
Official (ISC)2® Guide to the CAP® CBK®

ISBN-10: 1439820759

ISBN-13: 9781439820759

Edition: 2nd 2013 (Revised)

Authors: Patrick D. Howard

List price: $105.99


This volume demonstrates the effectiveness of certification and accreditation (C&A) as a risk management methodology for IT systems in public and private organizations. It provides an overview of C&A components, showing how to document the status of IT security controls and secure systems via repeatable processes.

Book details

List price: $105.99
Edition: 2nd
Copyright year: 2013
Publisher: Auerbach Publishers, Incorporated
Publication date: 7/18/2012
Binding: Hardcover
Pages: 462
Size: 7.00" wide x 10.00" long x 1.00" tall
Weight: 2.420

Security Authorization of Information Systems
Legal and Regulatory Framework for System Authorization
External Program Drivers
System-Level Security
Defining System Authorization
Resistance to System Authorization
Benefits of System Authorization
Key Elements of an Enterprise System Authorization Program
The Business Case
Goal Setting
Tasks and Milestones
Program Oversight
Program Guidance
Special Issues
Program Integration
System Authorization Points of Contact
Measuring Progress
Managing Program Activities
Monitoring Compliance
Providing Advice and Assistance
Responding to Changes
Program Awareness, Training, and Education
Using Expert Systems
Waivers and Exceptions
NIST Special Publication 800-37, Revision 1, and the Application of the Risk Management Framework to Systems
Authority and Scope
Purpose and Applicability
Target Audience
Fundamentals of Information System Risk Management According to NIST SP 800-37, Revision 1
Guidance on Organization-Wide Risk Management
Organization Level (Tier 1)
Mission/Business Process Level (Tier 2)
Information System Level (Tier 3)
Guidance on Risk Management in the System Development Life Cycle
NIST's Risk Management Framework
Guidance on System Boundary Definition
Guidance on Software Application Boundaries
Guidance on Complex Systems
Guidance on the Impact of Technological Changes on System Boundaries
Guidance on Dynamic Subsystems
Guidance on External Subsystems
Guidance on Security Control Allocation
Guidance on Applying the Risk Management Framework
Summary of NIST Guidance
System Authorization Roles and Responsibilities
Primary Roles and Responsibilities
Other Roles and Responsibilities
Additional Roles and Responsibilities from NIST SP 800-37, Revision 1
Documenting Roles and Responsibilities
Job Descriptions
Position Sensitivity Designations
Personnel Transition
Time Requirements
Expertise Requirements
Using Contractors
Routine Duties
Organizational Skills
Organizational Placement of the System Authorization Function
The System Authorization Life Cycle
Initiation Phase
Acquisition/Development Phase
Implementation Phase
Operations/Maintenance Phase
Disposition Phase
Challenges to Implementation
Why System Authorization Programs Fail
Program Scope
Assessment Focus
Short-Term Thinking
Long-Term Thinking
Poor Planning
Lack of Responsibility
Excessive Paperwork
Lack of Enforcement
Lack of Foresight
Poor Timing
Lack of Support
System Authorization Project Planning
Planning Factors
Dealing with People
Team Member Selection
Scope Definition
Project Agreements
Project Team Guidelines
Administrative Requirements
Other Tasks
Project Kickoff
The System Inventory Process
System Identification
Small Systems
Complex Systems
Combining Systems
Accreditation Boundaries
The Process
Inventory Information
Inventory Tools
Using the Inventory
Interconnected Systems
The Solution
Agreements in the System Authorization Process
Trust Relationships
Time Issues
Maintaining Agreements
Security Authorization of Information Systems: Review Questions
Information System Categorization
Defining Sensitivity
Data Sensitivity and System Sensitivity
Sensitivity Assessment Process
Data Classification Approaches
Responsibility for Data Sensitivity Assessment
Ranking Data Sensitivity
National Security Information
Criticality Assessment
Criticality in the View of the System Owner
Ranking Criticality
Changes in Criticality and Sensitivity
NIST Guidance on System Categorization
Task 1-1: Categorize and Document the Information System
Task 1-2: Describe the Information System
Task 1-3: Register the Information System
Information System Categorization: Review Questions
Establishment of the Security Control Baseline
Minimum Security Baselines and Best Practices
Security Controls
Levels of Controls
Selecting Baseline Controls
Use of the Minimum Security Baseline Set
Common Controls
Assessing Risk
Risk Assessment in System Authorization
The Risk Assessment Process
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Likelihood Determination
Step 6: Impact Analysis
Step 7: Risk Determination
Step 8: Control Recommendations
Step 9: Results Documentation
Conducting the Risk Assessment
Risk Categorization
Documenting Risk Assessment Results
Using the Risk Assessment
Overview of NIST Special Publication 800-30, Revision 1
System Security Plans
Plan Contents
What a Security Plan Is Not
Plan Initiation
Information Sources
Security Plan Development Tools
Plan Format
Plan Approval
Plan Maintenance
Plan Security
Plan Metrics
Resistance to Security Planning
NIST Guidance on Security Controls Selection
Task 2-1: Identify Common Controls
Task 2-2: Select Security Controls
Task 2-3: Develop Monitoring Strategy
Task 2-4: Approve Security Plan
Establishment of the Security Control Baseline: Review Questions
Application of Security Controls
Security Procedures
The Problem with Procedures
Procedure Templates
Process for Developing Procedures
Common Procedures
Procedures in the System Authorization Process
Remediation Planning
Managing Risk
Applicability of the Remediation Plan
Responsibility for the Plan
Risk Remediation Plan Scope
Plan Format
Using the Plan
When to Create the Plan
Risk Mitigation Meetings
NIST Guidance on Implementation of Security Controls
Task 3-1: Implement Security Controls
Task 3-2: Document Security Control Implementation
Application of Security Controls: Review Questions
Assessment of Security Controls
Scope of Testing
Level of Effort
Assessor Independence
Developing the Test Plan
The Role of the Host
Test Execution
Documenting Test Results
NIST Guidance on Assessment of Security Control Effectiveness
Task 4-1: Prepare for Controls Assessment
Task 4-2: Assess Security Controls
Task 4-3: Prepare Security Assessment Report
Task 4-4: Conduct Remediation Actions
Assessment of Security Controls: Review Questions
Information System Authorization
System Authorization Decision Making
The System Authorization Authority
Authorization Timing
The Authorization Letter
Authorization Decisions
Designation of Approving Authorities
Approving Authority Qualifications
Authorization Decision Process
Actions Following Authorization
Essential System Authorization Documentation
System Authorization Package Contents
Excluded Documentation
The Certification Statement
Transmittal Letter
NIST Guidance on Authorization of Information Systems
Task 5-1: Prepare Plan of Action and Milestones
Task 5-2: Prepare Security Authorization Package
Task 5-3: Conduct Risk Determination
Task 5-4: Perform Risk Acceptance
Security Controls Monitoring
Continuous Monitoring
Configuration Management/Configuration Control
Security Controls Monitoring
Status Reporting and Documentation
Key Roles in Continuous Monitoring
Reaccreditation Decision
NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the Information System
Task 6-1: Analyze Impact of Information System and Environment Changes
Task 6-2: Conduct Ongoing Security Control Assessments
Task 6-3: Perform Ongoing Remediation Actions
Task 6-4: Perform Key Updates
Task 6-5: Report Security Status
Task 6-6: Perform Ongoing Risk Determination and Acceptance
Task 6-7: Information System Removal and Decommissioning
Security Controls Monitoring: Review Questions
System Authorization Case Study
Action Plan
Lessons Learned
Document Templates
Role of the Inspector General
Compliance Monitoring
Measuring Success
Project Milestones
Interim Accreditation
Management Support and Focus
Results and Future Challenges
The Future of Information System Authorization
Sample Statement of Work
Sample Project Work Plan
Sample Project Kickoff Presentation Outline
Sample Project Wrap-Up Presentation Outline
Sample System Inventory Policy
Sample Business Impact Assessment
Sample Rules of Behavior (General Support System)
Sample Rules of Behavior (Major Application)
Sample System Security Plan Outline
Sample Memorandum of Understanding
Sample Interconnection Security Agreement
Sample Risk Assessment Outline
Sample Security Procedure
Sample Certification Test Results Matrix
Sample Risk Remediation Plan
Sample Certification Statement
Sample Accreditation Letter
Sample Interim Accreditation Letter
Certification and Accreditation Professional (CAP®) Common Body of Knowledge (CBK®)
Answers to Review Questions