book

Risk Management Framework

Name: Risk Management Framework
Author: James Broad
ISBN: 9780124047235

by James Broad

July 2013

Intermediate to advanced

316 pages

8h 29m

English

Syngress

Read now

Unlock full access

Cover image
Title page
Table of Contents
Copyright page
Dedication
Acknowledgments
About the Author
Technical Editor
Companion Website
Chapter 1: Introduction
Book Overview and Key Learning PointsBook AudienceThe Risk Management Framework (RMF)Why This Book Is DifferentA Note about National Security SystemsBook Organization

Part 1
Introduction
Chapter 2: Laws, Regulations, and Guidance
AbstractChapter Overview and Key Learning PointsThe Case for Legal and Regulatory RequirementsLegal and Regulatory OrganizationsLaws, Policies, and RegulationsNational Institute of Standards and Technology (NIST) Publications
Chapter 3: Integrated Organization-Wide Risk Management
AbstractChapter Overview and Key Learning PointsRisk ManagementRisk Management and the RMFComponents of Risk ManagementMulti-tiered Risk ManagementRisk Executive (Function)
Chapter 4: The Joint Task Force Transformation Initiative
AbstractChapter Overview and Key Learning PointsBefore the Joint Task Force Transformation InitiativeThe Joint Task Force Transformation Initiative
Chapter 5: System Development Life Cycle (SDLC)
AbstractSystem Development Life Cycle (SDLC)Traditional Systems Development Life Cycle (SDLC)Traditional SDLC ConsiderationsAgile System Development
Chapter 6: Transitioning from the C&A Process to RMF
AbstractChapter Overview and Key Learning PointsC&A to RMFThe Certification and Accreditation (C&A) ProcessIntroducing the RMF (A High-Level View)Transition
Chapter 7: Key Positions and Roles
AbstractChapter Overview and Key Learning PointsKey Roles to Implement the RMF
Part 2
Introduction
Chapter 8: Lab Organization
AbstractChapter Overview and Key Learning PointsThe Department of Social Media (DSM)Organizational StructureRisk Executive (Function)
Chapter 9: RMF Phase 1: Categorize the Information System
AbstractChapter Overview and Key Learning PointsPhase 1, Task 1: Security CategorizationPhase 1, Task 2: Information Systems DescriptionCommon Control ProvidersPhase 1, Task 3: Information System RegistrationChapter 9 Lab Exercises: Information System Categorization
Chapter 10: RMF Phase 2: Selecting Security Controls
AbstractChapter Overview and Key Learning PointsSelecting Security ControlsChapter 10 Lab Exercises: Selecting Security Controls
Chapter 11: RMF Phase 3: Implementing Security Controls
AbstractChapter Overview and Key Learning PointsPhase 3, Task 1: Security Control ImplementationPhase 3, Task 2: Security Control DocumentationChapter 11 Lab Exercises: Selecting Security Controls
Chapter 12: RMF Phase 4: Assess Security Controls
AbstractChapter Overview and Key Learning PointsAssessing Security ControlsChapter 12 Lab Exercises: Assessing Security Controls
Chapter 13: RMF Phase 5: Authorizing the Information System
AbstractChapter Overview and Key Learning PointsPhase 5, Task 1: Developing the Plan of Action and Milestones (POA&M)Phase 5, Task 2: Assembly of the Authorization PackagePhase 5, Task 3: Determining RiskPhase 5, Task 4: Accepting RiskChapter 13 Lab Exercises: Authorizing the Information System
Chapter 14: RMF Phase 6: Monitoring Security Controls
AbstractChapter Overview and Key Learning PointsPhase 6, Task 1: Monitoring Information System and Environment ChangesPhase 6, Task 2: Ongoing Security Control AssessmentPhase 6, Task 3: Ongoing Remediation ActionsPhase 6, Task 4: Updating the Security DocumentationPhase 6, Task 5: Security Status ReportingPhase 6, Task 6: Ongoing Risk Determination and AcceptancePhase 6, Task 7: System Removal and DecommissioningChapter 14 Lab Exercises: Monitoring Security Controls
Chapter 15: The Expansion of the RMF
AbstractChapter Overview and Key Learning PointsThe Transition to the RMFFuture Updates to the RMF ProcessUsing the RMF with Other Control Sets and RequirementsConclusion
Appendix A: Answers to Exercises in Chapters 9 through 14
Chapter 9Chapter 10Chapter 11Chapter 12Chapter 13Chapter 14
Appendix B: Control Families and Classes
Appendix C: Security Control Assessment Requirements
NIST SP 800-53A Assessment MethodsSecurity Control Baseline CategorizationCNSSI 1253 Baseline CategorizationNew Controls Planned in Revision 4FedRAMP ControlsSP 800-53 Security Controls to HIPAA Security RulePCI DSS Standards
Appendix D: Assessment Method Definitions, Applicable Objects, and Attributes
Glossary
Common Acronyms in this Book
References
Index

Content preview from Risk Management Framework

Chapter 12

RMF Phase 4

Assess Security Controls

Abstract

This chapter introduces the fourth phase of the RMF, which is when the implemented security controls are assessed. Phase 4 includes developing an assessment strategy, assessing the controls, and producing the security assessment report (SAR).

Keywords

security control assessment

security control assessor

SCA

security assessment report

SAR

test plan

assessment test case

Table of Contents

Chapter Overview and Key Learning Points

Assessing Security Controls

Phase 4, Task 1: Security Control Assessment Plan

Phase 4, Task 2: Security Control Assessment

Phase 4, Task 3: Security Assessment Report

Phase 4, Task 4: Remediation Actions

Chapter 12 Lab Exercises: Assessing Security Controls

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781597499958

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design