Foreword
Preface

What Is Certification and Accreditation?
Introduction
Terminology
Audit and Report Cards
A Standardized Process
Templates, Documents, and Paperwork
Certification and Accreditation Laws Summarized
Summary
Notes

Types of Certification and Accreditation
Introduction
The NIACAP Process
The NIST Process
NIACAP and NIST Phases, Differences, and Similarities
NIACAP and NIST Compared
DITSCAP
DCID 6/3
The Common Denominator of All C&A Methodologies
C&A for Private Enterprises
Summary
Notes

Understanding the Certification and Accreditation Process
Introduction
Recognizing the Need for C&A
Roles and Responsibilities
Chief Information Officer
Authorizing Official
Senior Agency Information Security Officer
Senior Agency Privacy Official
Certification Agent/Evaluation Team
Business Owner
System Owner
Information Owner
Information System Security Officer
C&A Preparers
Agency Inspectors
GAO Inspectors
Levels of Audit
Stepping through the Process
The Initiation Phase
The Certification Phase
The Accreditation Phase
The Continuous Monitoring Phase
Summary

Establishing a C&A Program
Introduction
C&A Handbook Development
What to Include in Your Handbook
Who Should Write the Handbook?
Template Development
Provide Package Delivery Instructions
Create an Evaluation Process
Authority and Endorsement
Improve Your C&A Program Each Year
Problems of Not Having a C&A Program
Missing Information
Lack of Organization
Inconsistencies in the Evaluation Process
Unknown Security Architecture and Configuration
Unknown Risks
Laws and Report Cards
Summary

Developing a Certification Package
Introduction
Initiating Your C&A Project
Put Together a Contact List
Hold a Kick-Off Meeting
Obtain Any Existing Agency Guidelines
Analyze Your Research
Preparing the Documents
It's Okay to Be Redundant
Different Agencies Have Different Requirements
Including Multiple Applications and Systems in One Package
Verify Your Information
Retain Your Ethics
Summary

Preparing the Hardware and Software Inventory
Introduction
Determining the Accreditation Boundaries
Collecting the Inventory Information
Structure of Inventory Information
Delivery of Inventory Document
Summary

Determining the Certification Level
Introduction
What Are the C&A Levels?
Importance of Determining the C&A Level
Don't Make This Mistake
Criteria to Use for Determining the Levels
Confidentiality, Integrity, and Availability
Confidentiality
Determining the Confidentiality Level
Integrity
Determining the Integrity Level
Availability
Determining the Availability Level
How to Categorize Multiple Data Sets
Impact Levels and System Criticality
System Attribute Characteristics
Interconnection State (Interfacing Mode)
Access State (Processing Mode)
Accountability State (Attribution Mode)
Mission Criticality
Determining Level of Certification
Template for Levels of Determination
Rationale for the Security Level Recommendation
Process and Rationale for the C&A Level Recommendation
The Explanatory Memo
Template for Explanatory Memo
Summary

Performing and Preparing the Self-Assessment
Introduction
Objectives
Designing the Survey
Levels of Compliance
Management Controls
Operational Controls
Technical Controls
Correlation with Security Policies and Laws
Answering the Questions
Questions for Self-Assessment Survey
Summary
Notes

Addressing Security Awareness and Training Requirements
Introduction
Purpose of Security Awareness and Training
Security Training
Security Awareness
The Awareness and Training Message
Online Training Makes It Easy
Document Your Plan
Security Awareness and Training Checklist
Security Awareness Material Evaluation
Security Awareness Class Evaluation
Summary
Notes

Addressing End-User Rules of Behavior
Introduction
Implementing Rules of Behavior
What Rules to Include
Rules for Applications, Servers, and Databases
Additional Rules for Handhelds
Additional Rules for Laptops and Desktop Systems
Additional Rules for Privileged Users
Consequences of Noncompliance
Rules of Behavior Checklist
Summary

Addressing Incident Response
Introduction
Purpose and Applicability
Policies and Guidelines
Reporting Framework
Roles and Responsibilities
Agency CSIRC
Information System Owner and ISSO
Incident Response Manager
Definitions
Incident
Impact, Notification, and Escalation
Incident Handling
Detecting an Incident
Containment and Eradication
Recovery and Closure
Forensic Investigations
Incident Types
Incident Response Plan Checklist
Security Incident Reporting Form
Summary
Additional Resources
Incident Response Organizations
Additional Resources
Articles and Papers on Incident Response
Notes

Performing the Security Tests and Evaluation
Introduction
Types of Security Tests
Confidentiality Tests
Integrity Tests
Availability Tests
Types of Security Controls
Management Controls
Operational Controls
Technical Controls
Testing Methodology and Tools
Algorithm Testing
Code and Memory Analyzers
Network and Application Scanners
Port Scanners
Port Listeners
Modem Scanners
Wireless Network Scanner
Wireless Intrusion Detection Systems
Wireless Key Recovery
Password Auditing Tools
Database Vulnerability Testing Tools
Test Management Packages
Who Should Perform the Tests?
Documenting the Tests
Analyzing the Tests and Their Results
Summary
Additional Resources
Books Related to Security Testing
Articles and Papers Related to Security Testing
Notes

Conducting a Privacy Impact Assessment
Introduction
Privacy Laws, Regulations, and Rights
OMB Memoranda
Laws and Regulations
PIA Answers Questions
Personally Identifiable Information (PII)
Persistent Tracking Technologies
Determine Privacy Threats and Safeguards
Decommissioning of PII
System of Record Notice (SORN)
Posting the Privacy Policy
PIA Checklist
Summary
Books on Privacy
Notes

Performing the Business Risk Assessment
Introduction
Determine the Mission
Create a Mission Map
Construct Risk Statements
Describe the Sensitivity Model
Impact Scale
Likelihood Scale
Calculating Risk Exposure
Lead the Team to Obtain the Metrics
Analyze the Risks
Make an Informed Decision
Accept the Risk
Transfer the Risk
Mitigate the Risk
Summary
Books and Articles on Risk Assessment
Notes

Preparing the Business Impact Assessment
Introduction
Document Recovery Times
Establish Relative Recovery Priorities
Telecommunications
Infrastructure Systems
Secondary Systems
Define Escalation Thresholds
Record License Keys
BIA Organization
Summary
Additional Resources

Developing the Contingency Plan
Introduction
List Assumptions
Concept of Operations
System Description
Network Diagrams and Maps
Data Sources and Destinations
Roles and Responsibilities
Contingency Planning Coordinator
Damage Assessment Coordinator
Emergency Relocation Site Adviser and Coordinator
Information Systems Operations Coordinator
Logistics Coordinator
Security Coordinator
Telecommunications Coordinator
Levels of Disruption
Procedures
Backup and Restoration Procedures
Procedures to Access Off-site Storage
Operating System Recovery Procedures
Application Recovery Procedures
Connectivity Recovery Procedures
Key Recovery Procedures
Power Recovery Procedures
Recovering and Assisting Personnel
Notification and Activation
Line of Succession
Service Level Agreements
Contact Lists
Testing the Contingency Plan
Appendices
Contingency Plan Checklist
Additional Resources

Performing a System Risk Assessment
Introduction
Risk Assessment Creates Focus
Determine Vulnerabilities
Threats
Threats Initiated by People
Threats Initiated by Computers or Devices
Threats from Natural Disasters
Qualitative Risk Assessment
Quantitative Risk Assessment
Qualitative versus Quantitative Risk Assessment
Present the Risks
Make Decisions
Checklist
Summary
Additional Resources
Notes

Developing a Configuration Management Plan
Introduction
Establish Definitions
Describe Assets Controlled by the Plan
Describe the Configuration Management System
Define Roles and Responsibilities
Establish Baselines
Change Control Process
Change Request Procedures
Emergency Change Request Procedures
Change Request Parameters
Configuration Control Board
Configuration Management Audit
Configuration and Change Management Tools
Configuration Management Plan Checklist
Summary
Additional Resources

Preparing the System Security Plan
Introduction
Laws, Regulations, and Policies
The System Description
System Boundaries
System Mission
Data Flows
Security Requirements and Controls
Management Controls
Risk Mitigation
Reporting and Review by Management
System Lifecycle Requirements
Security Planning
Documentation for Managers
Operational Controls
Personnel Security
Physical and Environmental Controls and Safeguards
Administration and Implementation
Preventative Maintenance
Contingency and Disaster Recovery Planning
Training and Security Awareness
Incident Response Procedures
Preservation of Data Integrity
Network and System Security Operations
Technical Controls
Authentication and Identity Verification
Logical Access Controls
Secure Configurations
Interconnectivity Security
Audit Mechanisms
ISSO Appointment Letter
System Security Plan Checklist
Summary
Additional Resources
Notes

Submitting the C&A Package
Introduction
Structure of Documents
Who Puts the Package Together?
Markings and Format
Signature Pages
A Word About "Not Applicable" Information
Submission and Revision
Defending the Certification Package
Checklist
Summary
Additional Resources

Evaluating the Certification Package for Accreditation
Introduction
The Security Assessment Report
Checklists for Compliance
Compliance Checklist for Management Controls
Compliance Checklist for Operational Controls
Compliance Checklist for Technical Controls
Recommendation to Accredit or Not
Accreditation and Authority to Operate
Interim Authority to Operate
Evaluations by an OIG
Evaluations by the GAO
Checklist
Summary

Addressing C&A Findings
Introduction
POA&Ms
Development and Approval
POA&M Elements
A Word to the Wise
Checklist
Summary

Improving Your Federal Computer Security Report Card Scores
Introduction
Elements of the Report Card
Actions for Improvement
Trends
Summary

Resources
Acronyms

FISMA

OMB Circular A-130: Appendix III

FIPS 199

Index