
Official (ISC)² guide to the CAP CBK PDF

452 Pages·2012·3.589 MB·English

Preview Official (ISC)² guide to the CAP CBK

Information Technology / Security & Auditing / Certification

OFFICIAL (ISC)2® GUIDE TO THE CAP® CBK®, Second Edition

Significant developments since the publication of its bestselling predecessor, Building and Implementing a Security Certification and Accreditation Program, warrant an updated text as well as an updated title. Reflecting recent updates to the Certified Authorization Professional (CAP®) Common Body of Knowledge (CBK®) and NIST SP 800-37, the Official (ISC)2® Guide to the CAP® CBK®, Second Edition provides readers with the tools to effectively secure their IT systems via standard, repeatable processes.

Derived from the author's decades of experience, including time as the CISO for the Nuclear Regulatory Commission, the Department of Housing and Urban Development, and the National Science Foundation's Antarctic Support Contract, the book describes what it takes to build a system security authorization program at the organizational level in both public and private organizations. It analyzes the full range of system security authorization (formerly C&A) processes and explains how they interrelate. Outlining a user-friendly approach for top-down implementation of IT security, the book:

• Details an approach that simplifies the authorization process, yet still satisfies current federal government criteria
• Explains how to combine disparate processes into a unified risk management methodology
• Covers all the topics included in the Certified Authorization Professional (CAP®) Common Body of Knowledge (CBK®)
• Examines U.S. federal policies, including DITSCAP, NIACAP, CNSS, NIAP, DoD 8500.1 and 8500.2, and NIST FIPS
• Reviews the tasks involved in certifying and accrediting U.S. government information systems

Chapters 1 through 7 describe each of the domains of the (ISC)2® CAP® CBK®. This is followed by a case study on the establishment of a successful system authorization program in a major U.S. government department. The final chapter considers the future of system authorization. The book's appendices include a collection of helpful samples and additional information to provide you with the tools to effectively secure your IT systems.

The most complete compendium of industry knowledge compiled by the foremost experts in global security. A must-have for those seeking to attain the Certified Authorization Professional (CAP)® credential.

Patrick D. Howard, CISSP, CISM
K11099
ISBN: 978-1-4398-2075-9

OFFICIAL (ISC)2® GUIDE TO THE CAP® CBK®, Second Edition

OTHER BOOKS IN THE (ISC)2® PRESS SERIES

Official (ISC)2® Guide to the CAP® CBK®, Second Edition
Patrick D. Howard
ISBN: 978-1-4398-2075-9

Official (ISC)2® Guide to the SSCP® CBK®, Second Edition
Harold F. Tipton, Editor
ISBN: 978-1-4398-0483-4

Official (ISC)2® Guide to the ISSAP® CBK®
Harold F. Tipton, Editor
ISBN: 978-1-4398-0093-5

Official (ISC)2® Guide to the ISSMP® CBK®
Harold F. Tipton, Editor
ISBN: 978-1-4200-9443-5

Official (ISC)2® Guide to the CISSP® CBK®, Second Edition
Harold F. Tipton, Editor
ISBN: 978-1-4398-0959-3

CISO Leadership: Essential Principles for Success
Todd Fitzgerald and Micki Krause, Editors
ISBN: 978-0-8493-7943-X

Patrick D. Howard, CISSP, CISM

CRC Press, Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2013 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Version Date: 20120326
International Standard Book Number-13: 978-1-4398-2076-6 (eBook - PDF)

This book contains information obtained from authentic and highly regarded sources.
Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

Preface .... xxv
Acknowledgments .... xxix
About the Author .... xxxi

Chapter 1  Security Authorization of Information Systems .... 1
  Introduction .... 2
    Legal and Regulatory Framework for System Authorization .... 4
    External Program Drivers .... 5
    System-Level Security .... 5
    Defining System Authorization .... 6
    Resistance to System Authorization .... 6
    Benefits of System Authorization .... 7
  Key Elements of an Enterprise System Authorization Program .... 8
    The Business Case .... 8
    Goal Setting .... 9
    Tasks and Milestones .... 11
    Program Oversight .... 11
    Visibility .... 12
    Resources .... 13
    Program Guidance .... 14
    Special Issues .... 17
    Program Integration .... 19
    System Authorization Points of Contact .... 19
    Measuring Progress .... 19
    Managing Program Activities .... 21
    Monitoring Compliance .... 22
    Providing Advice and Assistance .... 23
    Responding to Changes .... 25
    Program Awareness, Training, and Education .... 25
    Using Expert Systems .... 26
    Waivers and Exceptions .... 27
  NIST Special Publication 800-37, Revision 1, and the Application of the Risk Management Framework to Systems .... 28
    Overview .... 30
    Authority and Scope .... 30
    Purpose and Applicability .... 31
    Target Audience .... 31
  Fundamentals of Information System Risk Management According to NIST SP 800-37, Revision 1 .... 32
    Guidance on Organization-Wide Risk Management .... 33
    Organization Level (Tier 1) .... 33
    Mission/Business Process Level (Tier 2) .... 35
    Information System Level (Tier 3) .... 36
    Guidance on Risk Management in the System Development Life Cycle .... 36
    NIST's Risk Management Framework .... 37
    Guidance on System Boundary Definition .... 39
    Guidance on Software Application Boundaries .... 40
    Guidance on Complex Systems .... 40
    Guidance on the Impact of Technological Changes on System Boundaries .... 42
    Guidance on Dynamic Subsystems .... 42
    Guidance on External Subsystems .... 43
    Guidance on Security Control Allocation .... 44
    Guidance on Applying the Risk Management Framework .... 45
    Summary of NIST Guidance .... 48
  System Authorization Roles and Responsibilities .... 49
    Primary Roles and Responsibilities .... 49
    Other Roles and Responsibilities .... 51
    Additional Roles and Responsibilities from NIST SP 800-37, Revision 1 .... 54
    Documenting Roles and Responsibilities .... 55
    Job Descriptions .... 55
    Position Sensitivity Designations .... 56
    Personnel Transition .... 56
    Time Requirements .... 57
    Expertise Requirements .... 58
    Using Contractors .... 59
    Routine Duties .... 60
    Organizational Skills .... 61
    Organizational Placement of the System Authorization Function .... 61
  The System Authorization Life Cycle .... 62
    Initiation Phase .... 66
    Acquisition/Development Phase .... 68
    Implementation Phase .... 68
    Operations/Maintenance Phase .... 69
    Disposition Phase .... 70
    Challenges to Implementation .... 71
  Why System Authorization Programs Fail .... 73
    Program Scope .... 74
    Assessment Focus .... 74
    Short-Term Thinking .... 74
    Long-Term Thinking .... 75
    Poor Planning .... 75
    Lack of Responsibility .... 76
    Excessive Paperwork .... 76
    Lack of Enforcement .... 76
    Lack of Foresight .... 77
    Poor Timing .... 77
    Lack of Support .... 77
  System Authorization Project Planning .... 79
    Planning Factors .... 79
    Dealing with People .... 80
    Team Member Selection .... 80
    Scope Definition .... 81
    Assumptions .... 83
    Risks .... 83
    Project Agreements .... 83
    Project Team Guidelines .... 83
    Administrative Requirements .... 85
    Reporting .... 85
    Other Tasks .... 89
    Project Kickoff .... 89
    Wrap-Up .... 90
    Observations .... 90
  The System Inventory Process .... 90
    Responsibility .... 92
    System Identification .... 93
    Small Systems .... 94
    Complex Systems .... 94
    Combining Systems .... 95
    Accreditation Boundaries .... 95
    The Process .... 97
    Validation .... 97
    Inventory Information .... 98
    Inventory Tools .... 98
    Using the Inventory .... 99
    Maintenance .... 101
    Observations .... 104
