FISMA Certification and Accreditation Handbook

ISBN-10: 1597491160

ISBN-13: 9781597491167

Edition: 2006

Authors: L. Taylor, Laura P. Taylor

List price: $73.95

Description:

The only book that instructs IT managers on adhering to federally mandated certification and accreditation requirements. This book explains what is meant by Certification and Accreditation (C&A) and why the process is mandated by federal law. The different Certification and Accreditation laws are cited and discussed, including the three leading types of C&A: NIST, NIAP, and DITSCAP. Next, the book explains how to prepare for, perform, and document a C&A project. The next section of the book addresses security awareness, end-user rules of behavior, and incident response requirements. Once this phase of the C&A project is complete, the reader will learn to perform the security…

Book details

List price: $73.95
Copyright year: 2006
Publisher: Elsevier Science & Technology Books
Publication date: 12/18/2006
Binding: Paperback
Pages: 504
Size: 7.00" wide x 9.00" long x 1.36" tall
Weight: 1.518
Language: English

Laura Taylor leads the technical development of FedRAMP, the U.S. government's initiative to apply the Federal Information Security Management Act to cloud computing. In 2006, Taylor's FISMA Certification and Accreditation Handbook was the first book published on FISMA. Taylor has contributed to four other books on information security and has authored hundreds of articles and white papers on infosec topics for a variety of web publications and magazines. Specializing in helping federal agencies and private industry comply with computer security laws, Taylor is a thought leader on cyber security compliance. Taylor has led large technology migrations, developed enterprise-wide information…

Foreword
Preface
What Is Certification and Accreditation?
Introduction
Terminology
Audit and Report Cards
A Standardized Process
Templates, Documents, and Paperwork
Certification and Accreditation Laws Summarized
Summary
Notes
Types of Certification and Accreditation
Introduction
The NIACAP Process
The NIST Process
NIACAP and NIST Phases, Differences, and Similarities
NIACAP and NIST Compared
DITSCAP
DCID 6/3
The Common Denominator of All C&A Methodologies
C&A for Private Enterprises
Summary
Notes
Understanding the Certification and Accreditation Process
Introduction
Recognizing the Need for C&A
Roles and Responsibilities
Chief Information Officer
Authorizing Official
Senior Agency Information Security Officer
Senior Agency Privacy Official
Certification Agent/Evaluation Team
Business Owner
System Owner
Information Owner
Information System Security Officer
C&A Preparers
Agency Inspectors
GAO Inspectors
Levels of Audit
Stepping through the Process
The Initiation Phase
The Certification Phase
The Accreditation Phase
The Continuous Monitoring Phase
Summary
Establishing a C&A Program
Introduction
C&A Handbook Development
What to Include in Your Handbook
Who Should Write the Handbook?
Template Development
Provide Package Delivery Instructions
Create an Evaluation Process
Authority and Endorsement
Improve Your C&A Program Each Year
Problems of Not Having a C&A Program
Missing Information
Lack of Organization
Inconsistencies in the Evaluation Process
Unknown Security Architecture and Configuration
Unknown Risks
Laws and Report Cards
Summary
Developing a Certification Package
Introduction
Initiating Your C&A Project
Put Together a Contact List
Hold a Kick-Off Meeting
Obtain Any Existing Agency Guidelines
Analyze Your Research
Preparing the Documents
It's Okay to Be Redundant
Different Agencies Have Different Requirements
Including Multiple Applications and Systems in One Package
Verify Your Information
Retain Your Ethics
Summary
Preparing the Hardware and Software Inventory
Introduction
Determining the Accreditation Boundaries
Collecting the Inventory Information
Structure of Inventory Information
Delivery of Inventory Document
Summary
Determining the Certification Level
Introduction
What Are the C&A Levels?
Importance of Determining the C&A Level
Don't Make This Mistake
Criteria to Use for Determining the Levels
Confidentiality, Integrity, and Availability
Confidentiality
Determining the Confidentiality Level
Integrity
Determining the Integrity Level
Availability
Determining the Availability Level
How to Categorize Multiple Data Sets
Impact Levels and System Criticality
System Attribute Characteristics
Interconnection State (Interfacing Mode)
Access State (Processing Mode)
Accountability State (Attribution Mode)
Mission Criticality
Determining Level of Certification
Template for Levels of Determination
Rationale for the Security Level Recommendation
Process and Rationale for the C&A Level Recommendation
The Explanatory Memo
Template for Explanatory Memo
Summary
Performing and Preparing the Self-Assessment
Introduction
Objectives
Designing the Survey
Levels of Compliance
Management Controls
Operational Controls
Technical Controls
Correlation with Security Policies and Laws
Answering the Questions
Questions for Self-Assessment Survey
Summary
Notes
Addressing Security Awareness and Training Requirements
Introduction
Purpose of Security Awareness and Training
Security Training
Security Awareness
The Awareness and Training Message
Online Training Makes It Easy
Document Your Plan
Security Awareness and Training Checklist
Security Awareness Material Evaluation
Security Awareness Class Evaluation
Summary
Notes
Addressing End-User Rules of Behavior
Introduction
Implementing Rules of Behavior
What Rules to Include
Rules for Applications, Servers, and Databases
Additional Rules for Handhelds
Additional Rules for Laptops and Desktop Systems
Additional Rules for Privileged Users
Consequences of Noncompliance
Rules of Behavior Checklist
Summary
Addressing Incident Response
Introduction
Purpose and Applicability
Policies and Guidelines
Reporting Framework
Roles and Responsibilities
Agency CSIRC
Information System Owner and ISSO
Incident Response Manager
Definitions
Incident
Impact, Notification, and Escalation
Incident Handling
Detecting an Incident
Containment and Eradication
Recovery and Closure
Forensic Investigations
Incident Types
Incident Response Plan Checklist
Security Incident Reporting Form
Summary
Additional Resources
Incident Response Organizations
Additional Resources
Articles and Papers on Incident Response
Notes
Performing the Security Tests and Evaluation
Introduction
Types of Security Tests
Confidentiality Tests
Integrity Tests
Availability Tests
Types of Security Controls
Management Controls
Operational Controls
Technical Controls
Testing Methodology and Tools
Algorithm Testing
Code and Memory Analyzers
Network and Application Scanners
Port Scanners
Port Listeners
Modem Scanners
Wireless Network Scanner
Wireless Intrusion Detection Systems
Wireless Key Recovery
Password Auditing Tools
Database Vulnerability Testing Tools
Test Management Packages
Who Should Perform the Tests?
Documenting the Tests
Analyzing the Tests and Their Results
Summary
Additional Resources
Books Related to Security Testing
Articles and Papers Related to Security Testing
Notes
Conducting a Privacy Impact Assessment
Introduction
Privacy Laws, Regulations, and Rights
OMB Memoranda
Laws and Regulations
PIA Answers Questions
Personally Identifiable Information (PII)
Persistent Tracking Technologies
Determine Privacy Threats and Safeguards
Decommissioning of PII
System of Record Notice (SORN)
Posting the Privacy Policy
PIA Checklist
Summary
Books on Privacy
Notes
Performing the Business Risk Assessment
Introduction
Determine the Mission
Create a Mission Map
Construct Risk Statements
Describe the Sensitivity Model
Impact Scale
Likelihood Scale
Calculating Risk Exposure
Lead the Team to Obtain the Metrics
Analyze the Risks
Make an Informed Decision
Accept the Risk
Transfer the Risk
Mitigate the Risk
Summary
Books and Articles on Risk Assessment
Notes
Preparing the Business Impact Assessment
Introduction
Document Recovery Times
Establish Relative Recovery Priorities
Telecommunications
Infrastructure Systems
Secondary Systems
Define Escalation Thresholds
Record License Keys
BIA Organization
Summary
Additional Resources
Developing the Contingency Plan
Introduction
List Assumptions
Concept of Operations
System Description
Network Diagrams and Maps
Data Sources and Destinations
Roles and Responsibilities
Contingency Planning Coordinator
Damage Assessment Coordinator
Emergency Relocation Site Adviser and Coordinator
Information Systems Operations Coordinator
Logistics Coordinator
Security Coordinator
Telecommunications Coordinator
Levels of Disruption
Procedures
Backup and Restoration Procedures
Procedures to Access Off-site Storage
Operating System Recovery Procedures
Application Recovery Procedures
Connectivity Recovery Procedures
Key Recovery Procedures
Power Recovery Procedures
Recovering and Assisting Personnel
Notification and Activation
Line of Succession
Service Level Agreements
Contact Lists
Testing the Contingency Plan
Appendices
Contingency Plan Checklist
Additional Resources
Performing a System Risk Assessment
Introduction
Risk Assessment Creates Focus
Determine Vulnerabilities
Threats
Threats Initiated by People
Threats Initiated by Computers or Devices
Threats from Natural Disasters
Qualitative Risk Assessment
Quantitative Risk Assessment
Qualitative versus Quantitative Risk Assessment
Present the Risks
Make Decisions
Checklist
Summary
Additional Resources
Notes
Developing a Configuration Management Plan
Introduction
Establish Definitions
Describe Assets Controlled by the Plan
Describe the Configuration Management System
Define Roles and Responsibilities
Establish Baselines
Change Control Process
Change Request Procedures
Emergency Change Request Procedures
Change Request Parameters
Configuration Control Board
Configuration Management Audit
Configuration and Change Management Tools
Configuration Management Plan Checklist
Summary
Additional Resources
Preparing the System Security Plan
Introduction
Laws, Regulations, and Policies
The System Description
System Boundaries
System Mission
Data Flows
Security Requirements and Controls
Management Controls
Risk Mitigation
Reporting and Review by Management
System Lifecycle Requirements
Security Planning
Documentation for Managers
Operational Controls
Personnel Security
Physical and Environmental Controls and Safeguards
Administration and Implementation
Preventative Maintenance
Contingency and Disaster Recovery Planning
Training and Security Awareness
Incident Response Procedures
Preservation of Data Integrity
Network and System Security Operations
Technical Controls
Authentication and Identity Verification
Logical Access Controls
Secure Configurations
Interconnectivity Security
Audit Mechanisms
ISSO Appointment Letter
System Security Plan Checklist
Summary
Additional Resources
Notes
Submitting the C&A Package
Introduction
Structure of Documents
Who Puts the Package Together?
Markings and Format
Signature Pages
A Word About "Not Applicable" Information
Submission and Revision
Defending the Certification Package
Checklist
Summary
Additional Resources
Evaluating the Certification Package for Accreditation
Introduction
The Security Assessment Report
Checklists for Compliance
Compliance Checklist for Management Controls
Compliance Checklist for Operational Controls
Compliance Checklist for Technical Controls
Recommendation to Accredit or Not
Accreditation and Authority to Operate
Interim Authority to Operate
Evaluations by an OIG
Evaluations by the GAO
Checklist
Summary
Addressing C&A Findings
Introduction
POA&Ms
Development and Approval
POA&M Elements
A Word to the Wise
Checklist
Summary
Improving Your Federal Computer Security Report Card Scores
Introduction
Elements of the Report Card
Actions for Improvement
Trends
Summary
Resources
Acronyms
FISMA
OMB Circular A-130: Appendix III
FIPS 199
Index