Significant developments since the publication of its bestselling predecessor, Building and Implementing a Security Certification and Accreditation Program, warrant an updated text as well as an updated title. Reflecting recent updates to the Certified Authorization Professional (CAP®) Common Body of Knowledge (CBK®) and NIST SP 800-37, the Official (ISC)2® Guide to the CAP® CBK®, Second Edition provides readers with the tools to effectively secure their IT systems via standard, repeatable processes.
Derived from the author’s decades of experience, including time as the CISO for the Nuclear Regulatory Commission, the Department of Housing and Urban Development, and the National Science Foundation’s Antarctic Support Contract, the book describes what it takes to build a system security authorization program at the organizational level in both public and private organizations. It analyzes the full range of system security authorization (formerly C&A) processes and explains how they interrelate. Outlining a user-friendly approach for top-down implementation of IT security, the book:
- Details an approach that simplifies the authorization process, yet still satisfies current federal government criteria
- Explains how to combine disparate processes into a unified risk management methodology
- Covers all the topics included in the Certified Authorization Professional (CAP®) Common Body of Knowledge (CBK®)
- Examines U.S. federal policies, including DITSCAP, NIACAP, CNSS, NIAP, DoD 8500.1 and 8500.2, and NIST FIPS
- Reviews the tasks involved in certifying and accrediting U.S. government information systems
Chapters 1 through 7 describe each of the domains of the (ISC)2® CAP® CBK®. This is followed by a case study on the establishment of a successful system authorization program in a major U.S. government department. The final chapter considers the future of system authorization. The book’s appendices include a collection of helpful samples and additional information to provide you with the tools to effectively secure your IT systems.
Security Authorization of Information Systems
Introduction
Legal and Regulatory Framework for System Authorization
External Program Drivers
System-Level Security
Defining System Authorization
Resistance to System Authorization
Benefits of System Authorization
Key Elements of an Enterprise System Authorization Program
The Business Case
Goal Setting
Tasks and Milestones
Program Oversight
Visibility
Resources
Program Guidance
Special Issues
Program Integration
System Authorization Points of Contact
Measuring Progress
Managing Program Activities
Monitoring Compliance
Providing Advice and Assistance
Responding to Changes
Program Awareness, Training, and Education
Using Expert Systems
Waivers and Exceptions
NIST Special Publication 800-37, Revision 1, and the Application of the Risk Management Framework to Systems
Overview
Authority and Scope
Purpose and Applicability
Target Audience
Fundamentals of Information System Risk Management According to NIST SP 800-37, Revision 1
Guidance on Organization-Wide Risk Management
Organization Level (Tier 1)
Mission/Business Process Level (Tier 2)
Information System Level (Tier 3)
Guidance on Risk Management in the System Development Life Cycle
NIST’s Risk Management Framework
Guidance on System Boundary Definition
Guidance on Software Application Boundaries
Guidance on Complex Systems
Guidance on the Impact of Technological Changes on System Boundaries
Guidance on Dynamic Subsystems
Guidance on External Subsystems
Guidance on Security Control Allocation
Guidance on Applying the Risk Management Framework
Summary of NIST Guidance
System Authorization Roles and Responsibilities
Primary Roles and Responsibilities
Other Roles and Responsibilities
Additional Roles and Responsibilities from NIST SP 800-37, Revision 1
Documenting Roles and Responsibilities
Job Descriptions
Position Sensitivity Designations
Personnel Transition
Time Requirements
Expertise Requirements
Using Contractors
Routine Duties
Organizational Skills
Organizational Placement of the System Authorization Function
The System Authorization Life Cycle
Initiation Phase
Acquisition/Development Phase
Implementation Phase
Operations/Maintenance Phase
Disposition Phase
Challenges to Implementation
Why System Authorization Programs Fail
Program Scope
Assessment Focus
Short-Term Thinking
Long-Term Thinking
Poor Planning
Lack of Responsibility
Excessive Paperwork
Lack of Enforcement
Lack of Foresight
Poor Timing
Lack of Support
System Authorization Project Planning
Planning Factors
Dealing with People
Team Member Selection
Scope Definition
Assumptions
Risks
Project Agreements
Project Team Guidelines
Administrative Requirements
Reporting
Other Tasks
Project Kickoff
Wrap-Up
Observations
The System Inventory Process
Responsibility
System Identification
Small Systems
Complex Systems
Combining Systems
Accreditation Boundaries
The Process
Validation
Inventory Information
Inventory Tools
Using the Inventory
Maintenance
Observations
Interconnected Systems
The Solution
Agreements in the System Authorization Process
Trust Relationships
Initiation
Time Issues
Exceptions
Maintaining Agreements
Security Authorization of Information Systems: Review Questions
Information System Categorization
Introduction
Defining Sensitivity
Data Sensitivity and System Sensitivity
Sensitivity Assessment Process
Data Classification Approaches
Responsibility for Data Sensitivity Assessment
Ranking Data Sensitivity
National Security Information
Criticality
Criticality Assessment
Criticality in the View of the System Owner
Ranking Criticality
Changes in Criticality and Sensitivity
NIST Guidance on System Categorization
Task 1-1: Categorize and Document the Information System
Task 1-2: Describe the Information System
Task 1-3: Register the Information System
Information System Categorization: Review Questions
Establishment of the Security Control Baseline
Introduction
Minimum Security Baselines and Best Practices
Security Controls
Levels of Controls
Selecting Baseline Controls
Use of the Minimum Security Baseline Set
Common Controls
Observations
Assessing Risk
Background
Risk Assessment in System Authorization
The Risk Assessment Process
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Likelihood Determination
Step 6: Impact Analysis
Step 7: Risk Determination
Step 8: Control Recommendations
Step 9: Results Documentation
Conducting the Risk Assessment
Risk Categorization
Documenting Risk Assessment Results
Using the Risk Assessment
Overview of NIST Special Publication 800-30, Revision 1
Observations
System Security Plans
Applicability
Responsibility
Plan Contents
What a Security Plan Is Not
Plan Initiation
Information Sources
Security Plan Development Tools
Plan Format
Plan Approval
Plan Maintenance
Plan Security
Plan Metrics
Resistance to Security Planning
Observations
NIST Guidance on Security Controls Selection
Task 2-1: Identify Common Controls
Task 2-2: Select Security Controls
Task 2-3: Develop Monitoring Strategy
Task 2-4: Approve Security Plan
Establishment of the Security Control Baseline: Review Questions
Application of Security Controls
Introduction
Security Procedures
Purpose
The Problem with Procedures
Responsibility
Procedure Templates
Process for Developing Procedures
Style
Formatting
Access
Maintenance
Common Procedures
Procedures in the System Authorization Process
Observations
Remediation Planning
Managing Risk
Applicability of the Remediation Plan
Responsibility for the Plan
Risk Remediation Plan Scope
Plan Format
Using the Plan
When to Create the Plan
Risk Mitigation Meetings
Observations
NIST Guidance on Implementation of Security Controls
Task 3-1: Implement Security Controls
Task 3-2: Document Security Control Implementation
Application of Security Controls: Review Questions
Assessment of Security Controls
Scope of Testing
Level of Effort
Assessor Independence
Developing the Test Plan
The Role of the Host
Test Execution
Documenting Test Results
NIST Guidance on Assessment of Security Control Effectiveness
Task 4-1: Prepare for Controls Assessment
Task 4-2: Assess Security Controls
Task 4-3: Prepare Security Assessment Report
Task 4-4: Conduct Remediation Actions
Assessment of Security Controls: Review Questions
Information System Authorization
Introduction
System Authorization Decision Making
The System Authorization Authority
Authorization Timing
The Authorization Letter
Authorization Decisions
Designation of Approving Authorities
Approving Authority Qualifications
Authorization Decision Process
Actions Following Authorization
Observations
Essential System Authorization Documentation
Authority
System Authorization Package Contents
Excluded Documentation
The Certification Statement
Transmittal Letter
Administration
Observations
NIST Guidance on Authorization of Information Systems
Task 5-1: Prepare Plan of Action and Milestones
Task 5-2: Prepare Security Authorization Package
Task 5-3: Conduct Risk Determination
Task 5-4: Perform Risk Acceptance
Security Controls Monitoring
Introduction
Continuous Monitoring
Configuration Management/Configuration Control
Security Controls Monitoring
Status Reporting and Documentation
Key Roles in Continuous Monitoring
Reaccreditation Decision
NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the Information System
Task 6-1: Analyze Impact of Information System and Environment Changes
Task 6-2: Conduct Ongoing Security Control Assessments
Task 6-3: Perform Ongoing Remediation Actions
Task 6-4: Perform Key Updates
Task 6-5: Report Security Status
Task 6-6: Perform Ongoing Risk Determination and Acceptance
Task 6-7: Information System Removal and Decommissioning
Security Controls Monitoring: Review Questions
System Authorization Case Study
Situation
Action Plan
Lessons Learned
Tools
Document Templates
Coordination
Role of the Inspector General
Compliance Monitoring
Measuring Success
Project Milestones
Interim Accreditation
Management Support and Focus
Results and Future Challenges
The Future of Information System Authorization
Appendix A: References
Appendix B: Glossary
Appendix C: Sample Statement of Work
Appendix D: Sample Project Work Plan
Appendix E: Sample Project Kickoff Presentation Outline
Appendix F: Sample Project Wrap-Up Presentation Outline
Appendix G: Sample System Inventory Policy
Appendix H: Sample Business Impact Assessment
Appendix I: Sample Rules of Behavior (General Support System)
Appendix J: Sample Rules of Behavior (Major Application)
Appendix K: Sample System Security Plan Outline
Appendix L: Sample Memorandum of Understanding
Appendix M: Sample Interconnection Security Agreement
Appendix N: Sample Risk Assessment Outline
Appendix O: Sample Security Procedure
Appendix P: Sample Certification Test Results Matrix
Appendix Q: Sample Risk Remediation Plan
Appendix R: Sample Certification Statement
Appendix S: Sample Accreditation Letter
Appendix T: Sample Interim Accreditation Letter
Appendix U: Certification and Accreditation Professional (CAP®) Common Body of Knowledge (CBK®)
Appendix V: Answers to Review Questions
Biography
Patrick D. Howard, CISSP, CISM, is a senior consultant for SecureInfo, a Kratos Company. He has over 40 years' experience in security, including 20 years' service as a U.S. Army Military Police officer, and has specialized in information security since 1989. Mr. Howard began his service as the Chief Information Security Officer for the National Science Foundation’s Antarctic Support Contract in Centennial, Colorado, in March 2012. He previously served as CISO for the Nuclear Regulatory Commission in Rockville, Maryland, from 2008 to 2012, and for the Department of Housing and Urban Development from 2005 to 2008. Mr. Howard was named a Fed 100 winner in 2007, and is the author of three information security books: The Total CISSP Exam Prep Book, 2002; Building and Implementing a Security Certification and Accreditation Program, 2006; and Beyond Compliance: FISMA Principles and Best Practices, 2011. He is a member of the International Information Systems Security Certification Consortium’s Government Advisory Board and Executive Writer’s Bureau, which he chairs. Mr. Howard is also an adjunct professor of Information Assurance at Walsh College, Troy, Michigan. He graduated with a Bachelor’s degree from the University of Oklahoma in 1971 and a Master’s degree from Boston University in 1984.
Praise for the popular first edition:
This book focuses on the processes that must be employed by an organization to establish a certification and accreditation program based on current federal government criteria… Pat has structured this book to address the key issues in certification and accreditation, including roles and responsibilities, the life cycle, and even a discussion of pitfalls to avoid. As with all of Pat’s work, he provides the reader with practical information on what works and what does not … Even if government certification and accreditation is not your concern, the new ISO 27002 (formerly ISO17799) will require all of us to look for a process to make certification and accreditation bearable. Pat has succeeded in doing just that with this practical and readable book.
—Thomas R. Peltier, Peltier Associates, Member of the ISSA Hall of Fame