راهنمای ارزیابی، آزمایش و ارزیابی کنترلهای امنیتی
Security Controls Evaluation, Testing, and Assessment Handbook
معرفی کتاب «راهنمای ارزیابی، آزمایش و ارزیابی کنترلهای امنیتی» (با عنوان لاتین Security Controls Evaluation, Testing, and Assessment Handbook) نوشتهٔ Leighton Johnson، منتشرشده توسط نشر Academic Press در سال 2019. این کتاب در فرمت pdf، زبان انگلیسی ارائه شده است.
Security Controls Evaluation, Testing, and Assessment Handbook, Second Edition, provides a current and well-developed approach to evaluate and test IT security controls to prove they are functioning correctly. This handbook discusses the world of threats and potential breach actions surrounding all industries and systems. Sections cover how to take FISMA, NIST Guidance, and DOD actions, while also providing a detailed, hands-on guide to performing assessment events for information security professionals in US federal agencies. This handbook uses the DOD Knowledge Service and the NIST Families assessment guides as the basis for needs assessment, requirements and evaluation efforts. Provides direction on how to use SP800-53A, SP800-115, DOD Knowledge Service, and the NIST Families assessment guides to implement thorough evaluation efforts Shows readers how to implement proper evaluation, testing, assessment procedures and methodologies, with step-by-step walkthroughs of all key concepts Presents assessment techniques for each type of control, provides evidence of assessment, and includes proper reporting techniques Security Controls Evaluation, Testing, and Assessment Handbook Copyright Introduction Introduction for second edition 1. Introduction to assessments 2. Risk, security, and assurance Risk management Risk assessments Security controls Privacy 3. Statutory and regulatory GRC Statutory requirements Privacy Act-1974 CFAA-1986 ECPA-1986 CSA-1987 CCA-1996 HIPAA-1996 EEA-1996 GISRA-1998 USA PATRIOT ACT-2001 FISMA-2002 Sarbanes-Oxley (SOX)-2002 Health Information Technology Economic and Clinical Health Act (HITECH)-2009 Federal Information Security Modernization Act (FISMA 2.0)-2014 The Cybersecurity Enhancement Act (CEA)-2014 The Cybersecurity Information Sharing Act (CISA)-2015 National Cybersecurity Protection Advancement Act (CPAA)-2015 Executive Orders/Presidential Directives Federal processing standards FIPS-140-Security requirements for cryptographic modules FIPS-186-Digital Signature Standard (DSS) FIPS-197-Advanced Encryption Standard (AES) FIPS-199-Standards for security categorization of federal information and information systems FIPS-200-Minimum security requirements for federal information and information systems FIPS-201-Personal Identity Verification (PIV) of federal employees and contractors FIPS-202-SHA-3 standard: permutation-based hash and extendable-output functions Regulatory requirements DOD DODI 8500.01-cybersecurity DODI 8510.01-``Risk Management Framework (RMF) for DoD Information Technology (IT)'' CNSS CNSSI 1253-Security Categorization and Control Selection for National Security Systems CNSSI 1254-Risk management framework documentation, data element standards, and reciprocity process for national security s ... CNSSP 22-Policy on information assurance risk management for national security systems HHS HIPAA Security Rule HIPAA Privacy Rule HITECH breach reporting OMB requirements for each agency Circulars A-130, T-5-managing information as a strategic resource-July 2016 A-130, T-4, Appendix III-published in 2000 Memoranda M-02-01 Guidance for Preparing and Submitting Security Plans of Action and Milestones (Oct 2001) M04-04E-Authentication guidance for federal agencies M06-15 Safeguarding PII M06-19 PII reporting M07-16 Safeguarding against and responding to the breach of Personally Identifiable Information M10-15 FY 2010 Reporting instructions for the Federal Information Security Management Act and Agency Privacy Management M10-28 clarifying cybersecurity responsibilities and activities of the Executive Office of the President and the Department ... M14-03 and M14-04 4. Federal Risk Management Framework requirements Federal civilian agencies DOD-DIACAP-RMF for DOD IT IC-ICD 503 FedRAMP NIST Cybersecurity Framework 5. Risk Management Framework Step 0-preparation Step 1-categorization Step 2-selection Step 3-implementation Step 4-assessment Step 5-authorization Step 6-monitoring Continuous monitoring for current systems 6. Roles and responsibilities Organizational roles White house Congress OMB NIST CNSS NSA NIAP DHS DOD Individual roles System owner Authorization official Information system security or privacy officer Systems security or privacy engineer Security or privacy architect Common control provider Authorizing official designated representative Information owner/steward Risk executive (function) User Representative Agency head Security control assessor Senior information security officer Chief information officer Chief acquisition officer Enterprise architect Mission or business owner Senior accountable official for risk management Senior agency official for privacy System administrator System user DOD roles 7. Assessment process Focus Guidance SP 800-53A RMF step 4-assess security controls TASK A-1: ASSESSOR SELECTION-select the appropriate assessor or assessment team for the type of control assessment to be co ... Primary role of responsibility: authorizing official TASK A-2: ASSESSMENT PREPARATION-Develop, review, and approve a plan to assess the security controls Primary role of responsibility: security control assessor, authorizing official TASK A-3: SECURITY CONTROL ASSESSMENT-Assess the security controls in accordance with the assessment procedures defined in ... Primary role of responsibility: security control assessor TASK A-4: SECURITY ASSESSMENT REPORT-Prepare the security assessment report documenting the issues, findings, and recommend ... Primary role of responsibility: security control assessor TASK A-4: REMEDIATION ACTIONS-Conduct initial remediation actions on security controls based on the findings and recommenda ... Primary roles of responsibility: information system owner or common control provider; security control assessor TASK A-5: PLAN OF ACTION AND MILESTONES-Prepare the plan of action and milestones based on the findings and recommendations ... Primary roles of responsibility: information system owner or common control provider SP 800-37, rev. 2 ∗∗NOTE∗∗ SP 800-115 RMF Knowledge Service ISO 27001/27002 ISO/IEC 27007:2011 information technology-Security techniques-Guidelines for information security management systems auditing ISO/IEC TR 27008:2011 Information technology-Security techniques-Guidelines for auditors on information security management ... SP 800-171A, Assessing security requirements for Controlled Unclassified Information 8. Assessment methods Evaluation methods and their attributes Processes Interviews Examinations Observations Document reviews Testing Automated Manual CUI assessment process 9. Assessment techniques for each kind of control Security assessment plan developmental process Develop security assessment policy Prioritize and schedule assessment Select and customize testing techniques Determine logistics of assessment Develop the assessment plan Address legal considerations Security assessment actions NIST SP 800-53, rev. 4 controls Security controls by family Access Control (AC) family Awareness and Training (AT) family Audit and Accountability (AU) family Assessment and Authorization (CA) family Configuration Management (CM) family Contingency Planning family Identification and Authentication family Incident Response family Maintenance family Media Protection family Physical and Environmental family Planning family Program Management family Personnel Security family Risk Assessment family Systems Acquisition family Systems and Communication Protection family Systems Integrity family Privacy controls DOD specific controls ISO 27001/27002 specific controls SP 800-171 CUI specific controls 10. System and network assessments 800-115 Introduction Assessment techniques Network testing purpose and scope ACL reviews System defined reviews Testing roles and responsibilities Security testing techniques Network Scanning Network Scanning (sniffing) Port scanning Network services discovery Banner grabbing Vulnerability scanning Password cracking Identifies weak passwords Stored and transmitted in encrypted form Dictionary attack/hybrid attack/brute force Theoretically all passwords are ``crackable'' ``LanMan'' password hashes Log Reviews File integrity checkers Antivirus protection/virus detectors War dialing Wireless LAN testing Penetration testing Overt or Covert Testing Four phases of penetration testing Planning Discovery Attack Reporting Posttest actions to be taken General schedule for testing categories 11. Security component fundamentals for assessment Management areas of consideration Management controls PM-program management Information security program plan Critical infrastructure plan Essential services that underpin American society Industrial control systems characteristics Information security resources Measures of performance (SP 800-55) Measures of performance Metric types Metrics development process Federal Enterprise Architecture SA-system and services acquisition Security services life cycle General considerations for security services Information security and external parties CA-security assessment and authorization PL-planning family and family plans System security plan Rules of behavior Information security hardware RA-risk assessment family Risk management Security categorization Risk and vulnerability assessments RA-5 vulnerability scanning Operational areas of consideration Operational security controls key concepts Awareness and training Training Continuum Awareness Training Education Configuration management The phases of security-focused configuration management A Planning B Identifying and implementing configurations C Controlling configuration changes D Monitoring Contingency planning Contingency-related plan relationships A. Seven steps to contingency planning as defined in SP 800-34 B. BIA requirements C. Numbers that matter-critical recovery numbers D. Recovery strategies E. SP 800-82 guide to test, training, and exercise programs for IT plans and capabilities Test Training Exercises Tabletop Functional F. Contingency plan testing Incident response SP 800-61-computer security incident handling guide Incident handling Preparation Detection and analysis Containment, eradication, and recovery Postincident activity Federal agency incident categories Federal agency incident categories A ``Organizations must create, provision, and operate a formal incident response capability. Federal law requires Federal age ... B Organizations should reduce the frequency of incidents by effectively securing networks, systems, and applications C Organizations should document their guidelines for interactions with other organizations regarding incidents D Organizations should be generally prepared to handle any incident but should focus on being prepared to handle incidents th ... E Organizations should emphasize the importance of incident detection and analysis throughout the organization F Organizations should create written guidelines for prioritizing incidents G Organizations should use the lessons learned process to gain value from incidents System maintenance Encryption standards for use and review in federal systems A. Security level 1 B. Security level 2 C. Security level 3 D. Security level 4 E. Advanced encryption standard Media protection Media sanitation Types of media Sanitization and disposition decision flow Storage encryption technologies Physical security Personnel security Staffing Systems integrity Malware incident prevention and handling Malware categories Email security-spam Technical areas of consideration Access control Logical access controls Paths of logical access General points of entry Logical access control software Logical access control software functionality A General operating system access control functions include B Database and/or application-level access control functions include Identification and authentication Log-on IDs and passwords Token devices, one-time passwords Biometrics Management of biometrics Single sign-on (SSO) Systems and communications protection Network layer security VPN IPSec VPN-SP 800-77 VPN model comparison IPsec Fundamentals Authentication header (AH) AH modes Encapsulating security payload (ESP) Internet Key Exchange (IKE) IP Payload Compression Protocol (IPComp) SSL VPNs-SP 800-113 SSL portal VPNs SSL tunnel VPNs Administering SSL VPN SSL VPN architecture SSL VPN architecture SSL protocol basics Versions of SSL and TLS Cryptography used in SSL sessions Authentication used for identifying SSL servers Transport layer security (TLS) Wireless networking Cryptography Three types of encryption as currently used in security controls Symmetric Symmetric algorithms Asymmetric Asymmetric algorithms Hashing Secure hash Secure hash standard HMAC Intrusion detection systems Common intrusion detection methodologies Signature-based detection Anomaly-based detection Stateful protocol analysis Uses of IDPS technologies Firewalls Firewall security systems-SP 800-41 Firewall general features Firewall types Packet filtering Application firewall systems Stateful inspection Circuit or application proxy Firewall utilization Examples of firewall implementations Audit and accounting Log management SIEM 12. Cybersecurity framework CSF core components Cybersecurity framework components CSF functions Categories and subcategories CSF categories, subcategories, and related informative references Implementation tiers Different view of the implementation tiers Framework profile Sample profile Implementing and assessing security via the Cybersecurity Framework Framework maturity tiers Tier 1: Partial Tier 2: Risk Informed Tier 3: Repeatable Tier 4: Adaptive Current and Target Profiles Risk assessment Results Comparison to another baseline Current Profile Capability Claim Confidence Target Profile 13. Controlled unclassified information assessment CUI control assessment criteria 14. Evidence of assessment Types of evidence Physical examination/inspection Confirmation Documentation Analytical procedures Sampling Type of controls and sample size Interviews of the users/developers/customers Reuse of previous work Automatic test results Observation Documentation requirements Trustworthiness 15. Reporting Key elements for assessment reporting The assessment findings Security assessment report Appendix A: Detailed security assessment results Risk assessment report Executive summary Body of the report Appendices Artifacts as reports Privacy risk assessment report Remediation efforts during and subsequent to assessment POA&Ms 16. Conclusion Acronym List FedRAMP assessment process and templates . Executive summary . Table of contents . How to contact us . Access control (AC) AC-1 AC-2 AC-2 (1) AC-2 (2) AC-2 (3) AC-2 (4) AC-2 (5) AC-2 (7) AC-2 (9) AC-2 (10) AC-2 (12) AC-3 AC-4 AC-4 (21) AC-5 AC-6 AC-6 (1) AC-6 (2) AC-6 (5) AC-6 (9) AC-6 (10) AC-7 AC-8 AC-10 AC-11 AC-11 (1) AC-12 AC-14 AC-17 AC-17 (1) AC-17 (2) AC-17 (3) AC-17 (4) AC-17 (9) AC-18 AC-18 (1) AC-19 AC-19 (5) AC-20 AC-20 (1) AC-20 (2) AC-21 AC-22 . Awareness and training (AT) AT-1 AT-2 AT-2 (2) AT-3 AT-4 . Audit and accountability (AU) AU-1 AU-2 AU-2 (3) AU-3 AU-3 (1) AU-4 AU-5 AU-6 AU-6 (1) AU-6 (3) AU-7 AU-7 (1) AU-8 AU-8 (1) AU-9 AU-9 (2) AU-9 (4) AU-11 AU-12 . Security assessment and authorization (CA) CA-1 CA-2 CA-2 (1) CA-2 (2) CA-2 (3) CA-3 CA-2 (2) CA-2 (3) CA-3 (3) CA-3 (5) CA-5 CA-6 CA-7 CA-7 (1) CA-8 CA-8 (1) CA-9 . Configuration management (CM) CM-1 CM-2 CM-2 (1) CM-2 (2) CM-2 (3) CM-2 (7) CM-3 CM-4 CM-5 CM-5 (1) CM-5 (3) CM-5 (5) CM-6 CM-6 (1) CM-7 CM-7 (1) CM-7 (2) CM-7 (5) CM-8 CM-8 (1) CM-8 (3) CM-8 (5) CM-9 CM-10 CM-10 (1) CM-11 . Contingency planning (CP) CP-1 CP-2 CP-2 (1) CP-2 (2) CP-2 (3) CP-2 (8) CP-3 CP-4 CP-4 (1) CP-6 CP-6 (1) CP-6 (3) CP-7 CP-7 (1) CP-7 (2) CP-7 (3) CP-8 CP-8 (1) CP-8 (2) CP-9 CP-9 (1) CP-9 (3) CP-10 CP-10 (2) . Identification and authentication (IA) IA-1 IA-2 IA-2 (1) IA-2 (2) IA-2 (3) IA-2 (5) IA-2 (8) IA-2 (11) IA-2 (12) IA-3 IA-4 IA-4 (4) IA-5 IA-5 (1) IA-5 (2) IA-5 (3) IA-5 (4) IA-5 (6) IA-5 (7) IA-5 (11) IA-6 IA-7 IA-8 IA-8 (1) IA-8 (2) IA-8 (3) IA-8 (4) . Incident response (IR) IR-1 IR-2 IR-3 IR-3 (2) IR-4 IR-5 IR-6 IR-6 (1) IR-7 IR-7 (1) IR-7 (2) IR-8 IR-9 (1) IR-9 (2) IR-9 (3) IR-9 (4) . Maintenance (MA) MA-1 MA-2 MA-3 MA-3 (1) MA-3 (2) MA-3 (3) MA-4 MA-4 (2) MA-5 MA-5 (1) MA-6 . Media protection (MP) MP-1 MP-2 MP-3 MP-4 MP-5 MP-5 (4) MP-6 MP-6 (2) MP-7 MP-7 (1) . Physical and environmental protection (PE) PE-1 PE-2 PE-3 PE-4 PE-5 PE-6 PE-6 (1) PE-8 PE-9 PE-10 PE-11 PE-12 PE-13 PE-13 (2) PE-13 (3) PE-14 PE-14 (2) PE-15 PE-16 PE-17 . Planning (PL) PL-1 PL-2 PL-2 (3) PL-4 PL-4 (1) PL-8 . Personnel security (PS) PS-1 PS-2 PS-3 PS-3 (3) PS-4 PS-5 PS-6 PS-7 PS-8 . Risk assessment (RA) RA-1 RA-2 RA-3 RA-5 RA-5 (1) RA-5 (2) RA-5 (3) RA-5 (5) RA-5 (6) RA-5 (8) . System and services acquisition (SA) SA-1 SA-2 SA-3 SA-4 SA-4 (1) SA-4 (2) SA-4 (8) SA-4 (9) SA-4 (10) SA-5 SA-8 SA-9 SA-9 (1) SA-9 (2) SA-9 (4) SA-9 (5) SA-10 SA-10 (1) SA-11 SA-11 (1) SA-11 (2) SA-11 (8) . System and communications protection (SC) SC-1 SC-2 SC-4 SC-5 SC-6 SC-7 SC-7 (3) SC-7 (4) SC-7 (6) SC-7 (7) SC-7 (8) SC-7 (12) SC-7 (13) SC-7 (18) SC-8 SC-8 (1) SC-10 SC-12 SC-12 (2) SC-12 (3) SC-13 SC-15 SC-17 SC-18 SC-19 SC-20 SC-21 SC-22 SC-23 SC-28 SC-28 (1) SC-39 . System and information integrity (SI) SI-1 SI-2 SI-2 (2) SI-2 (3) SI-3 SI-3 (1) SI-3 (2) SI-3 (7) SI-4 SI-4 (1) SI-4 (2) SI-4 (4) SI-4 (5) SI-4 (14) SI-4 (16) SI-4 (23) SI-5 SI-6 SI-7 SI-7 (1) SI-7 (7) SI-8 SI-8 (1) SI-8 (2) SI-10 SI-11 SI-12 SI-16 Templates for testing and evaluation reports Index A B C D E F G H I K L M N O P R S T U V W X "Security Controls Evaluation, Testing, and Assessment Handbook provides a current and well-developed approach to evaluation and testing of security controls to prove they are functioning correctly in today's IT systems. This handbook shows you how to evaluate, examine, and test installed security controls in the world of threats and potential breach actions surrounding all industries and systems. If a system is subject to external or internal threats and vulnerabilities - which most are - then this book will provide a useful handbook for how to evaluate the effectiveness of the security controls that are in place. Security Controls Evaluation, Testing, and Assessment Handbook shows you what your security controls are doing and how they are standing up to various inside and outside threats. This handbook provides guidance and techniques for evaluating and testing various computer security controls in IT systems. Author Leighton Johnson shows you how to take FISMA, NIST Guidance, and DOD actions and provide a detailed, hands-on guide to performing assessment events for information security professionals who work with US federal agencies. As of March 2014, all agencies are following the same guidelines under the NIST-based Risk Management Framework. This handbook uses the DOD Knowledge Service and the NIST Families assessment guides as the basis for needs assessment, requirements, and evaluation efforts for all security controls. Each of the controls can and should be evaluated in its own unique way, through testing, examination, and key personnel interviews"-- Provided by publisher
دانلود کتاب راهنمای ارزیابی، آزمایش و ارزیابی کنترلهای امنیتی