Book description
Providing an overview of certification and accreditation, the second edition of this officially sanctioned guide demonstrates the effectiveness of C&A as a risk management methodology for IT systems in public and private organizations. It enables readers to document the status of their security controls and learn how to secure IT systems via standard, repeatable processes. The text describes what it takes to build a certification and accreditation program at the organization level and analyzes various C&A processes and how they interrelate. A case study illustrates the successful implementation of certification and accreditation in a major U.S. government department.
Table of contents
- Preface
- Acknowledgments
- About the Author
- Chapter 1: Security Authorization of Information Systems
- Introduction
- Key Elements of an Enterprise System Authorization Program
- The Business Case
- Goal Setting
- Tasks and Milestones
- Program Oversight
- Visibility
- Resources
- Program Guidance
- Special Issues
- Program Integration
- System Authorization Points of Contact
- Measuring Progress
- Managing Program Activities
- Monitoring Compliance
- Providing Advice and Assistance
- Responding to Changes
- Program Awareness, Training, and Education
- Using Expert Systems
- Waivers and Exceptions
- NIST Special Publication 800-37, Revision 1, and the Application of the Risk Management Framework to Systems
- Fundamentals of Information System Risk Management According to NIST SP 800-37, Revision 1
- Guidance on Organization-Wide Risk Management
- Organization Level (Tier 1)
- Mission/Business Process Level (Tier 2)
- Information System Level (Tier 3)
- Guidance on Risk Management in the System Development Life Cycle
- NIST’s Risk Management Framework
- Guidance on System Boundary Definition
- Guidance on Software Application Boundaries
- Guidance on Complex Systems
- Guidance on the Impact of Technological Changes on System Boundaries
- Guidance on Dynamic Subsystems
- Guidance on External Subsystems
- Guidance on Security Control Allocation
- Guidance on Applying the Risk Management Framework
- Summary of NIST Guidance
- System Authorization Roles and Responsibilities
- Primary Roles and Responsibilities
- Other Roles and Responsibilities
- Additional Roles and Responsibilities from NIST SP 800-37, Revision 1
- Documenting Roles and Responsibilities
- Job Descriptions
- Position Sensitivity Designations
- Personnel Transition
- Time Requirements
- Expertise Requirements
- Using Contractors
- Routine Duties
- Organizational Skills
- Organizational Placement of the System Authorization Function
- The System Authorization Life Cycle
- Why System Authorization Programs Fail
- System Authorization Project Planning
- The System Inventory Process
- Interconnected Systems
- Chapter 2: Information System Categorization
- Introduction
- Defining Sensitivity
- Data Sensitivity and System Sensitivity
- Sensitivity Assessment Process
- Data Classification Approaches
- Responsibility for Data Sensitivity Assessment
- Ranking Data Sensitivity
- National Security Information
- Criticality
- Criticality Assessment
- Criticality in the View of the System Owner
- Ranking Criticality
- Changes in Criticality and Sensitivity
- NIST Guidance on System Categorization
- Chapter 3: Establishment of the Security Control Baseline
- Introduction
- Minimum Security Baselines and Best Practices
- Assessing Risk
- Background
- Risk Assessment in System Authorization
- The Risk Assessment Process
- Step 1: System Characterization
- Step 2: Threat Identification
- Step 3: Vulnerability Identification
- Step 4: Control Analysis
- Step 5: Likelihood Determination
- Step 6: Impact Analysis
- Step 7: Risk Determination
- Step 8: Control Recommendations
- Step 9: Results Documentation
- Conducting the Risk Assessment
- Risk Categorization
- Documenting Risk Assessment Results
- Using the Risk Assessment
- Overview of NIST Special Publication 800-30, Revision 1
- Observations
- System Security Plans
- NIST Guidance on Security Controls Selection
- Chapter 4: Application of Security Controls
- Chapter 5: Assessment of Security Controls
- Chapter 6: Information System Authorization
- Chapter 7: Security Controls Monitoring
- Introduction
- Continuous Monitoring
- NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the Information System
- Task 6-1: Analyze Impact of Information System and Environment Changes
- Task 6-2: Conduct Ongoing Security Control Assessments
- Task 6-3: Perform Ongoing Remediation Actions
- Task 6-4: Perform Key Updates
- Task 6-5: Report Security Status
- Task 6-6: Perform Ongoing Risk Determination and Acceptance
- Task 6-7: Information System Removal and Decommissioning
- Chapter 8: System Authorization Case Study
- Chapter 9: The Future of Information System Authorization
- Appendix A: References
- Appendix B: Glossary
- Appendix C: Sample Statement of Work
- Appendix D: Sample Project Work Plan
- Appendix E: Sample Project Kickoff Presentation Outline
- Title Slide
- Briefing Agenda
- XYZ Company C&A Program Overview
- ABC System C&A Project Objectives
- Deliverable Standards
- ABC System C&A Project Plan
- Project Organization
- Immediate Objective
- Documentation Review
- Interviews
- Vulnerability Scanning
- Other Data Collection Goals
- Project Schedule
- Administrative Requirements
- Next Steps
- Other Comments
- Team Contact Information
- Questions
- Appendix F: Sample Project Wrap-Up Presentation Outline
- Appendix G: Sample System Inventory Policy
- Appendix H: Sample Business Impact Assessment
- Appendix I: Sample Rules of Behavior (General Support System)
- Appendix J: Sample Rules of Behavior (Major Application)
- Appendix K: Sample System Security Plan Outline
- Appendix L: Sample Memorandum of Understanding
- Appendix M: Sample Interconnection Security Agreement
- Appendix N: Sample Risk Assessment Outline
- Appendix O: Sample Security Procedure
- Appendix P: Sample Certification Test Results Matrix
- Appendix Q: Sample Risk Remediation Plan
- Appendix R: Sample Certification Statement
- Appendix S: Sample Accreditation Letter
- Appendix T: Sample Interim Accreditation Letter
- Appendix U: Certification and Accreditation Professional (CAP®) Common Body of Knowledge (CBK®)
- Domain 1: Understanding the Security Authorization of Information Systems
- Domain 2: Categorize Information Systems
- Domain 3: Establish the Security Control Baseline
- Domain 4: Apply Security Controls
- Domain 5: Assess Security Controls
- Domain 6: Authorize Information System
- Domain 7: Monitor Security Controls
- Appendix V: Answers to Review Questions
Product information
- Title: Official (ISC)2® Guide to the CAP® CBK®, 2nd Edition
- Author(s):
- Release date: April 2016
- Publisher(s): Auerbach Publications
- ISBN: 9781439820766