راهنمای رسمی (ISC)² برای CAP® CBK®، ویرایش دوم
Official (ISC)2® Guide to the CAP® CBK®, Second Edition ((ISC)2 Press
معرفی کتاب «راهنمای رسمی (ISC)² برای CAP® CBK®، ویرایش دوم» (با عنوان لاتین Official (ISC)2® Guide to the CAP® CBK®, Second Edition ((ISC)2 Press) نوشتهٔ Patrick D. Howard، منتشرشده توسط نشر Auerbach Publications/CRC Press در سال 2012. این کتاب در 2 صفحه، فرمت pdf، زبان انگلیسی ارائه شده است.
"Providing an overview of certification and accreditation, the second edition of this officially sanctioned guide demonstrates the practicality and effectiveness of C & A as a risk management methodology for IT systems in public and private organizations. It enables readers to document the status of their security controls and learn how to secure IT systems via standard, repeatable processes. The text describes what it takes to build a certification and accreditation program at the organization level and then analyzes various C & A processes and how they interrelate. A case study illustrates the successful implementation of certification and accreditation in a major U.S. government department. The appendices offer a collection of helpful samples"-- "There are many elements that make system authorization complex. This book focuses on the processes that must be employed by an organization to establish a system authorization program based on current federal government criteria. Although the roots of this book address various federal requirements, the process developed and presented can be used by nongovernment organizations to address compliance and the myriad laws, regulations, and standards currently driving information technology security. The key to reaching system authorization nirvana is understanding what is required and then implementing a methodology that will achieve those requirements. The top-down methodology presented in this book provides the reader with a practical approach for completion of such an undertaking. By demystifying government requirements, this book presents a simplified, practical approach to system authorization"-- � Read more... Abstract: Demonstrates the effectiveness of certification and accreditation as a risk management methodology for IT systems in public and private organizations. This work provides security professionals with an overview of C&A components, showing them how to document the status of IT security controls and secure systems via standard, repeatable processes. � Read more... Content: Security Authorization of Information Systems Introduction Legal and Regulatory Framework for System Authorization External Program Drivers System-Level Security Defining System Authorization Resistance to System Authorization Benefits of System Authorization Key Elements of an Enterprise System Authorization Program The Business Case Goal Setting Tasks and Milestones Program Oversight Visibility Resources Program Guidance Special Issues Program Integration System Authorization Points of Contact Measuring Progress Managing Program Activities Monitoring Compliance Providing Advice and Assistance Responding to Changes Program Awareness, Training, and Education Using Expert Systems Waivers and Exceptions NIST Special Publication 800-37, Revision 1, and the Application of the Risk Management Framework to Systems Overview Authority and Scope Purpose and Applicability Target Audience Fundamentals of Information System Risk Management According to NIST SP 800-37, Revision 1 Guidance on Organization-Wide Risk Management Organization Level (Tier 1) Mission/Business Process Level (Tier 2) Information System Level (Tier 3) Guidance on Risk Management in the System Development Life Cycle NIST's Risk Management Framework Guidance on System Boundary Definition Guidance on Software Application Boundaries Guidance on Complex Systems Guidance on the Impact of Technological Changes on System Boundaries Guidance on Dynamic Subsystems Guidance on External Subsystems Guidance on Security Control Allocation Guidance on Applying the Risk Management Framework Summary of NIST Guidance System Authorization Roles and Responsibilities Primary Roles and Responsibilities Other Roles and Responsibilities Additional Roles and Responsibilities from NIST SP 800-37, Revision 1 Documenting Roles and Responsibilities Job Descriptions Position Sensitivity Designations Personnel Transition Time Requirements Expertise Requirements Using Contractors Routine Duties Organizational Skills Organizational Placement of the System Authorization Function The System Authorization Life Cycle Initiation Phase Acquisition/Development Phase Implementation Phase Operations/Maintenance Phase Disposition Phase Challenges to Implementation Why System Authorization Programs Fail Program Scope Assessment Focus Short-Term Thinking Long-Term Thinking Poor Planning Lack of Responsibility Excessive Paperwork Lack of Enforcement Lack of Foresight Poor Timing Lack of Support System Authorization Project Planning Planning Factors Dealing with People Team Member Selection Scope Definition Assumptions Risks Project Agreements Project Team Guidelines Administrative Requirements Reporting Other Tasks Project Kickoff Wrap-Up Observations The System Inventory Process Responsibility System Identification Small Systems Complex Systems Combining Systems Accreditation Boundaries The Process Validation Inventory Information Inventory Tools Using the Inventory Maintenance Observations Interconnected Systems The Solution Agreements in the System Authorization Process Trust Relationships Initiation Time Issues Exceptions Maintaining Agreements Security Authorization of Information Systems: Review Questions Information System Categorization Introduction Defining Sensitivity Data Sensitivity and System Sensitivity Sensitivity Assessment Process Data Classification Approaches Responsibility for Data Sensitivity Assessment Ranking Data Sensitivity National Security Information Criticality Criticality Assessment Criticality in the View of the System Owner Ranking Criticality Changes in Criticality and Sensitivity NIST Guidance on System Categorization Task 1-1: Categorize and Document the Information System Task 1-2: Describe the Information System Task 1-3: Register the Information System Information System Categorization: Review Questions Establishment of the Security Control Baseline Introduction Minimum Security Baselines and Best Practices Security Controls Levels of Controls Selecting Baseline Controls Use of the Minimum Security Baseline Set Common Controls Observations Assessing Risk Background Risk Assessment in System Authorization The Risk Assessment Process Step 1: System Characterization Step 2: Threat Identification Step 3: Vulnerability Identification Step 4: Control Analysis Step 5: Likelihood Determination Step 6: Impact Analysis Step 7: Risk Determination Step 8: Control Recommendations Step 9: Results Documentation Conducting the Risk Assessment Risk Categorization Documenting Risk Assessment Results Using the Risk Assessment Overview of NIST Special Publication 800-30, Revision 1 Observations System Security Plans Applicability Responsibility Plan Contents What a Security Plan Is Not Plan Initiation Information Sources Security Plan Development Tools Plan Format Plan Approval Plan Maintenance Plan Security Plan Metrics Resistance to Security Planning Observations NIST Guidance on Security Controls Selection Task 2-1: Identify Common Controls Task 2-2: Select Security Controls Task 2-3: Develop Monitoring Strategy Task 2-4: Approve Security Plan Establishment of the Security Control Baseline: Review Questions Application of Security Controls Introduction Security Procedures Purpose The Problem with Procedures Responsibility Procedure Templates Process for Developing Procedures Style Formatting Access Maintenance Common Procedures Procedures in the System Authorization Process Observations Remediation Planning Managing Risk Applicability of the Remediation Plan Responsibility for the Plan Risk Remediation Plan Scope Plan Format Using the Plan When to Create the Plan Risk Mitigation Meetings Observations NIST Guidance on Implementation of Security Controls Task 3-1: Implement Security Controls Task 3-2: Document Security Control Implementation Application of Security Controls: Review Questions Assessment of Security Controls Introduction Scope of Testing Level of Effort Assessor Independence Developing the Test Plan The Role of the Host Test Execution Documenting Test Results NIST Guidance on Assessment of Security Control Effectiveness Task 4-1: Prepare for Controls Assessment Task 4-2: Assess Security Controls Task 4-3: Prepare Security Assessment Report Task 4-4: Conduct Remediation Actions Assessment of Security Controls: Review Questions Information System Authorization Introduction System Authorization Decision Making The System Authorization Authority Authorization Timing The Authorization Letter Authorization Decisions Designation of Approving Authorities Approving Authority Qualifications Authorization Decision Process Actions Following Authorization Observations Essential System Authorization Documentation Authority System Authorization Package Contents Excluded Documentation The Certification Statement Transmittal Letter Administration Observations NIST Guidance on Authorization of Information Systems Task 5-1: Prepare Plan of Action and Milestones Task 5-2: Prepare Security Authorization Package Task 5-3: Conduct Risk Determination Task 5-4: Perform Risk Acceptance Security Controls Monitoring Introduction Continuous Monitoring Configuration Management/Configuration Control Security Controls Monitoring Status Reporting and Documentation Key Roles in Continuous Monitoring Reaccreditation Decision NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the Information System Task 6-1: Analyze Impact of Information System and Environment Changes Task 6-2: Conduct Ongoing Security Control Assessments Task 6-3: Perform Ongoing Remediation Actions Task 6-4: Perform Key Updates Task 6-5: Report Security Status Task 6-6: Perform Ongoing Risk Determination and Acceptance Task 6-7: Information System Removal and Decommissioning Security Controls Monitoring: Review Questions System Authorization Case Study Situation Action Plan Lessons Learned Tools Document Templates Coordination Role of the Inspector General Compliance Monitoring Measuring Success Project Milestones Interim Accreditation Management Support and Focus Results and Future Challenges The Future of Information System Authorization Appendix A: References Appendix B: Glossary Appendix C: Sample Statement of Work Appendix D: Sample Project Work Plan Appendix E: Sample Project Kickoff Presentation Outline Appendix F: Sample Project Wrap-Up Presentation Outline Appendix G: Sample System Inventory Policy Appendix H: Sample Business Impact Assessment Appendix I: Sample Rules of Behavior (General Support System) Appendix J: Sample Rules of Behavior (Major Application) Appendix K: Sample System Security Plan Outline Appendix L: Sample Memorandum of Understanding Appendix M: Sample Interconnection Security Agreement Appendix N: Sample Risk Assessment Outline Appendix O: Sample Security Procedure Appendix P: Sample Certification Test Results Matrix Appendix Q: Sample Risk Remediation Plan Appendix R: Sample Certification Statement Appendix S: Sample Accreditation Letter Appendix T: Sample Interim Accreditation Letter Appendix U: Certification and Accreditation Professional (CAP(R)) Common Body of Knowledge (CBK(R)) Appendix V: Answers to Review Questions Significant developments since the publication of its bestselling predecessor, Building and Implementing a Security Certification and Accreditation Program, warrant an updated text as well as an updated title. Reflecting recent updates to the Certified Authorization Professional (CAP®) Common Body of Knowledge (CBK®) and NIST SP 800-37, the Official (ISC)2® Guide to the CAP® CBK®, Second Edition provides readers with the tools to effectively secure their IT systems via standard, repeatable processes. Derived from the author's decades of experience, including time as the CISO for the Nuclear Regulatory Commission, the Department of Housing and Urban Development, and the National Science Foundation's Antarctic Support Contract, the book describes what it takes to build a system security authorization program at the organizational level in both public and private organizations. It analyzes the full range of system security authorization (formerly C & A) processes and explains how they interrelate. Outlining a user-friendly approach for top-down implementation of IT security, the book: Details an approach that simplifies the authorization process, yet still satisfies current federal government criteria Explains how to combine disparate processes into a unified risk management methodology Covers all the topics included in the Certified Authorization Professional (CAP®) Common Body of Knowledge (CBK®) Examines U.S. federal polices, including DITSCAP, NIACAP, CNSS, NIAP, DoD 8500.1 and 8500.2, and NIST FIPS Reviews the tasks involved in certifying and accrediting U.S. government information systems Chapters 1 through 7 describe each of the domains of the (ISC)2® CAP® CBK®. This is followed by a case study on the establishment of a successful system authorization program in a major U.S. government department. The final chapter considers the future of system authorization. The book's appendices include a collection of helpful samples and additional information to provide you with the tools to effectively secure your IT systems As the recognized leader in the field of information security education and certification, the (ISC) 2 promotes the development of information security professionals around the world. The Certified Information Systems Security Professional-Information Systems Security Management Professional (CISSP-ISSMP ) examination assesses individuals understanding of security management practices. Obtaining certification validates your ability to create and implement effective information security management programs that meet the security needs of todays organizations. Preparing professionals for certification and job readiness, the Official (ISC) 2 Guide to the ISSMP CBK supplies a complete overview of the management topics related to information security. It provides for an expanded enterprise model of security and management that delves into project management, risk management, and continuity planning. Facilitating the mastery of the five ISSEP domains required for certification, the book includes authoritative coverage of enterprise security management, enterprise-wide system development, compliance of operations security, business continuity planning, disaster recovery planning, as well as legal and ethical considerations. Representing over a century of combined experience working at the forefront of information security, the editor and distinguished team of contributors provide unprecedented coverage of the things you need to know to achieve certification. This book will not only help you prepare for the CISSP-ISSMP certification exam, but also provide you with a solid foundation to enhance your career pathwhether youre a seasoned security veteran or just starting out. Candidates for the CISSP-ISSAP professional certification need to not only demonstrate a thorough understanding of the six domains of the ISSAP CBK , but also the ability to apply this in-depth knowledge to develop a detailed security architecture that meets all requirements. Supplying an authoritative review of the key concepts and requirements of the ISSAP CBK , the Official (ISC) 2 Guide to the ISSAP CBK provides the practical understanding required to implement the latest security protocols to improve productivity, profitability, security, and efficiency. Encompassing all of the knowledge elements needed to create secure architectures, the text covers the six domains: Requirements Analysis, Access Control, Cryptography, Physical Security, BCP/DRP, and Telecommunications and Network Security. With chapters written by those shaping this relatively new and rapidly developing field, this book is the only officially endorsed guide to the CISSP-ISSAP CBK . Read it, study it, and refer to it often as it will help improve your chances of achieving certification the first time around. Following certification it will serve as an authoritative reference for constructing architectures that are compliant with the latest security requirements. The (ISC) Systems Security Certified Practitioner (SSCP) certification is one of the most important credentials an information security practitioner can have. Having helped thousands of people around the world obtain this distinguished certification, the bestselling Official (ISC)2 Guide to the SSCP CBK has quickly become the book that many of todays security practitioners depend on to attain and maintain the required competence in the seven domains of the (ISC) CBK. Picking up where the popular first edition left off, the Official (ISC)2 Guide to the SSCP CBK, Second Edition brings together leading IT security tacticians from around the world to discuss the critical role that policy, procedures, standards, and guidelines play within the overall information security management infrastructure. Offering step-by-step guidance through the seven domains of the SSCP CBK, the Through clear descriptions accompanied by easy-to-follow instructions and self-assessment questions, this book will help you establish the product-independent understanding of information security fundamentals required to attain SSCP certification. Following certification it will be a valuable guide to addressing real-world security implementation challenges. "There are many elements that make system authorization complex. This book focuses on the processes that must be employed by an organization to establish a system authorization program based on current federal government criteria. Although the roots of this book address various federal requirements, the process developed and presented can be used by nongovernment organizations to address compliance and the myriad laws, regulations, and standards currently driving information technology security. The key to reaching system authorization nirvana is understanding what is required and then implementing a methodology that will achieve those requirements. The top-down methodology presented in this book provides the reader with a practical approach for completion of such an undertaking. By demystifying government requirements, this book presents a simplified, practical approach to system authorization"-- Provided by publisher Candidates for the ISSAP® certification need to demonstrate a thorough understanding of the six domains of the ISSAP® CBK® as well as the ability to apply this in-depth knowledge to develop detailed security architectures. Supplying an authoritative review of key concepts and requirements of the ISSAP® CBK®, this official guide provides the practical understanding required to implement the latest security protocols. Encompassing all of the knowledge elements needed to create secure architectures, the text covers requirements analysis, access control, cryptography, physical security, BCP/DRP, a 1. Access controls / Paul Henry 2. Cryptography / Christopher M. Nowell 3. Malicious code / Ken Dunham 4. Monitoring and analysis / Mike Mackrill 5. Networks and telecommunications / Eric Waxvik and Samuel Chun 6. Security operations and administration / C. Karen Stopford 7. Risk, response, and recovery / Chris Trautwein.
دانلود کتاب راهنمای رسمی (ISC)² برای CAP® CBK®، ویرایش دوم