book

FISMA Compliance Handbook

Name: FISMA Compliance Handbook
Author: Laura P. Taylor
ISBN: 9780124059153

by Laura P. Taylor

August 2013

Intermediate to advanced

350 pages

10h 52m

English

Syngress

Read now

Unlock full access

Cover image
Title page
Table of Contents
Copyright
Dedication
Author Acknowledgments
About the Author
Foreword
Chapter 1. FISMA Compliance Overview
AbstractTopics in this chapterIntroductionTerminologyProcesses and paperworkTemplates streamline the processFISMA oversight and governanceSupporting government security regulationsSummaryReferences
Chapter 2. FISMA Trickles into the Private Sector
AbstractTopics in this chapterIntroduction and authoritiesInspector General reportsWhat should NGOs do regarding FISMA?FISMA compliance toolsSummary
Chapter 3. FISMA Compliance Methodologies
AbstractTopics in this chapterIntroductionThe NIST risk management framework (RMF)Defense information assurance C&A process (DIACAP)Department of defense (DoD) risk management framework (RMF)ICD 503 and DCID 6/3The common denominator of FISMA compliance methodologiesFISMA compliance for private enterprisesLegacy methodologiesSummaryNotes

Chapter 4. Understanding the FISMA Compliance Process
AbstractTopics in this chapterIntroductionRecognizing the need for FISMA complianceRoles and responsibilitiesStepping through the processFISMA project managementSummary
Chapter 5. Establishing a FISMA Compliance Program
AbstractTopics in this chapterIntroductionCompliance handbook developmentCreate a standardized security assessment processProvide package delivery instructionsAuthority and endorsementImprove your compliance program each yearProblems of not having a compliance programSummary
Chapter 6. Getting Started on Your FISMA Project
AbstractTopics in this chapterIntroductionInitiate your projectAnalyze your researchDevelop the documentsVerify your informationRetain your ethicsSummary
Chapter 7. Preparing the Hardware and Software Inventory
AbstractTopics in this chapterIntroductionDetermining the system boundariesCollecting the inventory informationStructure of inventory informationDelivery of inventory documentSummary
Chapter 8. Categorizing Data Sensitivity
AbstractTopics in this chapterIntroductionHeed this warning before you startConfidentiality, Integrity, and AvailabilityTemplate for FIPS 199 ProfileThe explanatory memoNational Security SystemsSummary
Chapter 9. Addressing Security Awareness and Training
AbstractTopics in this chapterIntroduction and authoritiesPurpose of security awareness and trainingElements of the security awareness and training planSpecialized security trainingSecurity awarenessThe awareness and training messageSecurity awareness and training checklistSecurity awareness course evaluationSummaryReference
Chapter 10. Addressing Rules of Behavior
AbstractTopics in this chapterIntroductionImplementing Rules of BehaviorRules for internal and external usersWhat rules to includeConsequences of noncomplianceRules of Behavior checklistSummary
Chapter 11. Developing an Incident Response Plan
AbstractTopics in this chapterIntroductionPurpose and applicabilityPolicies, procedures, and guidelinesReporting frameworkRoles and responsibilitiesDefinitionsIncident handlingForensic investigationsIncident typesIncident Response Plan checklistSecurity Incident Reporting FormSummaryAdditional resourcesIncident response organizationsBooks on incident responseArticles and papers on incident response
Chapter 12. Conducting a Privacy Impact Assessment
AbstractTopics in this chapterIntroductionPrivacy laws, regulations, and rightsOMB Memoranda with privacy implicationsLaws and regulationsWhen to conduct a PIA?Questions for a privacy impact assessmentPersonally identifiable information (PII)Persistent tracking technologiesDecommissioning of PIISystem of record notice (SORN)Posting the privacy policyPIA checklistSummaryBooks on privacyReferences
Chapter 13. Preparing the Business Impact Analysis
AbstractTopics in this chapterIntroductionTerminologyDocument actual recovery timesEstablish relative recovery prioritiesDefine escalation thresholdsRecord license keysBIA OrganizationSummaryAdditional resources
Chapter 14. Developing the Contingency Plan
AbstractTopics in this chapterIntroductionList assumptionsConcept of operationsRoles and responsibilitiesLevels of disruptionProceduresLine of successionService-Level AgreementsContact listsTesting the Contingency PlanAppendicesContingency Plan checklistAdditional resources
Chapter 15. Developing a Configuration Management Plan
AbstractTopics in this chapterIntroductionEstablish definitionsDescribe assets controlled by the planDescribe the configuration management systemDefine roles and responsibilitiesDescribe baselinesChange control processConfiguration management auditConfiguration and change management toolsConfiguration Management Plan checklistSummaryAdditional resources
Chapter 16. Preparing the System Security Plan
AbstractTopics in this chapterIntroductionLaws, regulations, and policiesThe system descriptionSecurity controls and requirementsManagement controlsOperational controlsTechnical controlsISSO appointment letterSystem security plan checklistSummaryAdditional resourcesNote
Chapter 17. Performing the Business Risk Assessment
AbstractTopics in this chapterIntroductionDetermine the missionCreate a mission mapConstruct risk statementsDescribe the sensitivity modelQuantitative risk assessmentQualitative versus quantitative risk assessmentMake an informed decisionSummaryBooks and articles on risk assessmentReferences
Chapter 18. Getting Ready for Security Testing
AbstractTopics in this chapterIntroduction and authoritiesPlanningScopingAssumptions and constraintsScheduleRules of EngagementLimitation of LiabilityEnd of testingSummaryAdditional resources
Chapter 19. Submitting the Security Package
AbstractTopics in this chapterIntroductionStructure of documentsWho puts the package together?Markings and formatSignature pagesA word about “Not Applicable” informationSubmission and revisionDefending the Security PackageChecklistSummaryAdditional resources
Chapter 20. Independent Assessor Audit Guide
AbstractTopics in this chapterIntroductionTest against the System’s security control baselineHow does confidentiality, integrity, and availability fit in?Manual and automated testingSecurity testing toolsInfrastructure scannersEvaluations by Inspector GeneralsEvaluations by the Government Accountability OfficeSummary
Chapter 21. Developing the Security Assessment Report
AbstractTopics in this chapterIntroductionAnalysis of test resultsRisk assessment methodologyPresent the risksChecklistMake decisionsCertificationAuthority to operateInterim authority to operateSummaryAdditional resources
Chapter 22. Addressing FISMA Findings
AbstractTopics in this chapterIntroductionPOA&MsDevelopment and approvalPOA&M elementsA word to the wiseChecklistSummary
Chapter 23. FedRAMP: FISMA for the Cloud
AbstractTopics in this chapterIntroductionWhat is cloud computing?Looking at virtual machines another wayShardingContent delivery networksFedRAMP security independent assessorsFedRAMP security assessmentsThe great value of FedRAMPFedRAMP organizationSummaryResources
Appendix A. FISMA
Title III—Information Security
Appendix B. OMB Circular A-130 Appendix III
Security of federal automated information resources
Appendix C. FIPS 199
ForewordAuthorityTable of contents1 Purpose2 Applicability3 Categorization of information and information systemsAPPENDIX A Terms and definitionsAPPENDIX B References
Index

Content preview from FISMA Compliance Handbook

Chapter 20

Independent Assessor Audit Guide

Abstract

Independent assessors review the Security Package and test the security controls for compliance. Tests for confidentiality, integrity, and availability are performed. Tests can be manual or automated, or a combination of both. Independent assessors commonly use checklists for performing security reviews and audits. Audits are also performed by Inspector Generals and the Government Accountability Office.

Keywords

Independent assessor; Integrity; Confidentiality; Availability; Audit; Scanners; Security testing tools; Tools; GAO; Government Accountability Office

To give no trust is to get no trust.

—Lao-Tzu (sixth century B.C.)

Topics in this chapter

• Testing against the system’s security control baseline ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780124058712

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

FISMA Compliance Handbook

by Laura P. Taylor

Independent Assessor Audit Guide