Official (ISC)2® Guide to the CAP® CBK®, Second Edition, 2nd Edition

Book Description

Significant developments since the publication of its bestselling predecessor, Building and Implementing a Security Certification and Accreditation Program, warrant an updated text as well as an updated title. Reflecting recent updates to the Certified Authorization Professional (CAP®) Common Body of Knowledge (CBK®) and NIST SP 800-37, the Official (ISC)2® Guide to the CAP® CBK®, Second Edition provides readers with the tools to effectively secure their IT systems via standard, repeatable processes.

Derived from the author’s decades of experience, including time as the CISO for the Nuclear Regulatory Commission, the Department of Housing and Urban Development, and the National Science Foundation’s Antarctic Support Contract, the book describes what it takes to build a system security authorization program at the organizational level in both public and private organizations. It analyzes the full range of system security authorization (formerly C&A) processes and explains how they interrelate. Outlining a user-friendly approach for top-down implementation of IT security, the book:

  • Details an approach that simplifies the authorization process, yet still satisfies current federal government criteria
  • Explains how to combine disparate processes into a unified risk management methodology
  • Covers all the topics included in the Certified Authorization Professional (CAP®) Common Body of Knowledge (CBK®)
  • Examines U.S. federal policies, including DITSCAP, NIACAP, CNSS, NIAP, DoD 8500.1 and 8500.2, and NIST FIPS
  • Reviews the tasks involved in certifying and accrediting U.S. government information systems

Chapters 1 through 7 describe each of the domains of the (ISC)2® CAP® CBK®. This is followed by a case study on the establishment of a successful system authorization program in a major U.S. government department. The final chapter considers the future of system authorization. The book’s appendices include a collection of helpful samples and additional information to provide you with the tools to effectively secure your IT systems.

Table of Contents

    1. Introduction
      1. Legal and Regulatory Framework for System Authorization
      2. External Program Drivers
      3. System-Level Security
      4. Defining System Authorization
      5. Resistance to System Authorization
      6. Benefits of System Authorization
    2. Key Elements of an Enterprise System Authorization Program
      1. The Business Case
      2. Goal Setting
      3. Tasks and Milestones
      4. Program Oversight
      5. Visibility
      6. Resources
      7. Program Guidance
      8. Special Issues
      9. Program Integration
      10. System Authorization Points of Contact
      11. Measuring Progress
      12. Managing Program Activities
      13. Monitoring Compliance
      14. Providing Advice and Assistance
      15. Responding to Changes
      16. Program Awareness, Training, and Education
      17. Using Expert Systems
      18. Waivers and Exceptions
    3. NIST Special Publication 800-37, Revision 1, and the Application of the Risk Management Framework to Systems
      1. Overview
      2. Authority and Scope
      3. Purpose and Applicability
      4. Target Audience
    4. Fundamentals of Information System Risk Management According to NIST SP 800-37, Revision 1
      1. Guidance on Organization-Wide Risk Management
      2. Organization Level (Tier 1)
      3. Mission/Business Process Level (Tier 2)
      4. Information System Level (Tier 3)
      5. Guidance on Risk Management in the System Development Life Cycle
      6. NIST’s Risk Management Framework
      7. Guidance on System Boundary Definition
      8. Guidance on Software Application Boundaries
      9. Guidance on Complex Systems
      10. Guidance on the Impact of Technological Changes on System Boundaries
      11. Guidance on Dynamic Subsystems
      12. Guidance on External Subsystems
      13. Guidance on Security Control Allocation
      14. Guidance on Applying the Risk Management Framework
      15. Summary of NIST Guidance
    5. System Authorization Roles and Responsibilities
      1. Primary Roles and Responsibilities
      2. Other Roles and Responsibilities
      3. Additional Roles and Responsibilities from NIST SP 800-37, Revision 1
      4. Documenting Roles and Responsibilities
      5. Job Descriptions
      6. Position Sensitivity Designations
      7. Personnel Transition
      8. Time Requirements
      9. Expertise Requirements
      10. Using Contractors
      11. Routine Duties
      12. Organizational Skills
      13. Organizational Placement of the System Authorization Function
    6. The System Authorization Life Cycle
      1. Initiation Phase
      2. Acquisition/Development Phase
      3. Implementation Phase
      4. Operations/Maintenance Phase
      5. Disposition Phase
      6. Challenges to Implementation
    7. Why System Authorization Programs Fail
      1. Program Scope
      2. Assessment Focus
      3. Short-Term Thinking
      4. Long-Term Thinking
      5. Poor Planning
      6. Lack of Responsibility
      7. Excessive Paperwork
      8. Lack of Enforcement
      9. Lack of Foresight
      10. Poor Timing
      11. Lack of Support
    8. System Authorization Project Planning
      1. Planning Factors
      2. Dealing with People
      3. Team Member Selection
      4. Scope Definition
      5. Assumptions
      6. Risks
      7. Project Agreements
      8. Project Team Guidelines
      9. Administrative Requirements
      10. Reporting
      11. Other Tasks
      12. Project Kickoff
      13. Wrap-Up
      14. Observations
    9. The System Inventory Process
      1. Responsibility
      2. System Identification
      3. Small Systems
      4. Complex Systems
      5. Combining Systems
      6. Accreditation Boundaries
      7. The Process
      8. Validation
      9. Inventory Information
      10. Inventory Tools
      11. Using the Inventory
      12. Maintenance
      13. Observations
    10. Interconnected Systems
      1. The Solution
      2. Agreements in the System Authorization Process
      3. Trust Relationships
      4. Initiation
      5. Time Issues
      6. Exceptions
      7. Maintaining Agreements
      8. Security Authorization of Information Systems: Review Questions
    1. Introduction
    2. Defining Sensitivity
    3. Data Sensitivity and System Sensitivity
    4. Sensitivity Assessment Process
    5. Data Classification Approaches
    6. Responsibility for Data Sensitivity Assessment
    7. Ranking Data Sensitivity
    8. National Security Information
    9. Criticality
    10. Criticality Assessment
    11. Criticality in the View of the System Owner
    12. Ranking Criticality
    13. Changes in Criticality and Sensitivity
    14. NIST Guidance on System Categorization
      1. Task 1-1: Categorize and Document the Information System
      2. Task 1-2: Describe the Information System
      3. Task 1-3: Register the Information System
      4. Information System Categorization: Review Questions
    1. Introduction
    2. Minimum Security Baselines and Best Practices
      1. Security Controls
      2. Levels of Controls
      3. Selecting Baseline Controls
      4. Use of the Minimum Security Baseline Set
      5. Common Controls
      6. Observations
    3. Assessing Risk
      1. Background
      2. Risk Assessment in System Authorization
      3. The Risk Assessment Process
      4. Step 1: System Characterization
      5. Step 2: Threat Identification
      6. Step 3: Vulnerability Identification
      7. Step 4: Control Analysis
      8. Step 5: Likelihood Determination
      9. Step 6: Impact Analysis
      10. Step 7: Risk Determination
      11. Step 8: Control Recommendations
      12. Step 9: Results Documentation
      13. Conducting the Risk Assessment
      14. Risk Categorization
      15. Documenting Risk Assessment Results
      16. Using the Risk Assessment
      17. Overview of NIST Special Publication 800-30, Revision 1
      18. Observations
    4. System Security Plans
      1. Applicability
      2. Responsibility
      3. Plan Contents
      4. What a Security Plan Is Not
      5. Plan Initiation
      6. Information Sources
      7. Security Plan Development Tools
      8. Plan Format
      9. Plan Approval
      10. Plan Maintenance
      11. Plan Security
      12. Plan Metrics
      13. Resistance to Security Planning
      14. Observations
    5. NIST Guidance on Security Controls Selection
      1. Task 2-1: Identify Common Controls
      2. Task 2-2: Select Security Controls
      3. Task 2-3: Develop Monitoring Strategy
      4. Task 2-4: Approve Security Plan
      5. Establishment of the Security Control Baseline: Review Questions
    1. Introduction
    2. Security Procedures
      1. Purpose
      2. The Problem with Procedures
      3. Responsibility
      4. Procedure Templates
      5. Process for Developing Procedures
      6. Style
      7. Formatting
      8. Access
      9. Maintenance
      10. Common Procedures
      11. Procedures in the System Authorization Process
      12. Observations
    3. Remediation Planning
      1. Managing Risk
      2. Applicability of the Remediation Plan
      3. Responsibility for the Plan
      4. Risk Remediation Plan Scope
      5. Plan Format
      6. Using the Plan
      7. When to Create the Plan
      8. Risk Mitigation Meetings
      9. Observations
    4. NIST Guidance on Implementation of Security Controls
      1. Task 3-1: Implement Security Controls
      2. Task 3-2: Document Security Control Implementation
      3. Application of Security Controls: Review Questions
    1. Introduction
    2. Scope of Testing
    3. Level of Effort
    4. Assessor Independence
    5. Developing the Test Plan
    6. The Role of the Host
    7. Test Execution
    8. Documenting Test Results
    9. NIST Guidance on Assessment of Security Control Effectiveness
      1. Task 4-1: Prepare for Controls Assessment
      2. Task 4-2: Assess Security Controls
      3. Task 4-3: Prepare Security Assessment Report
      4. Task 4-4: Conduct Remediation Actions
      5. Assessment of Security Controls: Review Questions
    1. Introduction
    2. System Authorization Decision Making
      1. The System Authorization Authority
      2. Authorization Timing
      3. The Authorization Letter
      4. Authorization Decisions
      5. Designation of Approving Authorities
      6. Approving Authority Qualifications
      7. Authorization Decision Process
      8. Actions Following Authorization
      9. Observations
    3. Essential System Authorization Documentation
      1. Authority
      2. System Authorization Package Contents
      3. Excluded Documentation
      4. The Certification Statement
      5. Transmittal Letter
      6. Administration
      7. Observations
    4. NIST Guidance on Authorization of Information Systems
      1. Task 5-1: Prepare Plan of Action and Milestones
      2. Task 5-2: Prepare Security Authorization Package
      3. Task 5-3: Conduct Risk Determination
      4. Task 5-4: Perform Risk Acceptance
      5. Information System Authorization: Review Questions
    1. Introduction
    2. Continuous Monitoring
      1. Configuration Management/Configuration Control
      2. Security Controls Monitoring
      3. Status Reporting and Documentation
      4. Key Roles in Continuous Monitoring
      5. Reaccreditation Decision
    3. NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the Information System
      1. Task 6-1: Analyze Impact of Information System and Environment Changes
      2. Task 6-2: Conduct Ongoing Security Control Assessments
      3. Task 6-3: Perform Ongoing Remediation Actions
      4. Task 6-4: Perform Key Updates
      5. Task 6-5: Report Security Status
      6. Task 6-6: Perform Ongoing Risk Determination and Acceptance
      7. Task 6-7: Information System Removal and Decommissioning
      8. Security Controls Monitoring: Review Questions
    1. Situation
    2. Action Plan
    3. Lessons Learned
    4. Tools
    5. Document Templates
    6. Coordination
    7. Role of the Inspector General
    8. Compliance Monitoring
    9. Measuring Success
    10. Project Milestones
    11. Interim Accreditation
    12. Management Support and Focus
    13. Results and Future Challenges
    1. Technical Requirements Section
      1. 2.1 Task Description
        1. 2.1.1 Scope of Work
        2. 2.1.2 Statement of Work
      2. 2.2 Deliverables
        1. 2.2.1 Work Plan (Deliverable 1)
        2. 2.2.2 ABC System Risk Assessment Report (Deliverable 2)
        3. 2.2.3 ABC System Security Plan/Test Plan (Deliverable 3)
        4. 2.2.4 ABC System Certification Report (Deliverable 4)
        5. 2.2.5 Exit Briefing Agenda and Presentation (Deliverable 5)
    1. Title Slide
    2. Briefing Agenda
    3. XYZ Company C&A Program Overview
    4. ABC System C&A Project Objectives
    5. Deliverable Standards
    6. ABC System C&A Project Plan
    7. Project Organization
    8. Immediate Objective
    9. Documentation Review
    10. Interviews
    11. Vulnerability Scanning
    12. Other Data Collection Goals
    13. Project Schedule
    14. Administrative Requirements
    15. Next Steps
    16. Other Comments
    17. Team Contact Information
    18. Questions
    1. Title Slide
    2. Briefing Agenda
    3. ABC System C&A (Certification and Accreditation) Objective
    4. ABC System C&A Project Tasks and Deliverables
    5. Project Findings
    6. Recommendations
    7. Next Steps
    8. Questions
    1. Statement of Policy
    2. Purpose
    3. Definition
    4. Policy
    5. Applicability
    6. Authority and Responsibility
    7. Document History
    1. XYZ Company Local-Area Network (LAN) Rules of Behavior
    1. ABC Application Rules of Behavior
    1. Security Plan Outline
    1. Memorandum of Understanding
      1. Introduction
      2. Background
        1. Zeus System
        2. Athena System
      3. Communications
      4. Interconnection Security Agreement
      5. Security
      6. Cost Considerations
      7. Timeline
      8. Signatory Authority
    1. Section 1: Statement of Requirements
    2. Section 2: System Security Considerations
      1. General Information/Data Description
      2. Services Offered
      3. Data Sensitivity
      4. User Community
      5. Information Exchange Security
      6. Trusted Behavior Expectations
      7. Formal Security Policy
      8. Incident Reporting
      9. Audit Trail Responsibilities
    3. Section 3: Connectivity Drawing
    4. Section 4: Approval
      1. Signatory Authority
    1. Executive Summary
      1. I. Introduction
      2. II. Risk Assessment Approach
      3. III. System Characterization
      4. IV. Threat Statement
      5. V. Risk Assessment Results
      6. VI. Summary
    1. Responsibility for Implementation and Enforcement
    2. References
    3. Applicability
    4. Reporting Process
    5. Tasks
    1. ABC System Certification Statement
      1. Background
      2. Summary of Findings
      3. Statement of Compliance
      4. Recommendations
      5. Certification Statement
    1. Domain 1: Understanding the Security Authorization of Information Systems
      1. Key Areas of Knowledge
    2. Domain 2: Categorize Information Systems
      1. Key Areas of Knowledge
    3. Domain 3: Establish the Security Control Baseline
      1. Key Areas of Knowledge
    4. Domain 4: Apply Security Controls
      1. Key Areas of Knowledge
    5. Domain 5: Assess Security Controls
      1. Key Areas of Knowledge
    6. Domain 6: Authorize Information System
      1. Key Areas of Knowledge
    7. Domain 7: Monitor Security Controls
      1. Key Areas of Knowledge
    1. Domain 1
    2. Domain 2
    3. Domain 3
    4. Domain 4
    5. Domain 5
    6. Domain 6
    7. Domain 7