
Download the book Official (ISC)2® Guide to the ISSMP® CBK®

Book details

Official (ISC)2® Guide to the ISSMP® CBK®

Edition: 1
Authors: ,
Series: (ISC)2 Press
ISBN: 9781420094435, 9781420094442
Publisher: CRC Press
Year of publication: 2011
Number of pages: 454
Language: English
File format: PDF (converted to PDF, EPUB, or AZW3 on user request)
File size: 3 MB

Book price (Toman): 53,000



Keywords related to the book Official (ISC)2® Guide to the ISSMP® CBK®: Computer architecture -- Examinations -- Study guides, Computer networks -- Examinations -- Study guides, Computer security -- Examinations -- Study guides, Electronic data processing personnel -- Certification.





If you need the file of the book Official (ISC)2® Guide to the ISSMP® CBK® converted to PDF, EPUB, AZW3, MOBI, or DJVU format, you can notify support so that they convert the file.

Note that the book Official (ISC)2® Guide to the ISSMP® CBK® is the original-language edition and is not a Persian translation. The International Library website offers original-language books and does not offer any books translated into or written in Persian.


Description of the book in the original language



Table of contents

Contents:

Security Authorization of Information Systems

Introduction
Legal and Regulatory Framework for System Authorization; External Program Drivers; System-Level Security; Defining System Authorization; Resistance to System Authorization; Benefits of System Authorization

Key Elements of an Enterprise System Authorization Program
The Business Case; Goal Setting; Tasks and Milestones; Program Oversight; Visibility; Resources; Program Guidance; Special Issues; Program Integration; System Authorization Points of Contact; Measuring Progress; Managing Program Activities; Monitoring Compliance; Providing Advice and Assistance; Responding to Changes; Program Awareness, Training, and Education; Using Expert Systems; Waivers and Exceptions

NIST Special Publication 800-37, Revision 1, and the Application of the Risk Management Framework to Systems
Overview; Authority and Scope; Purpose and Applicability; Target Audience

Fundamentals of Information System Risk Management According to NIST SP 800-37, Revision 1
Guidance on Organization-Wide Risk Management; Organization Level (Tier 1); Mission/Business Process Level (Tier 2); Information System Level (Tier 3); Guidance on Risk Management in the System Development Life Cycle; NIST's Risk Management Framework; Guidance on System Boundary Definition; Guidance on Software Application Boundaries; Guidance on Complex Systems; Guidance on the Impact of Technological Changes on System Boundaries; Guidance on Dynamic Subsystems; Guidance on External Subsystems; Guidance on Security Control Allocation; Guidance on Applying the Risk Management Framework; Summary of NIST Guidance

System Authorization Roles and Responsibilities
Primary Roles and Responsibilities; Other Roles and Responsibilities; Additional Roles and Responsibilities from NIST SP 800-37, Revision 1; Documenting Roles and Responsibilities; Job Descriptions; Position Sensitivity Designations; Personnel Transition; Time Requirements; Expertise Requirements; Using Contractors; Routine Duties; Organizational Skills; Organizational Placement of the System Authorization Function

The System Authorization Life Cycle
Initiation Phase; Acquisition/Development Phase; Implementation Phase; Operations/Maintenance Phase; Disposition Phase; Challenges to Implementation

Why System Authorization Programs Fail
Program Scope; Assessment Focus; Short-Term Thinking; Long-Term Thinking; Poor Planning; Lack of Responsibility; Excessive Paperwork; Lack of Enforcement; Lack of Foresight; Poor Timing; Lack of Support

System Authorization Project Planning
Planning Factors; Dealing with People; Team Member Selection; Scope Definition; Assumptions; Risks; Project Agreements; Project Team Guidelines; Administrative Requirements; Reporting; Other Tasks; Project Kickoff; Wrap-Up; Observations

The System Inventory Process
Responsibility; System Identification; Small Systems; Complex Systems; Combining Systems; Accreditation Boundaries; The Process; Validation; Inventory Information; Inventory Tools; Using the Inventory; Maintenance; Observations

Interconnected Systems
The Solution; Agreements in the System Authorization Process; Trust Relationships; Initiation; Time Issues; Exceptions; Maintaining Agreements; Security Authorization of Information Systems: Review Questions

Information System Categorization
Introduction; Defining Sensitivity; Data Sensitivity and System Sensitivity; Sensitivity Assessment Process; Data Classification Approaches; Responsibility for Data Sensitivity Assessment; Ranking Data Sensitivity; National Security Information; Criticality; Criticality Assessment; Criticality in the View of the System Owner; Ranking Criticality; Changes in Criticality and Sensitivity

NIST Guidance on System Categorization
Task 1-1: Categorize and Document the Information System; Task 1-2: Describe the Information System; Task 1-3: Register the Information System; Information System Categorization: Review Questions

Establishment of the Security Control Baseline
Introduction; Minimum Security Baselines and Best Practices; Security Controls; Levels of Controls; Selecting Baseline Controls; Use of the Minimum Security Baseline Set; Common Controls; Observations

Assessing Risk
Background; Risk Assessment in System Authorization; The Risk Assessment Process; Step 1: System Characterization; Step 2: Threat Identification; Step 3: Vulnerability Identification; Step 4: Control Analysis; Step 5: Likelihood Determination; Step 6: Impact Analysis; Step 7: Risk Determination; Step 8: Control Recommendations; Step 9: Results Documentation; Conducting the Risk Assessment; Risk Categorization; Documenting Risk Assessment Results; Using the Risk Assessment; Overview of NIST Special Publication 800-30, Revision 1; Observations

System Security Plans
Applicability; Responsibility; Plan Contents; What a Security Plan Is Not; Plan Initiation; Information Sources; Security Plan Development Tools; Plan Format; Plan Approval; Plan Maintenance; Plan Security; Plan Metrics; Resistance to Security Planning; Observations

NIST Guidance on Security Controls Selection
Task 2-1: Identify Common Controls; Task 2-2: Select Security Controls; Task 2-3: Develop Monitoring Strategy; Task 2-4: Approve Security Plan; Establishment of the Security Control Baseline: Review Questions

Application of Security Controls

Introduction

Security Procedures
Purpose; The Problem with Procedures; Responsibility; Procedure Templates; Process for Developing Procedures; Style; Formatting; Access; Maintenance; Common Procedures; Procedures in the System Authorization Process; Observations

Remediation Planning
Managing Risk; Applicability of the Remediation Plan; Responsibility for the Plan; Risk Remediation Plan Scope; Plan Format; Using the Plan; When to Create the Plan; Risk Mitigation Meetings; Observations

NIST Guidance on Implementation of Security Controls
Task 3-1: Implement Security Controls; Task 3-2: Document Security Control Implementation; Application of Security Controls: Review Questions

Assessment of Security Controls
Introduction; Scope of Testing; Level of Effort; Assessor Independence; Developing the Test Plan; The Role of the Host; Test Execution; Documenting Test Results

NIST Guidance on Assessment of Security Control Effectiveness
Task 4-1: Prepare for Controls Assessment; Task 4-2: Assess Security Controls; Task 4-3: Prepare Security Assessment Report; Task 4-4: Conduct Remediation Actions; Assessment of Security Controls: Review Questions

Information System Authorization

Introduction

System Authorization Decision Making
The System Authorization Authority; Authorization Timing; The Authorization Letter; Authorization Decisions; Designation of Approving Authorities; Approving Authority Qualifications; Authorization Decision Process; Actions Following Authorization; Observations

Essential System Authorization Documentation
Authority; System Authorization Package Contents; Excluded Documentation; The Certification Statement; Transmittal Letter; Administration; Observations

NIST Guidance on Authorization of Information Systems
Task 5-1: Prepare Plan of Action and Milestones; Task 5-2: Prepare Security Authorization Package; Task 5-3: Conduct Risk Determination; Task 5-4: Perform Risk Acceptance

Security Controls Monitoring

Introduction

Continuous Monitoring
Configuration Management/Configuration Control; Security Controls Monitoring; Status Reporting and Documentation; Key Roles in Continuous Monitoring; Reaccreditation Decision

NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the Information System
Task 6-1: Analyze Impact of Information System and Environment Changes; Task 6-2: Conduct Ongoing Security Control Assessments; Task 6-3: Perform Ongoing Remediation Actions; Task 6-4: Perform Key Updates; Task 6-5: Report Security Status; Task 6-6: Perform Ongoing Risk Determination and Acceptance; Task 6-7: Information System Removal and Decommissioning; Security Controls Monitoring: Review Questions

System Authorization Case Study
Situation; Action Plan; Lessons Learned; Tools; Document Templates; Coordination; Role of the Inspector General; Compliance Monitoring; Measuring Success; Project Milestones; Interim Accreditation; Management Support and Focus; Results and Future Challenges

The Future of Information System Authorization

Appendix A: References
Appendix B: Glossary
Appendix C: Sample Statement of Work
Appendix D: Sample Project Work Plan
Appendix E: Sample Project Kickoff Presentation Outline
Appendix F: Sample Project Wrap-Up Presentation Outline
Appendix G: Sample System Inventory Policy
Appendix H: Sample Business Impact Assessment
Appendix I: Sample Rules of Behavior (General Support System)
Appendix J: Sample Rules of Behavior (Major Application)
Appendix K: Sample System Security Plan Outline
Appendix L: Sample Memorandum of Understanding
Appendix M: Sample Interconnection Security Agreement
Appendix N: Sample Risk Assessment Outline
Appendix O: Sample Security Procedure
Appendix P: Sample Certification Test Results Matrix
Appendix Q: Sample Risk Remediation Plan
Appendix R: Sample Certification Statement
Appendix S: Sample Accreditation Letter
Appendix T: Sample Interim Accreditation Letter
Appendix U: Certification and Accreditation Professional (CAP(R)) Common Body of Knowledge (CBK(R))
Appendix V: Answers to Review Questions



