Edition:
Authors: Patrick D Howard
Series: (ISC)2 Press series
ISBN: 9781439820766, 1439820767
Publisher: Auerbach Publications
Year of publication: 2012
Number of pages: 452
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on user request)
File size: 4 MB
To have the book Official (ISC)² guide to the CAP CBK converted to PDF, EPUB, AZW3, MOBI or DJVU, notify support and they will convert the file.
"There are many elements that make system authorization complex. This book focuses on the processes that must be employed by an organization to establish a system authorization program based on current federal government criteria. Although the roots of this book address various federal requirements, the process developed and presented can be used by nongovernment organizations to address compliance and the myriad laws, regulations, and standards currently driving information technology security. The key to reaching system authorization nirvana is understanding what is required and then implementing a methodology that will achieve those requirements. The top-down methodology presented in this book provides the reader with a practical approach for completion of such an undertaking. By demystifying government requirements, this book presents a simplified, practical approach to system authorization"
Content:
Security Authorization of Information Systems: Introduction Legal and Regulatory Framework for System Authorization External Program Drivers System-Level Security Defining System Authorization Resistance to System Authorization Benefits of System Authorization Key Elements of an Enterprise System Authorization Program The Business Case Goal Setting Tasks and Milestones Program Oversight Visibility Resources Program Guidance Special Issues Program Integration System Authorization Points of Contact Measuring Progress Managing Program Activities Monitoring Compliance Providing Advice and Assistance Responding to Changes Program Awareness, Training, and Education Using Expert Systems Waivers and Exceptions NIST Special Publication 800-37, Revision 1, and the Application of the Risk Management Framework to Systems Overview Authority and Scope Purpose and Applicability Target Audience Fundamentals of Information System Risk Management According to NIST SP 800-37, Revision 1 Guidance on Organization-Wide Risk Management Organization Level (Tier 1) Mission/Business Process Level (Tier 2) Information System Level (Tier 3) Guidance on Risk Management in the System Development Life Cycle NIST's Risk Management Framework Guidance on System Boundary Definition Guidance on Software Application Boundaries Guidance on Complex Systems Guidance on the Impact of Technological Changes on System Boundaries Guidance on Dynamic Subsystems Guidance on External Subsystems Guidance on Security Control Allocation Guidance on Applying the Risk Management Framework Summary of NIST Guidance System Authorization Roles and Responsibilities Primary Roles and Responsibilities Other Roles and Responsibilities Additional Roles and Responsibilities from NIST SP 800-37, Revision 1 Documenting Roles and Responsibilities Job Descriptions Position Sensitivity Designations Personnel Transition Time Requirements Expertise Requirements Using Contractors Routine Duties Organizational Skills Organizational Placement of the System Authorization Function The System Authorization Life Cycle Initiation Phase Acquisition/Development Phase Implementation Phase Operations/Maintenance Phase Disposition Phase Challenges to Implementation Why System Authorization Programs Fail Program Scope Assessment Focus Short-Term Thinking Long-Term Thinking Poor Planning Lack of Responsibility Excessive Paperwork Lack of Enforcement Lack of Foresight Poor Timing Lack of Support System Authorization Project Planning Planning Factors Dealing with People Team Member Selection Scope Definition Assumptions Risks Project Agreements Project Team Guidelines Administrative Requirements Reporting Other Tasks Project Kickoff Wrap-Up Observations The System Inventory Process Responsibility System Identification Small Systems Complex Systems Combining Systems Accreditation Boundaries The Process Validation Inventory Information Inventory Tools Using the Inventory Maintenance Observations Interconnected Systems The Solution Agreements in the System Authorization Process Trust Relationships Initiation Time Issues Exceptions Maintaining Agreements Security Authorization of Information Systems: Review Questions
Information System Categorization: Introduction Defining Sensitivity Data Sensitivity and System Sensitivity Sensitivity Assessment Process Data Classification Approaches Responsibility for Data Sensitivity Assessment Ranking Data Sensitivity National Security Information Criticality Criticality Assessment Criticality in the View of the System Owner Ranking Criticality Changes in Criticality and Sensitivity NIST Guidance on System Categorization Task 1-1: Categorize and Document the Information System Task 1-2: Describe the Information System Task 1-3: Register the Information System Information System Categorization: Review Questions
Establishment of the Security Control Baseline: Introduction Minimum Security Baselines and Best Practices Security Controls Levels of Controls Selecting Baseline Controls Use of the Minimum Security Baseline Set Common Controls Observations Assessing Risk Background Risk Assessment in System Authorization The Risk Assessment Process Step 1: System Characterization Step 2: Threat Identification Step 3: Vulnerability Identification Step 4: Control Analysis Step 5: Likelihood Determination Step 6: Impact Analysis Step 7: Risk Determination Step 8: Control Recommendations Step 9: Results Documentation Conducting the Risk Assessment Risk Categorization Documenting Risk Assessment Results Using the Risk Assessment Overview of NIST Special Publication 800-30, Revision 1 Observations System Security Plans Applicability Responsibility Plan Contents What a Security Plan Is Not Plan Initiation Information Sources Security Plan Development Tools Plan Format Plan Approval Plan Maintenance Plan Security Plan Metrics Resistance to Security Planning Observations NIST Guidance on Security Controls Selection Task 2-1: Identify Common Controls Task 2-2: Select Security Controls Task 2-3: Develop Monitoring Strategy Task 2-4: Approve Security Plan Establishment of the Security Control Baseline: Review Questions
Application of Security Controls: Introduction Security Procedures Purpose The Problem with Procedures Responsibility Procedure Templates Process for Developing Procedures Style Formatting Access Maintenance Common Procedures Procedures in the System Authorization Process Observations Remediation Planning Managing Risk Applicability of the Remediation Plan Responsibility for the Plan Risk Remediation Plan Scope Plan Format Using the Plan When to Create the Plan Risk Mitigation Meetings Observations NIST Guidance on Implementation of Security Controls Task 3-1: Implement Security Controls Task 3-2: Document Security Control Implementation Application of Security Controls: Review Questions
Assessment of Security Controls: Introduction Scope of Testing Level of Effort Assessor Independence Developing the Test Plan The Role of the Host Test Execution Documenting Test Results NIST Guidance on Assessment of Security Control Effectiveness Task 4-1: Prepare for Controls Assessment Task 4-2: Assess Security Controls Task 4-3: Prepare Security Assessment Report Task 4-4: Conduct Remediation Actions Assessment of Security Controls: Review Questions
Information System Authorization: Introduction System Authorization Decision Making The System Authorization Authority Authorization Timing The Authorization Letter Authorization Decisions Designation of Approving Authorities Approving Authority Qualifications Authorization Decision Process Actions Following Authorization Observations Essential System Authorization Documentation Authority System Authorization Package Contents Excluded Documentation The Certification Statement Transmittal Letter Administration Observations NIST Guidance on Authorization of Information Systems Task 5-1: Prepare Plan of Action and Milestones Task 5-2: Prepare Security Authorization Package Task 5-3: Conduct Risk Determination Task 5-4: Perform Risk Acceptance
Security Controls Monitoring: Introduction Continuous Monitoring Configuration Management/Configuration Control Security Controls Monitoring Status Reporting and Documentation Key Roles in Continuous Monitoring Reaccreditation Decision NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the Information System Task 6-1: Analyze Impact of Information System and Environment Changes Task 6-2: Conduct Ongoing Security Control Assessments Task 6-3: Perform Ongoing Remediation Actions Task 6-4: Perform Key Updates Task 6-5: Report Security Status Task 6-6: Perform Ongoing Risk Determination and Acceptance Task 6-7: Information System Removal and Decommissioning Security Controls Monitoring: Review Questions
System Authorization Case Study: Situation Action Plan Lessons Learned Tools Document Templates Coordination Role of the Inspector General Compliance Monitoring Measuring Success Project Milestones Interim Accreditation Management Support and Focus Results and Future Challenges
The Future of Information System Authorization
Appendix A: References
Appendix B: Glossary
Appendix C: Sample Statement of Work
Appendix D: Sample Project Work Plan
Appendix E: Sample Project Kickoff Presentation Outline
Appendix F: Sample Project Wrap-Up Presentation Outline
Appendix G: Sample System Inventory Policy
Appendix H: Sample Business Impact Assessment
Appendix I: Sample Rules of Behavior (General Support System)
Appendix J: Sample Rules of Behavior (Major Application)
Appendix K: Sample System Security Plan Outline
Appendix L: Sample Memorandum of Understanding
Appendix M: Sample Interconnection Security Agreement
Appendix N: Sample Risk Assessment Outline
Appendix O: Sample Security Procedure
Appendix P: Sample Certification Test Results Matrix
Appendix Q: Sample Risk Remediation Plan
Appendix R: Sample Certification Statement
Appendix S: Sample Accreditation Letter
Appendix T: Sample Interim Accreditation Letter
Appendix U: Certification and Accreditation Professional (CAP(R)) Common Body of Knowledge (CBK(R))
Appendix V: Answers to Review Questions
Abstract: "Providing an overview of certification and accreditation, the second edition of this officially sanctioned guide demonstrates the practicality and effectiveness of C&A as a risk management methodology for IT systems in public and private organizations. It enables readers to document the status of their security controls and learn how to secure IT systems via standard, repeatable processes. The text describes what it takes to build a certification and accreditation program at the organization level and then analyzes various C&A processes and how they interrelate. A case study illustrates the successful implementation of certification and accreditation in a major U.S. government department. The appendices offer a collection of helpful samples"