Authorizing Official Job Profile

What is an Authorizing Official?

Senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and system users.

Core Competencies of Authorizing Official

  • Information Systems/Network Security
  • Vulnerability Assessment
  • Enterprise Architecture
  • Information Assurance
  • Identity Management
  • Network Management
  • Risk Management
  • Criminal Law
  • Cryptography

Authorizing Official must know

  • computer networking concepts and protocols, and network security methodologies.
  • risk management processes (e.g., methods for assessing and mitigating risk).
  • laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
  • cybersecurity and privacy principles.
  • cyber threats and vulnerabilities.
  • specific operational impacts of cybersecurity lapses.
  • cyber defense and vulnerability assessment tools and their capabilities.
  • cryptography and cryptographic key management concepts.
  • organization’s enterprise information security architecture.
  • organization’s evaluation and validation requirements.
  • Security Assessment and Authorization process.
  • cybersecurity and privacy principles used to manage risks related to the use, processing, storage, and transmission of information or data.
  • vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins).
  • cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
  • Risk Management Framework (RMF) requirements.
  • information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
  • current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.
  • new and emerging information technology (IT) and cybersecurity technologies.
  • system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, SQL injection including Procedural Language/Structured Query Language [PL/SQL] injection, race conditions, covert channels, replay, return-oriented attacks, malicious code).
  • structured analysis principles and methods.
  • systems diagnostic tools and fault identification techniques.
  • the organization’s enterprise information technology (IT) goals and objectives.
  • Supply Chain Risk Management practices (NIST SP 800-161).
  • the organization’s core business/mission processes.
  • applicable laws, statutes (e.g., Titles 10, 18, 32, and 50 of the U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
  • information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures.
  • critical infrastructure systems with information communication technology that were designed without system security considerations.
  • network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
  • security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]).
  • security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
  • Personally Identifiable Information (PII) data security standards.
  • Payment Card Industry (PCI) data security standards.
  • Personal Health Information (PHI) data security standards.
  • laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures.
  • confidentiality, integrity, and availability principles.
  • penetration testing principles, tools, and techniques.
  • controls related to the use, processing, storage, and transmission of data.
  • application security risks (e.g., the Open Web Application Security Project [OWASP] Top 10 list).

Key Skills of the Authorizing Official include

  • Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
  • Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Authorizing Official must be able to

  • assess and forecast manpower requirements to meet organizational objectives.
  • develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.
  • coordinate cyber operations with other organization functions or support activities.
  • identify external partners with common cyber operations interests.
  • interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives.
  • work across departments and business units to implement organization’s privacy principles and programs, and align privacy objectives with security objectives.
  • relate strategy, business, and technology in the context of organizational dynamics.
  • understand technology, management, and leadership issues related to organization processes and problem solving.
  • understand the basic concepts and issues related to cyber and its organizational impact.
  • apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
  • identify critical infrastructure systems with information communication technology that were designed without system security considerations.
