
Official (ISC)2® Guide to the CAP® CBK®


ISBN-10: 1439820759

ISBN-13: 9781439820759

Edition: 2nd 2013 (Revised)

Authors: Patrick D. Howard

List price: $105.99
This item qualifies for FREE shipping.
30 day, 100% satisfaction guarantee!

Rental notice: supplementary materials (access codes, CDs, etc.) are not guaranteed with rental orders.


This volume demonstrates the effectiveness of certification and accreditation (C&A) as a risk management methodology for IT systems in public and private organizations. It provides an overview of C&A components, showing how to document the status of IT security controls and secure systems via repeatable processes.

Book details

List price: $105.99
Edition: 2nd
Copyright year: 2013
Publisher: Auerbach Publishers, Incorporated
Publication date: 7/18/2012
Binding: Hardcover
Pages: 462
Size: 7.00" wide x 10.00" long x 1.00" tall
Weight: 2.332
Language: English

Table of contents

Security Authorization of Information Systems
Introduction
Legal and Regulatory Framework for System Authorization
External Program Drivers
System-Level Security
Defining System Authorization
Resistance to System Authorization
Benefits of System Authorization
Key Elements of an Enterprise System Authorization Program
The Business Case
Goal Setting
Tasks and Milestones
Program Oversight
Visibility
Resources
Program Guidance
Special Issues
Program Integration
System Authorization Points of Contact
Measuring Progress
Managing Program Activities
Monitoring Compliance
Providing Advice and Assistance
Responding to Changes
Program Awareness, Training, and Education
Using Expert Systems
Waivers and Exceptions
NIST Special Publication 800-37, Revision 1, and the Application of the Risk Management Framework to Systems
Overview
Authority and Scope
Purpose and Applicability
Target Audience
Fundamentals of Information System Risk Management According to NIST SP 800-37, Revision 1
Guidance on Organization-Wide Risk Management
Organization Level (Tier 1)
Mission/Business Process Level (Tier 2)
Information System Level (Tier 3)
Guidance on Risk Management in the System Development Life Cycle
NIST's Risk Management Framework
Guidance on System Boundary Definition
Guidance on Software Application Boundaries
Guidance on Complex Systems
Guidance on the Impact of Technological Changes on System Boundaries
Guidance on Dynamic Subsystems
Guidance on External Subsystems
Guidance on Security Control Allocation
Guidance on Applying the Risk Management Framework
Summary of NIST Guidance
System Authorization Roles and Responsibilities
Primary Roles and Responsibilities
Other Roles and Responsibilities
Additional Roles and Responsibilities from NIST SP 800-37, Revision 1
Documenting Roles and Responsibilities
Job Descriptions
Position Sensitivity Designations
Personnel Transition
Time Requirements
Expertise Requirements
Using Contractors
Routine Duties
Organizational Skills
Organizational Placement of the System Authorization Function
The System Authorization Life Cycle
Initiation Phase
Acquisition/Development Phase
Implementation Phase
Operations/Maintenance Phase
Disposition Phase
Challenges to Implementation
Why System Authorization Programs Fail
Program Scope
Assessment Focus
Short-Term Thinking
Long-Term Thinking
Poor Planning
Lack of Responsibility
Excessive Paperwork
Lack of Enforcement
Lack of Foresight
Poor Timing
Lack of Support
System Authorization Project Planning
Planning Factors
Dealing with People
Team Member Selection
Scope Definition
Assumptions
Risks
Project Agreements
Project Team Guidelines
Administrative Requirements
Reporting
Other Tasks
Project Kickoff
Wrap-Up
Observations
The System Inventory Process
Responsibility
System Identification
Small Systems
Complex Systems
Combining Systems
Accreditation Boundaries
The Process
Validation
Inventory Information
Inventory Tools
Using the Inventory
Maintenance
Observations
Interconnected Systems
The Solution
Agreements in the System Authorization Process
Trust Relationships
Initiation
Time Issues
Exceptions
Maintaining Agreements
Security Authorization of Information Systems: Review Questions
Information System Categorization
Introduction
Defining Sensitivity
Data Sensitivity and System Sensitivity
Sensitivity Assessment Process
Data Classification Approaches
Responsibility for Data Sensitivity Assessment
Ranking Data Sensitivity
National Security Information
Criticality
Criticality Assessment
Criticality in the View of the System Owner
Ranking Criticality
Changes in Criticality and Sensitivity
NIST Guidance on System Categorization
Task 1-1: Categorize and Document the Information System
Task 1-2: Describe the Information System
Task 1-3: Register the Information System
Information System Categorization: Review Questions
Establishment of the Security Control Baseline
Introduction
Minimum Security Baselines and Best Practices
Security Controls
Levels of Controls
Selecting Baseline Controls
Use of the Minimum Security Baseline Set
Common Controls
Observations
Assessing Risk
Background
Risk Assessment in System Authorization
The Risk Assessment Process
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Likelihood Determination
Step 6: Impact Analysis
Step 7: Risk Determination
Step 8: Control Recommendations
Step 9: Results Documentation
Conducting the Risk Assessment
Risk Categorization
Documenting Risk Assessment Results
Using the Risk Assessment
Overview of NIST Special Publication 800-30, Revision 1
Observations
System Security Plans
Applicability
Responsibility
Plan Contents
What a Security Plan Is Not
Plan Initiation
Information Sources
Security Plan Development Tools
Plan Format
Plan Approval
Plan Maintenance
Plan Security
Plan Metrics
Resistance to Security Planning
Observations
NIST Guidance on Security Controls Selection
Task 2-1: Identify Common Controls
Task 2-2: Select Security Controls
Task 2-3: Develop Monitoring Strategy
Task 2-4: Approve Security Plan
Establishment of the Security Control Baseline: Review Questions
Application of Security Controls
Introduction
Security Procedures
Purpose
The Problem with Procedures
Responsibility
Procedure Templates
Process for Developing Procedures
Style
Formatting
Access
Maintenance
Common Procedures
Procedures in the System Authorization Process
Observations
Remediation Planning
Managing Risk
Applicability of the Remediation Plan
Responsibility for the Plan
Risk Remediation Plan Scope
Plan Format
Using the Plan
When to Create the Plan
Risk Mitigation Meetings
Observations
NIST Guidance on Implementation of Security Controls
Task 3-1: Implement Security Controls
Task 3-2: Document Security Control Implementation
Application of Security Controls: Review Questions
Assessment of Security Controls
Introduction
Scope of Testing
Level of Effort
Assessor Independence
Developing the Test Plan
The Role of the Host
Test Execution
Documenting Test Results
NIST Guidance on Assessment of Security Control Effectiveness
Task 4-1: Prepare for Controls Assessment
Task 4-2: Assess Security Controls
Task 4-3: Prepare Security Assessment Report
Task 4-4: Conduct Remediation Actions
Assessment of Security Controls: Review Questions
Information System Authorization
Introduction
System Authorization Decision Making
The System Authorization Authority
Authorization Timing
The Authorization Letter
Authorization Decisions
Designation of Approving Authorities
Approving Authority Qualifications
Authorization Decision Process
Actions Following Authorization
Observations
Essential System Authorization Documentation
Authority
System Authorization Package Contents
Excluded Documentation
The Certification Statement
Transmittal Letter
Administration
Observations
NIST Guidance on Authorization of Information Systems
Task 5-1: Prepare Plan of Action and Milestones
Task 5-2: Prepare Security Authorization Package
Task 5-3: Conduct Risk Determination
Task 5-4: Perform Risk Acceptance
Security Controls Monitoring
Introduction
Continuous Monitoring
Configuration Management/Configuration Control
Security Controls Monitoring
Status Reporting and Documentation
Key Roles in Continuous Monitoring
Reaccreditation Decision
NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the Information System
Task 6-1: Analyze Impact of Information System and Environment Changes
Task 6-2: Conduct Ongoing Security Control Assessments
Task 6-3: Perform Ongoing Remediation Actions
Task 6-4: Perform Key Updates
Task 6-5: Report Security Status
Task 6-6: Perform Ongoing Risk Determination and Acceptance
Task 6-7: Information System Removal and Decommissioning
Security Controls Monitoring: Review Questions
System Authorization Case Study
Situation
Action Plan
Lessons Learned
Tools
Document Templates
Coordination
Role of the Inspector General
Compliance Monitoring
Measuring Success
Project Milestones
Interim Accreditation
Management Support and Focus
Results and Future Challenges
The Future of Information System Authorization
References
Glossary
Sample Statement of Work
Sample Project Work Plan
Sample Project Kickoff Presentation Outline
Sample Project Wrap-Up Presentation Outline
Sample System Inventory Policy
Sample Business Impact Assessment
Sample Rules of Behavior (General Support System)
Sample Rules of Behavior (Major Application)
Sample System Security Plan Outline
Sample Memorandum of Understanding
Sample Interconnection Security Agreement
Sample Risk Assessment Outline
Sample Security Procedure
Sample Certification Test Results Matrix
Sample Risk Remediation Plan
Sample Certification Statement
Sample Accreditation Letter
Sample Interim Accreditation Letter
Certification and Accreditation Professional (CAP®) Common Body of Knowledge (CBK®)
Answers to Review Questions