .sb | Small Basic Source Code File |
| .sb | Scratch Project File |
| .sbr | Visual Studio Source Browser Intermediate File |
| .sc | SuperCollider Source Code File |
| .sdef | AppleScript Dictionary Document |
| .sh | Bash Shell Script |
| .sjava | Synchronous Java File |
| .sll | Static Link Library |
| .sln | Visual Studio Solution File |
| .sma | AMX Mod Plugin Source File |
| .snippet | Visual Studio IntelliSense Code Snippet |
| .so | Shared Library |
| .spt | Cypress Semiconductor Script |
| .spt | ESPL Programming File |
| .src | Source Code |
| .ssc | SourceSafe Status File |
| .ssi | Adobe Dreamweaver Server Side Include File |
| .sud | Super Project Analyzer File |
| .suo | Visual Studio Solution User Options File |
| .sup | Super Project Definition File |
| .svn-base | Subversion Base File |
| .swc | Flex Components Archive |
| .swd | Flash Debug File |
| .t | Turing Source Code File |
| .targets | MSBuild Targets File |
| .tcc | C++ Source Code File |
| .tcl | Tcl Script |
| .tds | Turbo Debugger Symbols File |
| .testrunconfig | Visual Studio Test Run Configuration File |
| .testsettings | Visual Studio Test Settings File |
| .tiprogram | TI-Basic Program File |
| .tk | Tk Script |
| .tlh | Typelib Generated C/C++ Header File |
| .tli | Typelib Generated C/C++ Inline File |
| .tpu | Turbo Pascal Unit |
| .tpx | Turbo Pascal 7 Unit |
| .trx | Visual Studio Test Results File |
| .tt | Visual Studio Text Template |
| .tu | Turing Source File |
| .tur | Turing Program Source File |
| .ui | User Interface File |
| .v | Coq Source Code File |
| .v | Verilog Source Code File |
| .vac | Oc2.316s Cakit File |
| .var | Variable Data |
| .vbg | Visual Basic Project Group File |
| .vbp | Visual Basic Project File |
| .vbproj | Visual Studio Visual Basic Project |
| .vbx | Visual Basic Custom Control |
| .vbz | Visual Basic Project Template |
| .vc | Verge Code File |
| .vc4 | Visual C++ 4 File |
| .vcp | eMbedded Visual C++ Project File |
| .vcproj | Visual C++ Project File |
| .vcx | Visual Fox Pro Class Library |
| .vcxproj | Visual C++ Project |
| .vdm | VEDIT Macro File |
| .vdm | VDM Specification File |
| .vdp | Visual Studio Deployment Project |
| .vdproj | Visual Studio Setup and Deployment Project |
| .vgc | ViziGen Code Generation Template |
| .vhd | VHDL Source File |
| .vic | ViziGen Code Import Mappings File |
| .vpc | ViziGen Configuration File |
| .vsmacros | Visual Studio Binary Macro Project |
| .vsmdi | Visual Studio Test Metadata File |
| .vsmproj | Visual Studio Text Macro Project |
| .vspscc | Visual Studio Project Source Control File |
| .vssscc | Visual Studio Solution Source Control File |
| .vtm | Visual Tool Markup Language Document |
| .vtml | Visual Tool Markup Language File |
| .vtv | Adobe Dreamweaver Validator Configuration File |
| .w | OpenEdge Architect Source Code File |
| .wdl | World Definition Language Script |
| .wsc | Windows Script Component |
| .x | Lex Source Code File |
| .xaml | XAML File |
| .xap | XACT Project |
| .xcode | Xcode Project |
| .xcodeproj | Xcode Project |
| .xib | Interface Builder File |
| .xoml | Windows Workflow File |
| .xsd | XML Schema Definition |
| .xsx | Visual Studio XML Schema Layout File |
| .xt | Xdebug Trace File |
| .yab | Yabasic Source Code |
| .yml2 | YML Script |
| .ymp | YaST Metapackage File |

Friday, July 08, 2011

Continuous Monitoring of Security Certification and Accreditation Process

Continuous Monitoring is the fourth phase of the security certification and accreditation process and comprises the following three principal activities:

- Configuration management and control
- Security control monitoring and impact analyses of changes to the information system
- Status reporting and documentation

The objective of these tasks is to continuously observe and evaluate the information system security controls during the system life cycle to determine whether changes have occurred that negatively affect the system's security. This information is then reported to the authorizing official and the agency senior security officer. If necessary, reaccreditation is performed to ensure that the information system meets the requirements of the system security plan. NIST SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” provides details of the continuous monitoring process, and NIST SP 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems,” offers guidance on evaluating information system security controls.

Continuous monitoring takes place after the initial system security accreditation and involves tracking changes to the information system that occur during its lifetime and determining the impact of those changes on system security. During the lifetime of an information system, necessary changes in hardware, software, and firmware will be implemented. These changes will affect the information system security posture; therefore, an evaluation of the results of these modifications has to be conducted to determine whether corresponding changes have to be made to security controls to return the system to the desired security state. Then, if necessary, appropriate upgrades are made to the security controls, the changes are documented, and the results are reported to the agency authorizing official and senior agency information security personnel. These documents can also be used to meet FISMA requirements for reporting modifications made to address security issues.

NIST SP 800-37 poses the following questions to be asked as part of the continuous monitoring process:

- Could any of the changes to the information system affect the current, identified vulnerabilities in the system or introduce new vulnerabilities into the system?
- If so, would the resulting risk to agency operations, agency assets, or individuals be unacceptable?
- When will the information system need to be reaccredited in accordance with federal or agency policy?

Overall, continuous monitoring involves the following detailed steps:

- Configuration management and control
    - Documentation of information system changes
    - Security impact analysis
- Security control monitoring
    - Security control selection
    - Selected security control assessment
- Status reporting and documentation
    - System security plan update
    - Plan of action and milestones update
    - Status reporting

Configuration management and control ensure the documentation of the proposed or actual changes to the information system. In addition, corresponding updates are made to the system security plan and plan of action. Recall that during the initial certification process, the plan of action and milestones are provided by the information system owner to the authorizing official for use in monitoring the correction of deficiencies discovered during certification. In continuous monitoring, SP 800-37 states that the plan of action and milestones should perform the following functions:

- “Report progress made on the current outstanding items listed in the plan
- Address vulnerabilities in the information system discovered during the security impact analysis or security control monitoring
- Describe how the information system owner intends to address those vulnerabilities (i.e., reduce, eliminate, or accept the identified vulnerabilities)”

This updating of the security plan and plan of action is critical because the information system owner, certification agent, authorizing official, and senior agency information security officer base subsequent security certification and accreditation activities on these plans. Reaccreditation is required when changes to the information system negatively impact the security of the system or when a period of time has elapsed as specified by agency or federal policy.

It is usually not feasible to continuously monitor all of the security controls in an information system. Therefore, the recommended course of action is for the information system owner to choose a subset of the controls to monitor at intervals, the frequency of which is a function of the criticality of the information system and its information to the agency and its operations. FIPS 199 security categorizations are useful in determining the importance of different types of information to an agency.

Thus, security controls would be partitioned into two categories: those that are monitored continuously and those that are monitored periodically.

Monitoring Security Controls


Security control monitoring requires choosing the security controls to be monitored and assessing those controls according to methods determined by the owner of the information system. The selection of controls to be monitored can be supported by using FIPS 199 to determine the security categories of the information and information systems and to identify the elements that are most critical to the organization. This categorization can, in turn, identify the security controls that, if compromised, would result in the most harm to the agency. The security controls selected for monitoring and the frequency of monitoring should be subject to the approval of the information system owner and the authorizing official.

Once the security controls to be monitored are determined, the next step is to assess whether the controls are performing as required in the system security plan. This task is the responsibility of the information system owner and can be implemented through audits, self-assessments, and other evaluation methods. NIST SP 800-53A provides a standard approach to the assessment of NIST SP 800-53 security controls.

NIST SP 800-53A recommends the following criteria for selecting assessment procedures for an information system’s security controls:

- The specific security controls selected and employed by the organization to protect the information system
- The FIPS 199/Special Publication 800-53 impact level of the information system
- The assurance or level of confidence that the organization must have in determining the effectiveness of the security controls in the information system

NIST SP 800-53A describes three basic types of assessment methods: the interview, the examination, and testing. These approaches are intended to verify that the security control is operating as required, implemented properly, and fulfilling the desired security functions in protecting the information system. A summary of the three approaches is given in the following paragraphs.

The Interview


The interview consists of focused meetings and interchanges with appropriate personnel in an agency to gain information and evidence relative to the effectiveness of security controls. Examples of the individuals to be interviewed include:

- Authorizing officials
- Chief information officers
- Facilities managers
- Human resource managers
- Information owners
- Information system operators
- Information system owners
- Information system security managers
- Information system security officers
- Network and system administrators
- Personnel officers
- Physical security officers
- Senior agency information security officers
- Site managers
- Training officers
- Users

Depending on the level of assessment conducted, NIST SP 800-53A defines the following three types of interview:

- Abbreviated: Informal, ad hoc interviews that consist of generalized, high-level discussions with selected organizational personnel on particular topics relating to the specifications, mechanisms, or activities associated with the security control being assessed
- Substantial: Informal, structured interviews that consist of generalized, high-level discussions and specific discussions in targeted areas with selected organizational personnel on particular topics relating to the specifications, mechanisms, or activities associated with the security control being assessed
- Comprehensive: Formal, structured interviews that consist of generalized, high-level discussions and specific, in-depth discussions with selected organizational personnel on particular topics relating to the specifications, mechanisms, or activities associated with the security control being assessed

The Examination


The examination assessment method is used to review, inspect, and analyze assessment objects such as policies, plans, requirements, designs, hardware, firmware, and security activities to determine the effectiveness of information system security controls. This activity is effective for looking into the details of security policies, reviewing audit trails and logs, evaluating backup procedures, examining contingency plans and practice drills, and evaluating incident response procedures. If the results of previous security control assessments are available, they should also be reviewed as part of the examination process. As in the interview process, the depth of the examination can be abbreviated, substantial, or comprehensive. The characteristics of these three depth levels are defined in NIST SP 800-53A as follows:

- Abbreviated: Examinations that consist of brief, high-level reviews, observations, or inspections of selected specifications, mechanisms, or activities associated with the security control being assessed using a limited body of evidence or documentation. These types of examinations are typically conducted using only functional-level descriptions of specifications, mechanisms, or activities, and they employ checklists or other similar assessment techniques consistent with an abbreviated assessment period.
- Substantial: Examinations that consist of detailed analyses, observations, or studies of selected specifications, mechanisms, or activities associated with the security control being assessed using a body of evidence or documentation that is greater than that available during abbreviated examinations. These types of examinations are typically conducted using functional-level descriptions of specifications, mechanisms, or activities and, where appropriate, high-level design information. Substantial examinations employ a variety of analysis techniques and require a longer assessment period than abbreviated examinations do.
- Comprehensive: Examinations that consist of detailed and thorough analyses, observations, or studies of selected specifications, mechanisms, or activities associated with the security control being assessed using a body of evidence or documentation that is greater than that available during substantial examinations. These types of examinations are typically conducted using functional-level descriptions of specifications, mechanisms, or activities, and where appropriate, high-level design, low-level design, and implementation-related information (e.g., source code). Comprehensive examinations employ a variety of sophisticated analysis techniques and require a longer assessment period than substantial examinations do.

Testing


The testing form of assessment involves observing or conducting the operation of physical devices, hardware, software, and firmware and determining whether they exhibit the desired and expected behavior. Examples of testing assessment include tests of:

- Encryption devices
- Contingency plans
- Information system penetration
- Access control mechanisms
- Previous test and audit results
- System backups

The scope of a test is characterized by one of the following three definitions from NIST SP 800-53A:

- Functional testing (black-box testing): Assumes knowledge of the functional specifications, high-level design, and operating specifications of the item under assessment.
- Structural testing (gray-box, white-box testing): Assumes (some) explicit knowledge of the internal structure of the item under assessment (e.g., low-level design, source code implementation representation).
- Penetration testing: A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under no constraints, attempt to circumvent the security features of an information system.

The table below, from NIST SP 800-53A, summarizes the attributes of the assessment methods (interview, examine, test) by information system impact level; a check mark indicates that the attribute value applies at that impact level.

| Attribute | Value | Low | Moderate | High |
|---|---|---|---|---|
| Depth (interview and examine methods only) | Abbreviated | ✓ | - | - |
| | Substantial | - | ✓ | - |
| | Comprehensive | - | - | ✓ |
| Scope (test method only) | Functional (black-box) | ✓ | ✓ | ✓ |
| | Penetration | - | ✓ | ✓ |
| | Structural (gray-box, white-box) | - | - | ✓ |
| Coverage (all methods) | Number and types of assessment objects determined by organizations in collaboration with assessors | ✓ | ✓ | ✓ |

If the assessment reveals that the security controls are not meeting the expected assurance requirements, the system security plan and plan of action have to be updated to indicate corrective actions required.

 

Configuration Management and Control


This task is concerned with documenting any proposed or actual changes to the agency information system and identifying the impact of those changes on the security of the affected information system and on its accreditation. The configuration management and control task is the responsibility of the information system owner.

 

The agency should apply standard configuration management methods and tools to track proposed or actual changes to the information system, including operating system patches, software upgrades, hardware and firmware changes, and other modifications to the computing environment.

Once the proposed or actual changes to the information system are identified and placed under configuration management, the next step is to determine the impact of those changes on the security of the information system. This activity typically includes checking for weakening of existing controls, exposure of new vulnerabilities, or areas where additional security controls are required. If the impact analysis indicates that the security and accreditation posture of the information system is or will be compromised by the changes, compensating controls should be initiated and the plan of action should be updated. Any changes should be coordinated with users and other relevant agency personnel.

NIST SP 800-37 defines security impact analysis as “The analysis conducted by an agency official, often during the continuous monitoring phase of the security certification and accreditation process, to determine the extent to which changes to the information system have affected the security posture of the system.”

 

Environment Monitoring


The information system owner is responsible for monitoring the information system environment for factors that can potentially negatively impact the security of the system and its accreditation. These factors can be the result of legal, political, weather-related, human-initiated, physical, and other types of events. Typical examples of such events are:

 

·         Power failures
·         Facility damage
·         Floods
·         Storms
·         Earthquakes
·         Sabotage
·         Strikes
·         Warfare
·         Terrorist acts
·         Legal actions
·         Political actions
·         Chemicals
·         Water damage
·         Pollution
·         Hackers
·         Viruses and other malware
·         Attacks originating from the Internet
·         Internal threats

 

If specific threats are applicable to a particular agency, then these threats should be used in the determination of security controls for the agency information systems. FIPS 199 security categories are useful in determining the impact level of a particular threat on the agency systems.

 

Documentation and Reporting


An important part of continuous monitoring is documenting the status of the information system and reporting this information to the authorizing official and the agency information security officer. Documentation includes making any changes to the system security plan that delineate changes made or proposed to be made to the information system, and updating the plan of action and milestones. These reports are used to meet the FISMA reporting requirements and to determine whether recertification is necessary.

 

The information system owner is responsible for updating the system security plan, which should include all changes made to the information system. This updating should be done at reasonable intervals to ensure that significant information system changes are reported.

Based on the changes to the information system described in the system security plan, the information system owner is also responsible for updating the plan of action and milestones document. The plan of action and milestones should include the handling of vulnerabilities identified by the security impact analysis and the status of outstanding issues listed in the plan. The authorizing official, senior agency information security officer, information system owner, and security assessor will be using the updated plans to guide future security assessment activities.

As with the system security plan, the frequency of generating the plan of action and milestones is at the discretion of the information system owner but should be done at reasonable intervals to ensure that significant changes to the security posture of the information system are reported. The continuous monitoring results should also be considered.

The plan of action and milestones is used by the senior agency information security officer and the authorizing official to determine whether a security reaccreditation is required. If the decision is that reaccreditation is necessary, the authorizing official will inform the information system owner of the decision.

Reaccreditation should be initiated if one or more of the following events have occurred:

·         Modifications to the information system have negatively impacted the system security controls.
·         Modifications to the information system have introduced new vulnerabilities into the system.
·         The risk to agency operations, agency assets, or individuals has been increased.
·         A specified time period has elapsed, requiring the information system to be reauthorized in accordance with federal or agency policy (typically 3 years).
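The configuration management step described under "Configuration Management and Control" (tracking patches, upgrades and configuration edits against a baseline) and the four reaccreditation triggers listed above can be written as one small check. This is an added example, not code from the page or from NIST; the component inventory and the "cfg-..." hash labels are constructed, and the per-change findings (weakened control, new vulnerability, increased risk) are assumed to be entered by the analyst who performs the security impact analysis.

```python
from dataclasses import dataclass
from datetime import date
# Constructed inventories for a hypothetical system: component -> (version, label
# standing in for the hash of its configuration file). None of this is from the page.
BASELINE = {"openssl": ("1.0.1e", "cfg-aaaa"), "httpd": ("2.4.6", "cfg-bbbb"),
            "sshd": ("7.4", "cfg-cccc")}
OBSERVED = {"openssl": ("1.0.1g", "cfg-aaaa"),   # patch applied
            "httpd": ("2.4.6", "cfg-dddd"),      # configuration file edited
            "sshd": ("7.4", "cfg-cccc"),         # unchanged
            "samba": ("4.9", "cfg-eeee")}        # new service installed
@dataclass
class Change:
    component: str
    kind: str            # "patch", "config", "added" or "removed"
    detail: str
    # Findings of the security impact analysis (an analyst's judgement, assumed input):
    weakens_control: bool = False
    new_vulnerability: bool = False
    raises_risk: bool = False

def detect_changes(baseline, observed):
    """Configuration management step: list every actual change against the baseline."""
    changes = []
    for name in sorted(set(baseline) | set(observed)):
        if name not in observed:
            changes.append(Change(name, "removed", baseline[name][0]))
        elif name not in baseline:
            changes.append(Change(name, "added", observed[name][0]))
        else:
            (bv, bh), (ov, oh) = baseline[name], observed[name]
            if bv != ov:
                changes.append(Change(name, "patch", f"{bv} -> {ov}"))
            if bh != oh:
                changes.append(Change(name, "config", "configuration file modified"))
    return changes

def reaccreditation_reasons(changes, accredited_on, today, period_years=3):
    """Apply the four reaccreditation triggers; an empty list means none fired."""
    reasons = []
    if any(c.weakens_control for c in changes):
        reasons.append("security controls negatively impacted")
    if any(c.new_vulnerability for c in changes):
        reasons.append("new vulnerabilities introduced")
    if any(c.raises_risk for c in changes):
        reasons.append("risk to operations, assets or individuals increased")
    day = 28 if (accredited_on.month, accredited_on.day) == (2, 29) else accredited_on.day
    due = date(accredited_on.year + period_years, accredited_on.month, day)  # 29 Feb -> 28 Feb
    if today >= due:
        reasons.append(f"{period_years}-year authorization period elapsed")
    return reasons
```

Each change returned by detect_changes is a candidate entry for the plan of action and milestones; the reasons list is what the authorizing official would weigh when deciding on reaccreditation.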

Removing a Bios - CMOS Password - Free Article

http://www.dewassoc.com/support/bios/bios_password.htm "Unfortunately, access to computers can, at times, be blocked for all of t...