Official (ISC)2® Guide to the CAP® CBK®, 2nd Edition

Official (ISC)2® Guide to the CAP® CBK®, 2nd Edition

by Patrick D. Howard
Released April 2016
Publisher(s): Auerbach Publications
ISBN: 9781439820766

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Providing an overview of certification and accreditation, the second edition of this officially sanctioned guide demonstrates the effectiveness of C&A as a risk management methodology for IT systems in public and private organizations. It enables readers to document the status of their security controls and learn how to secure IT systems via standard, repeatable processes. The text describes what it takes to build a certification and accreditation program at the organization level and analyzes various C&A processes and how they interrelate. A case study illustrates the successful implementation of certification and accreditation in a major U.S. government department.

Table of contents

  1. Preface
  2. Acknowledgments
  3. About the Author
  4. Chapter 1: Security Authorization of Information Systems
    1. Introduction
      1. Legal and Regulatory Framework for System Authorization
      2. External Program Drivers
      3. System-Level Security
      4. Defining System Authorization
      5. Resistance to System Authorization
      6. Benefits of System Authorization
    2. Key Elements of an Enterprise System Authorization Program
      1. The Business Case
      2. Goal Setting
      3. Tasks and Milestones
      4. Program Oversight
      5. Visibility
      6. Resources
      7. Program Guidance
      8. Special Issues
      9. Program Integration
      10. System Authorization Points of Contact
      11. Measuring Progress
      12. Managing Program Activities
      13. Monitoring Compliance
      14. Providing Advice and Assistance
      15. Responding to Changes
      16. Program Awareness, Training, and Education
      17. Using Expert Systems
      18. Waivers and Exceptions
    3. NIST Special Publication 800-37, Revision 1, and the Application of the Risk Management Framework to Systems
      1. Overview
      2. Authority and Scope
      3. Purpose and Applicability
      4. Target Audience
    4. Fundamentals of Information System Risk Management According to NIST SP 800-37, Revision 1
      1. Guidance on Organization-Wide Risk Management
      2. Organization Level (Tier 1)
      3. Mission/Business Process Level (Tier 2)
      4. Information System Level (Tier 3)
      5. Guidance on Risk Management in the System Development Life Cycle
      6. NIST’s Risk Management Framework
      7. Guidance on System Boundary Definition
      8. Guidance on Software Application Boundaries
      9. Guidance on Complex Systems
      10. Guidance on the Impact of Technological Changes on System Boundaries
      11. Guidance on Dynamic Subsystems
      12. Guidance on External Subsystems
      13. Guidance on Security Control Allocation
      14. Guidance on Applying the Risk Management Framework
      15. Summary of NIST Guidance
    5. System Authorization Roles and Responsibilities
      1. Primary Roles and Responsibilities
      2. Other Roles and Responsibilities
      3. Additional Roles and Responsibilities from NIST SP 800-37, Revision 1
      4. Documenting Roles and Responsibilities
      5. Job Descriptions
      6. Position Sensitivity Designations
      7. Personnel Transition
      8. Time Requirements
      9. Expertise Requirements
      10. Using Contractors
      11. Routine Duties
      12. Organizational Skills
      13. Organizational Placement of the System Authorization Function
    6. The System Authorization Life Cycle
      1. Initiation Phase
      2. Acquisition/Development Phase
      3. Implementation Phase
      4. Operations/Maintenance Phase
      5. Disposition Phase
      6. Challenges to Implementation
    7. Why System Authorization Programs Fail
      1. Program Scope
      2. Assessment Focus
      3. Short-Term Thinking
      4. Long-Term Thinking
      5. Poor Planning
      6. Lack of Responsibility
      7. Excessive Paperwork
      8. Lack of Enforcement
      9. Lack of Foresight
      10. Poor Timing
      11. Lack of Support
    8. System Authorization Project Planning
      1. Planning Factors
      2. Dealing with People
      3. Team Member Selection
      4. Scope Definition
      5. Assumptions
      6. Risks
      7. Project Agreements
      8. Project Team Guidelines
      9. Administrative Requirements
      10. Reporting
      11. Other Tasks
      12. Project Kickoff
      13. Wrap-Up
      14. Observations
    9. The System Inventory Process
      1. Responsibility
      2. System Identification
      3. Small Systems
      4. Complex Systems
      5. Combining Systems
      6. Accreditation Boundaries
      7. The Process
      8. Validation
      9. Inventory Information
      10. Inventory Tools
      11. Using the Inventory
      12. Maintenance
      13. Observations
    10. Interconnected Systems
      1. The Solution
      2. Agreements in the System Authorization Process
      3. Trust Relationships
      4. Initiation
      5. Time Issues
      6. Exceptions
      7. Maintaining Agreements
  5. Chapter 2: Information System Categorization
    1. Introduction
    2. Defining Sensitivity
    3. Data Sensitivity and System Sensitivity
    4. Sensitivity Assessment Process
    5. Data Classification Approaches
    6. Responsibility for Data Sensitivity Assessment
    7. Ranking Data Sensitivity
    8. National Security Information
    9. Criticality
    10. Criticality Assessment
    11. Criticality in the View of the System Owner
    12. Ranking Criticality
    13. Changes in Criticality and Sensitivity
    14. NIST Guidance on System Categorization
      1. Task 1-1: Categorize and Document the Information System
      2. Task 1-2: Describe the Information System
      3. Task 1-3: Register the Information System
  6. Chapter 3: Establishment of the Security Control Baseline
    1. Introduction
    2. Minimum Security Baselines and Best Practices
      1. Security Controls
      2. Levels of Controls
      3. Selecting Baseline Controls
      4. Use of the Minimum Security Baseline Set
      5. Common Controls
      6. Observations
    3. Assessing Risk
      1. Background
      2. Risk Assessment in System Authorization
      3. The Risk Assessment Process
      4. Step 1: System Characterization
      5. Step 2: Threat Identification
      6. Step 3: Vulnerability Identification
      7. Step 4: Control Analysis
      8. Step 5: Likelihood Determination
      9. Step 6: Impact Analysis
      10. Step 7: Risk Determination
      11. Step 8: Control Recommendations
      12. Step 9: Results Documentation
      13. Conducting the Risk Assessment
      14. Risk Categorization
      15. Documenting Risk Assessment Results
      16. Using the Risk Assessment
      17. Overview of NIST Special Publication 800-30, Revision 1
      18. Observations
    4. System Security Plans
      1. Applicability
      2. Responsibility
      3. Plan Contents
      4. What a Security Plan Is Not
      5. Plan Initiation
      6. Information Sources
      7. Security Plan Development Tools
      8. Plan Format
      9. Plan Approval
      10. Plan Maintenance
      11. Plan Security
      12. Plan Metrics
      13. Resistance to Security Planning
      14. Observations
    5. NIST Guidance on Security Controls Selection
      1. Task 2-1: Identify Common Controls
      2. Task 2-2: Select Security Controls
      3. Task 2-3: Develop Monitoring Strategy
      4. Task 2-4: Approve Security Plan
  7. Chapter 4: Application of Security Controls
    1. Introduction
    2. Security Procedures
      1. Purpose
      2. The Problem with Procedures
      3. Responsibility
      4. Procedure Templates
      5. Process for Developing Procedures
      6. Style
      7. Formatting
      8. Access
      9. Maintenance
      10. Common Procedures
      11. Procedures in the System Authorization Process
      12. Observations
    3. Remediation Planning
      1. Managing Risk
      2. Applicability of the Remediation Plan
      3. Responsibility for the Plan
      4. Risk Remediation Plan Scope
      5. Plan Format
      6. Using the Plan
      7. When to Create the Plan
      8. Risk Mitigation Meetings
      9. Observations
    4. NIST Guidance on Implementation of Security Controls
      1. Task 3-1: Implement Security Controls
      2. Task 3-2: Document Security Control Implementation
  8. Chapter 5: Assessment of Security Controls
    1. Introduction
    2. Scope of Testing
    3. Level of Effort
    4. Assessor Independence
    5. Developing the Test Plan
    6. The Role of the Host
    7. Test Execution
    8. Documenting Test Results
    9. NIST Guidance on Assessment of Security Control Effectiveness
      1. Task 4-1: Prepare for Controls Assessment
      2. Task 4-2: Assess Security Controls
      3. Task 4-3: Prepare Security Assessment Report
      4. Task 4-4: Conduct Remediation Actions
  9. Chapter 6: Information System Authorization
    1. Introduction
    2. System Authorization Decision Making
      1. The System Authorization Authority
      2. Authorization Timing
      3. The Authorization Letter
      4. Authorization Decisions
      5. Designation of Approving Authorities
      6. Approving Authority Qualifications
      7. Authorization Decision Process
      8. Actions Following Authorization
      9. Observations
    3. Essential System Authorization Documentation
      1. Authority
      2. System Authorization Package Contents
      3. Excluded Documentation
      4. The Certification Statement
      5. Transmittal Letter
      6. Administration
      7. Observations
    4. NIST Guidance on Authorization of Information Systems
      1. Task 5-1: Prepare Plan of Action and Milestones
      2. Task 5-2: Prepare Security Authorization Package
      3. Task 5-3: Conduct Risk Determination
      4. Task 5-4: Perform Risk Acceptance
  10. Chapter 7: Security Controls Monitoring
    1. Introduction
    2. Continuous Monitoring
      1. Configuration Management/Configuration Control
      2. Security Controls Monitoring
      3. Status Reporting and Documentation
      4. Key Roles in Continuous Monitoring
      5. Reaccreditation Decision
    3. NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the Information System
      1. Task 6-1: Analyze Impact of Information System and Environment Changes
      2. Task 6-2: Conduct Ongoing Security Control Assessments
      3. Task 6-3: Perform Ongoing Remediation Actions
      4. Task 6-4: Perform Key Updates
      5. Task 6-5: Report Security Status
      6. Task 6-6: Perform Ongoing Risk Determination and Acceptance
      7. Task 6-7: Information System Removal and Decommissioning
  11. Chapter 8: System Authorization Case Study
    1. Situation
    2. Action Plan
    3. Lessons Learned
    4. Tools
    5. Document Templates
    6. Coordination
    7. Role of the Inspector General
    8. Compliance Monitoring
    9. Measuring Success
    10. Project Milestones
    11. Interim Accreditation
    12. Management Support and Focus
    13. Results and Future Challenges
  12. Chapter 9: The Future of Information System Authorization
  13. Appendix A: References
  14. Appendix B: Glossary
  15. Appendix C: Sample Statement of Work
    1. Technical Requirements Section
      1. 2.1 Task Description
        1. 2.1.1 Scope of Work
        2. 2.1.2 Statement of Work
      2. 2.2 Deliverables
        1. 2.2.1 Work Plan (Deliverable 1)
        2. 2.2.2 ABC System Risk Assessment Report (Deliverable 2)
        3. 2.2.3 ABC System Security Plan/Test Plan (Deliverable 3)
        4. 2.2.4 ABC System Certification Report (Deliverable 4)
        5. 2.2.5 Exit Briefing Agenda and Presentation (Deliverable 5)
  16. Appendix D: Sample Project Work Plan
  17. Appendix E: Sample Project Kickoff Presentation Outline
    1. Title Slide
    2. Briefing Agenda
    3. XYZ Company C&A Program Overview
    4. ABC System C&A Project Objectives
    5. Deliverable Standards
    6. ABC System C&A Project Plan
    7. Project Organization
    8. Immediate Objective
    9. Documentation Review
    10. Interviews
    11. Vulnerability Scanning
    12. Other Data Collection Goals
    13. Project Schedule
    14. Administrative Requirements
    15. Next Steps
    16. Other Comments
    17. Team Contact Information
    18. Questions
  18. Appendix F: Sample Project Wrap-Up Presentation Outline
    1. Title Slide
    2. Briefing Agenda
    3. ABC System C&A (Certification and Accreditation) Objective
    4. ABC System C&A Project Tasks and Deliverables
    5. Project Findings
    6. Recommendations
    7. Next Steps
    8. Questions
  19. Appendix G: Sample System Inventory Policy
    1. Statement of Policy
    2. Purpose
    3. Definition
    4. Policy
    5. Applicability
    6. Authority and Responsibility
    7. Document History
  20. Appendix H: Sample Business Impact Assessment
  21. Appendix I: Sample Rules of Behavior (General Support System)
    1. XYZ Company Local-Area Network (LAN) Rules of Behavior
  22. Appendix J: Sample Rules of Behavior (Major Application)
    1. ABC Application Rules of Behavior
  23. Appendix K: Sample System Security Plan Outline
    1. Security Plan Outline
  24. Appendix L: Sample Memorandum of Understanding
    1. Memorandum of Understanding
      1. Introduction
      2. Background
        1. Zeus System
        2. Athena System
      3. Communications
      4. Interconnection Security Agreement
      5. Security
      6. Cost Considerations
      7. Timeline
      8. Signatory Authority
  25. Appendix M: Sample Interconnection Security Agreement
    1. Section 1: Statement of Requirements
    2. Section 2: System Security Considerations
      1. General Information/Data Description
      2. Services Offered
      3. Data Sensitivity
      4. User Community
      5. Information Exchange Security
      6. Trusted Behavior Expectations
      7. Formal Security Policy
      8. Incident Reporting
      9. Audit Trail Responsibilities
    3. Section 3: Connectivity Drawing
    4. Section 4: Approval
      1. Signatory Authority
  26. Appendix N: Sample Risk Assessment Outline
    1. Executive Summary
      1. I. Introduction
      2. II. Risk Assessment Approach
      3. III. System Characterization
      4. IV. Threat Statement
      5. V. Risk Assessment Results
      6. VI. Summary
  27. Appendix O: Sample Security Procedure
    1. Responsibility for Implementation and Enforcement
    2. References
    3. Applicability
    4. Reporting Process
    5. Tasks
  28. Appendix P: Sample Certification Test Results Matrix
  29. Appendix Q: Sample Risk Remediation Plan
  30. Appendix R: Sample Certification Statement
    1. ABC System Certification Statement
      1. Background
      2. Summary of Findings
      3. Statement of Compliance
      4. Recommendations
      5. Certification Statement
  31. Appendix S: Sample Accreditation Letter
  32. Appendix T: Sample Interim Accreditation Letter
  33. Appendix U: Certification and Accreditation Professional (CAP®) Common Body of Knowledge (CBK®)
    1. Domain 1: Understanding the Security Authorization of Information Systems
      1. Key Areas of Knowledge
    2. Domain 2: Categorize Information Systems
      1. Key Areas of Knowledge
    3. Domain 3: Establish the Security Control Baseline
      1. Key Areas of Knowledge
    4. Domain 4: Apply Security Controls
      1. Key Areas of Knowledge
    5. Domain 5: Assess Security Controls
      1. Key Areas of Knowledge
    6. Domain 6: Authorize Information System
      1. Key Areas of Knowledge
    7. Domain 7: Monitor Security Controls
      1. Key Areas of Knowledge
  34. Appendix V: Answers to Review Questions
    1. Domain 1
    2. Domain 2
    3. Domain 3
    4. Domain 4
    5. Domain 5
    6. Domain 6
    7. Domain 7

Product information

  • Title: Official (ISC)2® Guide to the CAP® CBK®, 2nd Edition
  • Author(s): Patrick D. Howard
  • Release date: April 2016
  • Publisher(s): Auerbach Publications
  • ISBN: 9781439820766