وبلاگ بلیان

Implementing Cybersecurity: A Guide to the National Institute of Standards and Technology Risk Management Framework (Internal Audit and IT Audit)

معرفی کتاب «Implementing Cybersecurity: A Guide to the National Institute of Standards and Technology Risk Management Framework (Internal Audit and IT Audit)» نوشتهٔ Zuboff، Shoshana و Anne Kohnke; Ken Sigler; Dan Shoemaker، منتشرشده توسط نشر Auerbach Publications; CRC Press در سال 2017. این کتاب در فرمت pdf، زبان انگلیسی ارائه شده است.

3.5.13 Maintain the System Security Category and Impact Levels -- 3.6 Chapter Summary -- References -- Chapter 4: Step 2-Select Security Controls -- 4.1 Understanding Control selection -- 4.2 Federal Information Processing Standard Publication 200 -- 4.3 Implementation of Step 2-Select Security Controls -- 4.4 Document Collection and Relationship Building -- 4.5 Select Initial Security Control Baselines and Minimum Assurance Requirements -- 4.6 Apply Scoping Guidance to Initial Baselines -- 4.7 Determine Need for Compensating Controls -- 4.8 Determine Organizational Parameters -- 4.9 Supplement Security Controls -- 4.10 Determine Assurance Measures for Minimum Assurance Requirements -- 4.11 Complete Security Plan -- 4.12 Develop Continuous Monitoring Strategy -- 4.13 Approval of Security Plan and Continuous Monitoring Strategy -- 4.14 Other Control Libraries -- 4.14.1 Control Objectives for Information and Related Technology (COBIT 5) -- 4.14.2 CIS Critical Security Controls -- 4.14.3 Industrial Automation and Control Systems Security Life Cycle -- 4.14.4 ISO/IEC 27001 -- 4.15 Chapter Summary -- Glossary -- References -- Chapter 5: Step 3- Implement Security Controls -- 5.1 Introduction -- 5.2 Implementation of the Security Controls Specified by the Security Plan -- 5.3 A System Perspective to Implementation -- 5.4 A Management Perspective to Implementation -- 5.5 Implementation via Security Life Cycle Management -- 5.6 Establishing Effective Security Implementation through Infrastructure Management -- 5.7 Finding the Fit: Security Implementation Projects and Organization Portfolios -- 5.8 Security Implementation Project Management -- 5.9 Document the Security Control Implementation in the Security Plan -- 5.10 Chapter Summary -- Glossary -- References -- Chapter 6: Step 4- Assess Security Controls -- 6.1 Understanding Security Control Assessment 6.2 Components of Security Control Assessment -- 6.3 Control Assessment and the SDLC -- 6.4 Ensuring Adequate Control Implementation -- 6.5 Assessment Plan Development, Review, and Approval -- 6.6 Security Control Assessment Procedures and Methodologies -- 6.7 Assess Controls in Accordance with Assessment Plan -- 6.8 Prepare the Security Assessment Report -- 6.9 Initial Remedy Actions of Assessment Findings -- 6.10 Chapter Summary -- Glossary -- References -- Chapter 7: Step 5- Authorize: Preparing the Information System for Use -- 7.1 Authorizing the Formal Risk Response -- 7.2 Elements of Risk Management -- 7.3 Certification and Accreditation -- 7.4 Application of the RMF -- 7.5 Security Authorizations/Approvals to Operate -- 7.6 Certification of the Correctness of Security Controls -- 7.7 Risk Management and Enterprise Architecture -- 7.8 Particular Role of Requirements -- 7.9 Drawing Hard Perimeters -- 7.10 Preparing the Action Plan -- 7.11 Preparing the Security Authorization Package -- 7.12 Standard Risk Determination -- 7.13 Chapter Summary -- Glossary -- References -- Chapter 8: Step 6- Monitor Security State -- 8.1 Sustaining the Organization's Risk Management Response -- 8.2 Overview of the Process: Sustaining Effective Risk Monitoring -- 8.3 Structuring the Risk-Monitoring Process -- 8.4 Sustaining an Ongoing Control-Monitoring Process -- 8.5 Establishing a Continuous Control Assessment Process -- 8.6 Implementing a Practical Control System Monitoring Process -- 8.7 Conducting Continuous Monitoring -- 8.8 Practical Considerations -- 8.9 Quantitative Measurement Considerations -- 8.10 Keeping the Control Set Correct over Time -- 8.11 Chapter Summary -- Glossary -- References -- Chapter 9: Practical Applications of the National Institute of Standards and Technology Risk Management Framework -- 9.1 Applying the NIST RMF 2.5 General Shape of the RMF Process -- 2.6 RMF Implementation -- 2.7 Other Frameworks and Models for Risk Management -- 2.8 International Organization for Standardization 31000:2009 -- 2.9 ISO 31000 Implementation Process: Establishment -- 2.10 COSO Enterprise Risk Management Framework -- 2.11 Health Information Trust Alliance Common Security Framework -- 2.12 Implementing the HITRUST CSF Control Structure -- 2.13 NIST SP 800-30 and NIST SP 800-39 Standards -- 2.14 Chapter Summary -- Glossary -- References -- Chapter 3: Step 1- Categorize Information and Information Systems -- 3.1 Introduction -- 3.2 Security Impact Analysis -- 3.3 FIPS 199, Standards for Security Categorization of Federal Information and Information Systems -- 3.3.1 FIPS 199-Security Categorization of Information Types -- 3.3.2 FIPS 199-Security Categorization of Information Systems -- 3.4 CNSSI No. 1253, Security Categorization and Control Selection for National Security Systems -- 3.4.1 Implementation of Step 1-Security Categorization -- 3.5 Security Categorization from the Organizational Perspective -- 3.5.1 Establish Relationships with Organizational Entities -- 3.5.2 Develop an Organization-Wide Categorization Program -- 3.5.3 Prepare an Organization-Wide Guidance Program -- 3.5.4 Lead Organization-Wide Categorization Sessions -- 3.5.5 Security Categorization from the Management Perspective -- 3.5.6 Security Categorization from the System Perspective -- 3.5.7 Preparing for System Security Categorization -- 3.5.8 Step 1: Identify System Information Types -- 3.5.9 Step 2: Select Provisional Impact Values for Each Information Type -- 3.5.10 Step 3: Adjust the Provisional Impact Levels of Information Types -- 3.5.11 Step 4: Determine the Information System Security Impact Level -- 3.5.12 Obtain Approval for the System Security Category and Impact Level Cover -- Half Title -- Title Page -- Copyright page -- Contents -- Foreword -- Preface -- Why the NIST RMF Is Important -- Practical Benefits of Implementing the Risk Management Model -- Who Should Read This Book -- Organization of This Text -- Chapter 1: Introduction to Organizational Security Risk Management -- Chapter 2: Survey of Existing Risk Management Models -- Chapter 3: Step 1-Categorize Information and Information Systems -- Chapter 4: Step 2-Select Security Controls -- Chapter 5: Step 3-Implement Security Controls -- Chapter 6: Step 4-Assess Security Controls -- Chapter 7: Step 5-Authorize Information Systems -- Chapter 8: Step 6-Monitor Security State -- Chapter 9: Practical Application of the NIST RMF -- Appendix: (ISC)2 Certified Authorization Professional (CAP) Certification -- Authors -- Chapter 1: Introduction to Organizational Security Risk Management -- 1.1 Introduction to the Book -- 1.2 Risk Is Inevitable -- 1.3 Strategic Governance and Risk Management -- 1.4 Elements of Risk Management -- 1.5 Risk Types and Risk Handling Strategies -- 1.6 Overview of the Risk Management Process -- 1.6.1 Establishing the Risk Management Planning Process -- 1.6.2 Identifying and Categorizing the Risk Environment -- 1.6.3 Risk Assessment -- 1.6.4 Designing for Effective Risk Management -- 1.6.5 Evaluating Candidates for Control -- 1.6.6 Implementing Risk Management Controls -- 1.6.7 Assessing the Effectiveness of Risk Controls -- 1.6.8 Sustainment: Risk Assessment and Operational Evaluation of Change -- 1.6.9 Evaluating the Overall Risk Management Function -- 1.7 Chapter Summary -- Glossary -- Chapter 2: Survey of Existing Risk Management Frameworks -- 2.1 Survey of Existing Risk Management Models and Frameworks -- 2.2 Standard Best Practice -- 2.3 Making Risk Management Tangible -- 2.4 Formal Architectures Many enterprises lack an approach to integrate cybersecurity standards and enterprise governance of Information & Technology (EGIT). This lack of approach leaves them unable to establish systematic yet flexible and achievable governance and management objectives, processes, and capability levels to make measured improvements toward cybersecurity goals. Created to support critical infrastructure, the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) continues to evolve based on feedback from diverse stakeholders and use cases. Today, the NIST CSF is a useful guide to help any enterprise address its cyberrisk. Explore proven practices to anticipate, understand and optimize IT risk by implementing NIST Framework for Improving Critical Infrastructure Cybersecurity V1.1 using COBIT 2019. Features NIST CSF Implementation. Correlating CSF guidance with measurable governance and management practices. Mapping of CSF steps and activities to COBIT 2019. Appendices for quick reference and further considerations. "In 2013, US President Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which called for the development of a voluntary risk-based cybersecurity framework (CSF) that is "prioritized, flexible, repeatable, performance-based, and cost-effective." The CSF was developed through an international partnership of small and large organizations, including owners and operators of the nation's critical infrastructure, with leadership by the National Institute of Standards and Technology (NIST). ISACA participated in the CSF's development and helped embed key principles from the COBIT framework into the industry-led effort. As part of the knowledge, tools and guidance provided by CSX, ISACA has developed this guide for implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity."-- Unedited summary from book The book provides the complete strategic understanding requisite to allow a person to create and use the RMF process recommendations for risk management. This will be the case both for applications of the RMF in corporate training situations, as well as for any individual who wants to obtain specialized knowledge in organizational risk management. It is an all-purpose roadmap of sorts aimed at the practical understanding and implementation of the risk management process as a standard entity. It will enable an "application" of the risk management process as well as the fundamental elements of control formulation within an applied context. 9.2 RMF Application -- 9.3 Certification and Accreditation in the Federal Space -- 9.4 In the Beginning: The Clinger-Cohen Act (1996) -- 9.5 The E-Government Act of 2002: FISMA -- 9.6 Implementing Information Security Controls-NIST 800-53 -- 9.7 Evaluating the Control Set -- 9.8 Chapter Summary -- Glossary -- References -- Appendix -- Index
دانلود کتاب Implementing Cybersecurity: A Guide to the National Institute of Standards and Technology Risk Management Framework (Internal Audit and IT Audit)