Book description
Learn more about establishing and maintaining a secure information environment...
War is always a product of its age, and information systems are one of the primary drivers of war in the age of information. The tools and tactics used to fight the information war have evolved with advances in technology, so it is no wonder that the tools and tactics needed to defend critical information systems must evolve as well.
Certification and Accreditation Process
One of the tools in the defense toolkit is the process known as Certification and Accreditation (C&A). C&A stretches across the Department of Defense (DoD), the Office of the Director of National Intelligence (DNI), the Committee on National Security Systems (CNSS), the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB).
It can be an extremely effective risk-based process for ensuring that the measures necessary to protect devices, systems and networks are actually implemented. It is therefore essential for information security professionals to understand this huge and complex body of work in order to establish and maintain a secure information environment.
New C&A practices reduce redundant activity
The new C&A practices will reduce redundant activity and unnecessary documentation, and will shorten the overall process that has historically affected DoD procurement. The new procedures will also ensure system certifications and accreditations accomplished by one agency are valid for all agencies.
A comprehensive and authoritative guide to C&A
This book is the first comprehensive manual to explain the current standards and best practices. The book provides all the information needed to recognize, implement and manage the relevant authorization requirements, and therefore to achieve compliance with federal, local and agency laws and policies. Each chapter not only provides a list of related references but also offers recommendations for additional reading. Ideal for security practitioners, system administrators, managers, standards developers, evaluators and testers, no other book provides such authoritative guidance on these emerging requirements.
What others are saying about this book...
'Book is easy to read and easy to follow. The author clearly identifies the major points of C&A. An excellent material for our MBA669A (Principles of Information Security Management) class'. Jeralyn Pasinabo, University of Dayton
'This book is excellent for real world techniques for employing best practices for security… very well laid out and has lots of important points.'
'This textbook was very detailed, yet easy to follow… I would highly recommend The Definitive Guide to the C&A Transformation.' Letitia Sharp (amazon.com review)
Table of contents
- PREFACE
- ABOUT THE AUTHORS
- ACKNOWLEDGEMENTS
- CONTENTS
- INTRODUCTION
- CHAPTER 1: AN ABRIDGED HISTORY OF INFORMATION TECHNOLOGY AND INFORMATION SYSTEMS SECURITY
- From physical to virtual – a highly abridged history of information technology
- Information systems and information systems security – merging concerns
- 40 years ago: The Dinosaur Age – the mainframe
- 30 years ago: The caveman and the wheel – ftp, email, and telnet
- 20 years ago: The automobile meets the road – rise of the personal computer
- 10 years ago: The Autobahn – the information super-highway
- Today: The sky is the limit – networking without boundaries!
- References
- CHAPTER 2: THE ESSENTIAL INFORMATION SYSTEMS SECURITY REGULATIONS
- CHAPTER 3: THE AUTHORIZATION PROCESS FRAMEWORK
- Commonly found authorization process deficiencies
- Risk assessments were not conducted or did not provide an adequate basis for a risk-based decision
- Information system sensitivity levels were inconsistent or incorrect
- Inappropriate or insufficient security controls
- Authorization decisions were based on inadequate and inconsistent testing
- Processes for security controls reviews were inadequate or nonexistent
- Authorization process commonalities
- The basic authorization framework
- Factors that influence authorization activities
- Joint or reciprocal authorization
- References
- CHAPTER 4: THE AUTHORIZATION PROCESS – ESTABLISHING A FOUNDATION
- Authorization is only one part of an effective security program
- Designing an effective information security program
- Defining the program
- The 5000 meter view
- Getting and keeping resources
- Security governance – establishing the right roles and responsibilities
- Senior leadership
- Chief information officer (CIO)
- Senior agency information security officer (SAISO)/chief information security officer (CISO)
- Risk executive (individual or function)
- Authorizing official (AO)/designated accrediting authority (DAA)
- Information systems security manager (ISSM)/information assurance manager (IAM)
- Information system security officer (ISSO)/information assurance officer (IAO)
- Certifying authority (CA)
- Security controls assessor
- Common control provider
- Information owner/information steward
- Information system owner or program manager (PM)/information system steward
- Information system security engineer (ISSE)
- User representative
- Users
- Subject matter experts (SME)
- Contractors
- But I’m just a small organization…
- Can roles and responsibilities be delegated?
- Systems security training and certification
- Developing and publishing plans and policies
- Measuring progress
- Milestones from the “establishing a foundation” activities
- References
- CHAPTER 5: PRE-AUTHORIZATION ACTIVITIES – THE FUNDAMENTALS
- Establish the authorization team
- Training the authorization team should not be an afterthought
- Categorizing the information system
- Defining the boundary ensures manageable and measurable authorization
- Establishing a risk management process
- Risk management process example
- The risk assessment process
- Step 1: Prepare and plan the risk assessment
- Step 2: Identifying assets
- Step 3: Perform asset sensitivity analysis
- Step 4: Conduct a threat analysis
- Step 5: Conduct a vulnerability analysis
- Step 6: Execute cost/impact analysis
- Step 7: Finalize risk assessment and analysis
- Step 8: Assess residual risk against risk tolerance
- The full risk assessment: Yes or No?
- Align with the system life cycle (SLC)
- Milestones from the pre-certification and accreditation activities
- References
- CHAPTER 6: PLAN, INITIATE AND IMPLEMENT AUTHORIZATION – PREPARING FOR AUTHORIZATION
- UNDERSTAND the information and the information system
- System 1: A public web server
- System 2: A financial organization
- System 3: A medical management system
- REGISTER the information system
- NEGOTIATE the authorization approach
- IMPLEMENT the security controls
- Milestones from the plan, initiate, and implement authorization activities
- References
- CHAPTER 7: VERIFY, VALIDATE & AUTHORIZE – CONDUCTING THE AUTHORIZATION
- ASSESS the security controls
- DEVELOP the plan of action and milestones (POA&M)
- AUTHORIZE the operation of the information system
- Milestones from the verify, validate and authorize activities
- References
- CHAPTER 8: OPERATE & MAINTAIN – MAINTAINING AUTHORIZATION
- CHAPTER 9: REMOVE THE INFORMATION SYSTEM FROM OPERATION
- CHAPTER 10: AUTHORIZATION PACKAGE AND SUPPORTING EVIDENCE
- The authorization package in detail
- System security plan (SSP)
- The POA&M elements and format
- Column 1: Weakness identifier
- Column 2: Weakness description
- Column 3: Point of contact (POC)
- Column 4: Resources required
- Column 5: Scheduled completion date
- Column 6: Milestones with completion dates
- Column 7: Changes to milestones
- Column 8: Identified in audit or review
- Column 9: Status
- Column 10: Comments
- Column 11: Risk level
- Risk level determination
- Establishing a POA&M process
- Security assessment report (SAR)
- Certification statement
- Supporting evidence for the authorization decision – security control documentation
- Information system inventory – understand your information systems
- Security control assessment (SCA) plan
- Security control assessment report (SAR)
- Configuration management (CM) process and plan
- Continuity of operations/IT contingency planning
- User guides – general and privileged users
- Incident handling and response
- Privacy impact assessment (PIA)
- Interconnection agreements
- MOU, MOA or ISA?
- References
- CHAPTER 11: C&A IN THE US DEPARTMENT OF DEFENSE
- Introduction to the DIACAP
- DIACAP governance structure
- A DIACAP roadmap (guide to the stages or activities)
- Initiate & plan IA C&A
- Register the information system with the DOD component IA program
- Assign the information assurance controls
- Assigning the DIACAP team
- Develop the DIACAP implementation plan
- Implement and validate assigned IA controls
- Finding implementation and validation test guidance
- Execute the DIACAP implementation plan
- Conduct validation activities
- Prepare the plan of action & milestones (POA&M)
- Compile validation results in the DIACAP scorecard
- Make certification determination & accreditation decision
- Maintain authorization to operate & conduct reviews
- Decommission the information system
- DIACAP support tools
- C&A and the DOD components
- References
- CHAPTER 12: AUTHORIZATION IN THE FEDERAL GOVERNMENT
- Establishing information system authorization boundaries (also known as accreditation boundaries)
- Choose the proper accreditation vehicle
- Security authorization process
- Step 1: Categorizing the information system
- Step 2: Registering the information system
- Step 3: Selecting the security controls
- Step 4: Implementing the security controls
- Step 5: Identify and select the independent security control assessor (assessment team)
- Step 6: Develop the security control assessment plan
- Step 7: Prepare for the test
- Step 8: Conduct the security controls assessment test
- Step 9: Update the system security plan
- Step 10: Develop the POA&M
- Step 11: Security authorization decision
- Step 12: Continuous monitoring and ongoing risk acceptance
- Step 13: Decommissioning the information system
- References
- CHAPTER 13: THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
- The e-Government Act of 2002 and FISMA
- The FISMA report card
- The FISMA report requirements
- FISMA systems inventory
- Certification and accreditation, security controls testing, and contingency plan testing
- Implementation of NIST SP 800-53 security controls
- Incident detection, monitoring, and response
- Security awareness training
- Peer-to-peer file sharing
- Configuration management
- Incident reporting
- New technologies and emerging threats
- Security performance metrics
- FISMA misunderstood – What FISMA is NOT
- FISMA and its achievements
- 10 critical questions for FISMA compliance
- The 30,000 foot view of FISMA compliance
- References
- CHAPTER 14: AUTHORIZATION AND THE SYSTEM LIFE CYCLE (SLC)
- CHAPTER 15: INFORMATION SYSTEMS SECURITY TRAINING AND CERTIFICATION
- CHAPTER 16: THE FUTURE – REVITALIZING AND TRANSFORMING C&A
- THE RESOURCE CD
- GLOSSARY
- ACRONYMS
- ITG RESOURCES
Product information
- Title: The Definitive Guide to the C&A Transformation Process
- Author(s):
- Release date: October 2009
- Publisher(s): IT Governance Publishing
- ISBN: 9781849281294