Howard | Official (ISC)2® Guide to the CAP® CBK®, Second Edition | E-Book | www.sack.de

E-book, English, 462 pages

Series: (ISC)2 Press

Howard, Official (ISC)2® Guide to the CAP® CBK®, Second Edition

2nd edition, 2013
ISBN: 978-1-4398-2076-6
Publisher: Taylor & Francis
Format: PDF
Copy protection: Adobe DRM




Significant developments since the publication of its bestselling predecessor, Building and Implementing a Security Certification and Accreditation Program, warrant an updated text as well as an updated title. Reflecting recent updates to the Certified Authorization Professional (CAP®) Common Body of Knowledge (CBK®) and NIST SP 800-37, the Official (ISC)2® Guide to the CAP® CBK®, Second Edition provides readers with the tools to effectively secure their IT systems via standard, repeatable processes.

Derived from the author’s decades of experience, including time as the CISO for the Nuclear Regulatory Commission, the Department of Housing and Urban Development, and the National Science Foundation’s Antarctic Support Contract, the book describes what it takes to build a system security authorization program at the organizational level in both public and private organizations. It analyzes the full range of system security authorization (formerly C&A) processes and explains how they interrelate. Outlining a user-friendly approach for top-down implementation of IT security, the book:

- Details an approach that simplifies the authorization process, yet still satisfies current federal government criteria

- Explains how to combine disparate processes into a unified risk management methodology

- Covers all the topics included in the Certified Authorization Professional (CAP®) Common Body of Knowledge (CBK®)

- Examines U.S. federal policies, including DITSCAP, NIACAP, CNSS, NIAP, DoD 8500.1 and 8500.2, and NIST FIPS

- Reviews the tasks involved in certifying and accrediting U.S. government information systems

Chapters 1 through 7 describe each of the domains of the (ISC)2® CAP® CBK®. This is followed by a case study on the establishment of a successful system authorization program in a major U.S. government department. The final chapter considers the future of system authorization. The book’s appendices include a collection of helpful samples and additional information to provide you with the tools to effectively secure your IT systems.


Target audience


Candidates for CAP certification, enterprise information security managers and staff, security professionals, IT auditors, and Infosec consultants


Further information & material


Security Authorization of Information Systems
Introduction
- Legal and Regulatory Framework for System Authorization
- External Program Drivers
- System-Level Security
- Defining System Authorization
- Resistance to System Authorization
- Benefits of System Authorization

Key Elements of an Enterprise System Authorization Program
- The Business Case
- Goal Setting
- Tasks and Milestones
- Program Oversight
- Visibility
- Resources
- Program Guidance
- Special Issues
- Program Integration
- System Authorization Points of Contact
- Measuring Progress
- Managing Program Activities
- Monitoring Compliance
- Providing Advice and Assistance
- Responding to Changes
- Program Awareness, Training, and Education
- Using Expert Systems
- Waivers and Exceptions

NIST Special Publication 800-37, Revision 1, and the Application of the Risk Management Framework to Systems
- Overview
- Authority and Scope
- Purpose and Applicability
- Target Audience

Fundamentals of Information System Risk Management According to NIST SP 800-37, Revision 1
- Guidance on Organization-Wide Risk Management
- Organization Level (Tier 1)
- Mission/Business Process Level (Tier 2)
- Information System Level (Tier 3)
- Guidance on Risk Management in the System Development Life Cycle
- NIST's Risk Management Framework
- Guidance on System Boundary Definition
- Guidance on Software Application Boundaries
- Guidance on Complex Systems
- Guidance on the Impact of Technological Changes on System Boundaries
- Guidance on Dynamic Subsystems
- Guidance on External Subsystems
- Guidance on Security Control Allocation
- Guidance on Applying the Risk Management Framework
- Summary of NIST Guidance

System Authorization Roles and Responsibilities
- Primary Roles and Responsibilities
- Other Roles and Responsibilities
- Additional Roles and Responsibilities from NIST SP 800-37, Revision 1
- Documenting Roles and Responsibilities
- Job Descriptions
- Position Sensitivity Designations
- Personnel Transition
- Time Requirements
- Expertise Requirements
- Using Contractors
- Routine Duties
- Organizational Skills
- Organizational Placement of the System Authorization Function

The System Authorization Life Cycle
- Initiation Phase
- Acquisition/Development Phase
- Implementation Phase
- Operations/Maintenance Phase
- Disposition Phase
- Challenges to Implementation

Why System Authorization Programs Fail
- Program Scope
- Assessment Focus
- Short-Term Thinking
- Long-Term Thinking
- Poor Planning
- Lack of Responsibility
- Excessive Paperwork
- Lack of Enforcement
- Lack of Foresight
- Poor Timing
- Lack of Support

System Authorization Project Planning
- Planning Factors
- Dealing with People
- Team Member Selection
- Scope Definition
- Assumptions
- Risks
- Project Agreements
- Project Team Guidelines
- Administrative Requirements
- Reporting
- Other Tasks
- Project Kickoff
- Wrap-Up
- Observations

The System Inventory Process
- Responsibility
- System Identification
- Small Systems
- Complex Systems
- Combining Systems
- Accreditation Boundaries
- The Process
- Validation
- Inventory Information
- Inventory Tools
- Using the Inventory
- Maintenance
- Observations

Interconnected Systems
- The Solution
- Agreements in the System Authorization Process
- Trust Relationships
- Initiation
- Time Issues
- Exceptions
- Maintaining Agreements

Security Authorization of Information Systems: Review Questions

Information System Categorization
Introduction
- Defining Sensitivity
- Data Sensitivity and System Sensitivity
- Sensitivity Assessment Process
- Data Classification Approaches
- Responsibility for Data Sensitivity Assessment
- Ranking Data Sensitivity
- National Security Information
- Criticality
- Criticality Assessment
- Criticality in the View of the System Owner
- Ranking Criticality
- Changes in Criticality and Sensitivity

NIST Guidance on System Categorization
- Task 1-1: Categorize and Document the Information System
- Task 1-2: Describe the Information System
- Task 1-3: Register the Information System

Information System Categorization: Review Questions

Establishment of the Security Control Baseline
Introduction
- Minimum Security Baselines and Best Practices
- Security Controls
- Levels of Controls
- Selecting Baseline Controls
- Use of the Minimum Security Baseline Set
- Common Controls
- Observations

Assessing Risk
- Background
- Risk Assessment in System Authorization
- The Risk Assessment Process
- Step 1: System Characterization
- Step 2: Threat Identification
- Step 3: Vulnerability Identification
- Step 4: Control Analysis
- Step 5: Likelihood Determination
- Step 6: Impact Analysis
- Step 7: Risk Determination
- Step 8: Control Recommendations
- Step 9: Results Documentation
- Conducting the Risk Assessment
- Risk Categorization
- Documenting Risk Assessment Results
- Using the Risk Assessment
- Overview of NIST Special Publication 800-30, Revision 1
- Observations

System Security Plans
- Applicability
- Responsibility
- Plan Contents
- What a Security Plan Is Not
- Plan Initiation
- Information Sources
- Security Plan Development Tools
- Plan Format
- Plan Approval
- Plan Maintenance
- Plan Security
- Plan Metrics
- Resistance to Security Planning
- Observations

NIST Guidance on Security Controls Selection
- Task 2-1: Identify Common Controls
- Task 2-2: Select Security Controls
- Task 2-3: Develop Monitoring Strategy
- Task 2-4: Approve Security Plan

Establishment of the Security Control Baseline: Review Questions

Application of Security Controls
Introduction
Security Procedures
- Purpose
- The Problem with Procedures
- Responsibility
- Procedure Templates
- Process for Developing Procedures
- Style
- Formatting
- Access
- Maintenance
- Common Procedures
- Procedures in the System Authorization Process
- Observations

Remediation Planning
- Managing Risk
- Applicability of the Remediation Plan
- Responsibility for the Plan
- Risk Remediation Plan Scope
- Plan Format
- Using the Plan
- When to Create the Plan
- Risk Mitigation Meetings
- Observations

NIST Guidance on Implementation of Security Controls
- Task 3-1: Implement Security Controls
- Task 3-2: Document Security Control Implementation

Application of Security Controls: Review Questions

Assessment of Security Controls
Introduction
- Scope of Testing
- Level of Effort
- Assessor Independence
- Developing the Test Plan
- The Role of the Host
- Test Execution
- Documenting Test Results

NIST Guidance on Assessment of Security Control Effectiveness
- Task 4-1: Prepare for Controls Assessment
- Task 4-2: Assess Security Controls
- Task 4-3: Prepare Security Assessment Report
- Task 4-4: Conduct Remediation Actions

Assessment of Security Controls: Review Questions

Information System Authorization
Introduction
System Authorization Decision Making
- The System Authorization Authority
- Authorization Timing
- The Authorization Letter
- Authorization Decisions
- Designation of Approving Authorities
- Approving Authority Qualifications
- Authorization Decision Process
- Actions Following Authorization
- Observations

Essential System Authorization Documentation
- Authority
- System Authorization Package Contents
- Excluded Documentation
- The Certification Statement
- Transmittal Letter
- Administration
- Observations

NIST Guidance on Authorization of Information Systems
- Task 5-1: Prepare Plan of Action and Milestones
- Task 5-2: Prepare Security Authorization Package
- Task 5-3: Conduct Risk Determination
- Task 5-4: Perform Risk Acceptance

Security Controls Monitoring
Introduction
Continuous Monitoring
- Configuration Management/Configuration Control
- Security Controls Monitoring
- Status Reporting and Documentation
- Key Roles in Continuous Monitoring
- Reaccreditation Decision

NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the Information System
- Task 6-1: Analyze Impact of Information System and Environment Changes
- Task 6-2: Conduct Ongoing Security Control Assessments
- Task 6-3: Perform Ongoing Remediation Actions
- Task 6-4: Perform Key Updates
- Task 6-5: Report Security Status
- Task 6-6: Perform Ongoing Risk Determination and Acceptance
- Task 6-7: Information System Removal and Decommissioning

Security Controls Monitoring: Review Questions

System Authorization Case Study
- Situation
- Action Plan
- Lessons Learned
- Tools
- Document Templates
- Coordination
- Role of the Inspector General
- Compliance Monitoring
- Measuring Success
- Project Milestones
- Interim Accreditation
- Management Support and Focus
- Results and Future Challenges

The Future of Information System Authorization
Appendix A: References
Appendix B: Glossary
Appendix C: Sample Statement of Work
Appendix D: Sample Project Work Plan
Appendix E: Sample Project Kickoff Presentation Outline
Appendix F: Sample Project Wrap-Up Presentation Outline

Appendix G: Sample System Inventory Policy
Appendix H: Sample Business Impact Assessment
Appendix I: Sample Rules of Behavior (General Support System)
Appendix J: Sample Rules of Behavior (Major Application)
Appendix K: Sample System Security Plan Outline
Appendix L: Sample Memorandum of Understanding
Appendix M: Sample Interconnection Security Agreement
Appendix N: Sample Risk Assessment Outline
Appendix O: Sample Security Procedure
Appendix P: Sample Certification Test Results Matrix
Appendix Q: Sample Risk Remediation Plan
Appendix R: Sample Certification Statement
Appendix S: Sample Accreditation Letter
Appendix T: Sample Interim Accreditation Letter
Appendix U: Certification and Accreditation Professional (CAP®) Common Body of Knowledge (CBK®)
Appendix V: Answers to Review Questions


About the author

Patrick D. Howard, CISSP, CISM, is a senior consultant for SecureInfo, a Kratos Company. He has over 40 years' experience in security, including 20 years' service as a U.S. Army Military Police officer, and has specialized in information security since 1989. Mr. Howard began his service as the Chief Information Security Officer for the National Science Foundation's Antarctic Support Contract in Centennial, Colorado, in March 2012. He previously served as CISO for the Nuclear Regulatory Commission in Rockville, Maryland, from 2008 to 2012, and for the Department of Housing and Urban Development from 2005 to 2008. Mr. Howard was named a Fed 100 winner in 2007 and is the author of three information security books: The Total CISSP Exam Prep Book (2002); Building and Implementing a Security Certification and Accreditation Program (2006); and Beyond Compliance: FISMA Principles and Best Practices (2011). He is a member of the International Information Systems Security Certification Consortium's Government Advisory Board and of its Executive Writers' Bureau, which he chairs. Mr. Howard is also an adjunct professor of Information Assurance at Walsh College, Troy, Michigan. He graduated with a Bachelor's degree from the University of Oklahoma in 1971 and a Master's degree from Boston University in 1984.


