Table of Contents for
The Definitive Guide to the C&A Transformation: The First Publication of a Comprehensive View of the C&A Transformation
by Waylon Krush, Dr. Julie Mehan
The Definitive Guide to the C&A Transformation Process
PREFACE
ABOUT THE AUTHORS
ACKNOWLEDGEMENTS
CONTENTS
INTRODUCTION
Purpose and scope
Motivation – what do we hope to accomplish with this book?
Who is the target audience?
Terminology
Overview of the contents
CHAPTER 1: AN ABRIDGED HISTORY OF INFORMATION TECHNOLOGY AND INFORMATION SYSTEMS SECURITY
From physical to virtual – a highly abridged history of information technology
Information systems and information systems security – merging concerns
40 years ago: The Dinosaur Age – the mainframe
30 years ago: The caveman and the wheel – ftp, email, and telnet
20 years ago: The automobile meets the road – rise of the personal computer
10 years ago: The Autobahn – the information super-highway
Today: The sky is the limit – networking without boundaries!
References
CHAPTER 2: THE ESSENTIAL INFORMATION SYSTEMS SECURITY REGULATIONS
Information systems security regulations you need to know
Executive orders, laws, regulations, and standards
Laws
Executive orders
Regulations
Policy, guidance and standards
Miscellaneous legislation affecting the authorization process
Health Information Portability and Accountability Act (HIPAA)
Sarbanes-Oxley
Federal Information System Controls Audit Manual (FISCAM)
The C&A transformation – The future is here (near)
References
CHAPTER 3: THE AUTHORIZATION PROCESS FRAMEWORK
Commonly found authorization process deficiencies
Risk assessments were not conducted or did not provide an adequate basis for a risk-based decision
Information system sensitivity levels were inconsistent or incorrect
Inappropriate or insufficient security controls
Authorization decisions were based on inadequate and inconsistent testing
Processes for security controls reviews were inadequate or nonexistent
Authorization process commonalities
The basic authorization framework
Factors that influence authorization activities
Joint or reciprocal authorization
Joint accreditation
Reciprocal accreditations
References
CHAPTER 4: THE AUTHORIZATION PROCESS – ESTABLISHING A FOUNDATION
Authorization is only one part of an effective security program
Making the business case – what is the ROSI?
Don’t sell FUD – tell them what they have to gain
Designing an effective information security program
Defining the program
The 5000 meter view
Getting and keeping resources
Security governance – establishing the right roles and responsibilities
Senior leadership
Chief information officer (CIO)
Senior agency information security officer (SAISO)/chief information security officer (CISO)
Risk executive (individual or function)
Authorizing official (AO)/designated accrediting authority (DAA)
Information systems security manager (ISSM)/information assurance manager (IAM)
Information system security officer (ISSO)/information assurance officer (IAO)
Certifying authority (CA)
Security controls assessor
Common control provider
Information owner/information steward
Information system owner or program manager (PM)/information system steward
Information system security engineer (ISSE)
User representative
Users
Subject matter experts (SME)
Contractors
But I’m just a small organization…
Can roles and responsibilities be delegated?
Systems security training and certification
Developing and publishing plans and policies
Measuring progress
Milestones from the “establishing a foundation” activities
References
CHAPTER 5: PRE-AUTHORIZATION ACTIVITIES – THE FUNDAMENTALS
Establish the authorization team
Authorization roles by team member
Training the authorization team should not be an afterthought
Categorizing the information system
Identifying the type of information system
Enclave
Automation information system (AIS) application
Outsourced IT
Platform IT
Identifying the information
Defining the boundary ensures manageable and measurable authorization
Network topology
Organization
Mission
Location
Data sensitivity or classification
Boundary considerations: too narrow or too broad
Helpful hints
Establishing a risk management process
Risk management process example
The risk assessment process
Step 1: Prepare and plan the risk assessment
Step 2: Identifying assets
Step 3: Perform asset sensitivity analysis
Step 4: Conduct a threat analysis
Step 5: Conduct a vulnerability analysis
Step 6: Execute cost/impact analysis
Step 7: Finalize risk assessment and analysis
Step 8: Assess residual risk against risk tolerance
The full risk assessment: Yes or No?
Align with the system life cycle (SLC)
Milestones from the pre-certification and accreditation activities
References
CHAPTER 6: PLAN, INITIATE AND IMPLEMENT AUTHORIZATION – PREPARING FOR AUTHORIZATION
UNDERSTAND the information and the information system
Who is involved?
Scope and level of effort
Information obtained from documentation
Developmental systems
Operational systems
Plan and schedule
Cost
System security categorization for information
Subtask 1: Identify the information type(s)
Subtask 2: Select the provisional or initial impact level
Subtask 3: Review the provisional/initial impact levels and adjust
Subtask 4: Assign system security category
System 1: A public web server
System 2: A financial organization
System 3: A medical management system
Additional notes on security category
The final output: Identification of the security controls baseline
Selecting the initial baseline
Supplementing the initial baseline
Identifying common or inherited controls
Benefits of common/inherited controls
REGISTER the information system
Who is involved?
The registration process
It’s all about the money!
NEGOTIATE the authorization approach
Negotiations associated with system type
Major applications (MAs)/AIS applications
General support system (GSS) or enclave
The authorization plan
IMPLEMENT the security controls
Implementation factors
Technology-related implementation factors
Infrastructure-related implementation factors
Public access-related implementation factors
Scalability-related implementation factors
Common/inherited control-related implementation factors
Risk-related implementation factors
Implementation guidance
Operational or management control
Technical control
Results of implementation: Evidence or artifacts
Milestones from the plan, initiate, and implement authorization activities
References
CHAPTER 7: VERIFY, VALIDATE & AUTHORIZE – CONDUCTING THE AUTHORIZATION
ASSESS the security controls
What is security control testing?
What should be tested?
Who executes security control testing?
Validation testing in federal agencies
Validation testing within DOD
Security control test procedures
Security control assessment methods
Examine – “E”
Interview – “I”
Test – “T”
Observation – “O”
Executing the security controls assessment
Plan the security controls assessment
Execute the security controls test
Analyze, document, and report the results in the security assessment report (SAR)
DEVELOP the plan of action and milestones (POA&M)
Importance of the POA&M – $$$$
How the POA&M fits into the information system security evaluation
Benefits of the POA&M process
The POA&M process of weakness remediation
Summary
AUTHORIZE the operation of the information system
The security authorization package
The system security plan (SSP)
Assessment summary report
A plan of action and milestones (POA&M)
The certification statement
Importance of the certifying authority and the certification statement
The security authorization decision
Authorization to operate (ATO)
Interim authorization to operate (IATO)
Denial of authorization to operate (DATO)
Interim authority to test (IATT)
Accreditation decision letter
Milestones from the verify, validate and authorize activities
References
CHAPTER 8: OPERATE & MAINTAIN – MAINTAINING AUTHORIZATION
MONITOR the security control status: situational awareness
Change and configuration management
What is a security relevant event?
Configuration management processes
What is a configuration management plan?
Why have a configuration management plan?
When should you develop a CMP?
Ongoing security control verification
CONDUCT the annual review and security reporting
MAINTAIN the authorization
Milestones from the operate and maintain activities
References
CHAPTER 9: REMOVE THE INFORMATION SYSTEM FROM OPERATION
Required actions when removing an information system from operation
The removal from operation or decommissioning plan
Avoiding self-inflicted security issues through effective system removal
Methods of removing an information system and/or its data from operation
Data you may not know you have
Some examples of tools
References
CHAPTER 10: AUTHORIZATION PACKAGE AND SUPPORTING EVIDENCE
The authorization package in detail
System security plan (SSP)
Developing the SSP
A sample table of contents (TOC) for your SSP
System security plan approval
The POA&M elements and format
Column 1: Weakness identifier
Column 2: Weakness description
Column 3: Point of contact (POC)
Column 4: Resources required
Column 5: Scheduled completion date
Column 6: Milestones with completion dates
Column 7: Changes to milestones
Column 8: Identified in audit or review
Column 9: Status
Column 10: Comments
Column 11: Risk level
Risk level determination
Establishing a POA&M process
Security assessment report (SAR)
Report structure
Submitting the SAR
Certification statement
Contents of the certification statement
Supporting evidence for the authorization decision – security control documentation
Information system inventory – understand your information systems
How to proceed
The overall inventory of information systems
Hardware and software inventories
Use of inventory tools
Security control assessment (SCA) plan
Types of security control assessments
Security control assessment plan contents
Security control assessment plan approval
Security control assessment report (SAR)
SAR template
Configuration management (CM) process and plan
Typical CM roles and responsibilities
Configuration management board (CMB) and configuration control board (CCB)
The configuration management process (CMP)
The configuration management plan (CMP)
What are the basic contents of the CMP?
Continuity of operations/IT contingency planning
Testing the plan
User guides – general and privileged users
User’s guide
Privileged user’s guide
Incident handling and response
Incident handling versus just incident response
Incident response plan (IRP)
Privacy impact assessment (PIA)
When is a PIA required?
When is a PIA submitted?
Steps to completing a PIA
Contents of the PIA
Interconnection agreements
Why is an interconnection agreement necessary?
MOU, MOA or ISA?
Role of the authorizing official
Memorandum of understanding/agreement (MOU/A)
Interconnection security agreement (ISA)
References
CHAPTER 11: C&A IN THE US DEPARTMENT OF DEFENSE
Introduction to the DIACAP
The IA controls and how to use them
Determining mission assurance category
Determining confidentiality level
Selecting the IA control set: Putting MAC and CL together
IA control subject areas
IA control naming convention
DIACAP governance structure
The accreditation sub-structure
Configuration control and management sub-structure
C&A process sub-structure
A DIACAP roadmap (guide to the stages or activities)
Initiate & plan IA C&A
Register the information system with the DOD component IA program
Assign the information assurance controls
Assigning the DIACAP team
Develop the DIACAP implementation plan
Implement and validate assigned IA controls
Finding implementation and validation test guidance
Execute the DIACAP implementation plan
Conduct validation activities
Prepare the plan of action & milestones (POA&M)
Compile validation results in the DIACAP scorecard
Make certification determination & accreditation decision
Make certification determination
Issue accreditation decision
Maintain authorization to operate & conduct reviews
Maintain situational awareness
Maintain IA posture
Conduct reviews
Initiate re-accreditation
Decommission the information system
Retiring the information system
DIACAP support tools
DIACAP Knowledge Service
Enterprise Mission Assurance Support Service (eMASS)
C&A and the DOD components
References
CHAPTER 12: AUTHORIZATION IN THE FEDERAL GOVERNMENT
Establishing information system authorization boundaries (also known as accreditation boundaries)
The system description
Network and dataflow diagrams
The system inventory
Choose the proper accreditation vehicle
Security authorization process
Step 1: Categorizing the information system
Step 2: Registering the information system
Step 3: Selecting the security controls
Step 4: Implementing the security controls
Step 5: Identify and select the independent security control assessor (assessment team)
Step 6: Develop the security control assessment plan
Step 7: Prepare for the test
Step 8: Conduct the security controls assessment test
Some tips for preparing the final assessment report
Step 9: Update the system security plan
Step 10: Develop the POA&M
Step 11: Security authorization decision
Step 12: Continuous monitoring and ongoing risk acceptance
Step 13: Decommissioning the information system
References
CHAPTER 13: THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
The e-Government Act of 2002 and FISMA
The FISMA report card
The FISMA report requirements
FISMA systems inventory
Certification and accreditation, security controls testing, and contingency plan testing
Implementation of NIST SP 800-53 security controls
Incident detection, monitoring, and response
Security awareness training
Peer-to-peer file sharing
Configuration management
Incident reporting
New technologies and emerging threats
Security performance metrics
FISMA misunderstood – What FISMA is NOT
FISMA and its achievements
10 critical questions for FISMA compliance
The 30,000 foot view of FISMA compliance
Automated C&A tools can help!
References
CHAPTER 14: AUTHORIZATION AND THE SYSTEM LIFE CYCLE (SLC)
Phases of the system life cycle (SLC)
Initiation phase
System concept development phase
Planning phase
Requirements analysis phase
Design phase
Development/acquisition phase
Integration and test phase
Production and deployment phase
Operations and maintenance phase
Disposal phase
Life cycle phases and documentation
Why link authorization to the SLC?
References
CHAPTER 15: INFORMATION SYSTEMS SECURITY TRAINING AND CERTIFICATION
Leverage your most important asset
The drivers
Policy foundation
Security education, training, and awareness (SETA) – and certification
Why certification?
Managers and technical staff
References
CHAPTER 16: THE FUTURE – REVITALIZING AND TRANSFORMING C&A
Why transform?
Goals of the transformation
The transformation process
Approach to developing the revised C&A policy
Proposed approach to C&A
The elements of the enterprise risk perspective
Combining the processes with the system life cycle views
The basis for reciprocity
Status of the C&A transformation and transition
Transition
What is the value added by the transformation and transition?
References
THE RESOURCE CD
GLOSSARY
ACRONYMS
ITG RESOURCES