Domain 2 of 8 · Chapter 3 of 6

Secure Provisioning

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • The asset-management loop: own it, build it to baseline, inventory it
  • Ownership as a provisioning control: owner decides, custodian implements
  • Provisioning to a baseline: harden first, least functionality, change control
  • Asset inventory and the CMDB: you cannot protect what you cannot see
  • Exam-pattern recognition: how secure-provisioning questions are framed

Asset-security roles: who decides versus who implements

AspectInformation ownerSystem ownerCustodian
AltitudeSenior business / data stewardSenior business / system managerIT / operations
Core responsibilitySets controls and classification for specified informationDevelops, operates, maintains, and disposes of the systemImplements and runs the controls the owner specifies
Accountable or responsibleAccountable (cannot be delegated)Accountable (cannot be delegated)Responsible for performing the work
Provisioning decisionWhat protection the data requiresHow the system is built and maintained to deliver itApplies the hardened baseline and keeps it current
Inventory roleOwns the data assets recordedOwns the system components recorded (CM-8)Maintains inventory accuracy on install/removal

Cheat sheet

  • Provision to a hardened baseline before deploy, not after
  • A baseline configuration changes only through change control
  • Least functionality means provision only essential capabilities
  • The information owner is accountable for setting an asset's controls
  • The system owner is responsible for the system across its whole life
  • The custodian implements the controls the owner specifies
  • Accountability cannot be delegated, only the responsibility to perform
  • An asset is anything of value, tangible or intangible
  • Inventory intangible assets too. Licenses and IP carry compliance risk
  • CM-8 requires a complete, accurate, non-duplicating component inventory
  • Update the inventory on every install, removal, and system update
  • The inventory carries the owner field that makes accountability queryable
  • A CMDB is the system of record tying identity, owner, and baseline together
  • You cannot protect what you cannot see. Inventory is the foundation
  • Ownership is the gate that makes a secure build possible
  • Provision from a standardized hardened image (golden / CIS Hardened Image)

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. NIST glossary: asset (NIST SP 800-160 Vol. 2 Rev. 1) Whitepaper
  2. NIST glossary: information owner (FIPS 200 / SP 800-37 / SP 800-53) Whitepaper
  3. NIST glossary: system owner (CNSSI 4009-2015) Whitepaper
  4. NIST glossary: baseline configuration (NIST SP 800-128) Whitepaper
  5. NIST SP 800-53 Rev. 5 (CM-2, CM-6, CM-7, CM-8 Configuration Management family) Whitepaper