FISMA Compliance Handbook

Second Edition

1st Edition - August 20, 2013

  • Author: Laura Taylor
  • eBook ISBN: 9780124059153
  • Paperback ISBN: 9780124058712

Description

This comprehensive book instructs IT managers in adhering to federally mandated compliance requirements. FISMA Compliance Handbook Second Edition explains what the requirements for FISMA compliance are and why FISMA compliance is mandated by federal law. The evolution of Certification and Accreditation is discussed. This book walks the reader through the entire FISMA compliance process and includes guidance on how to manage a FISMA compliance project from start to finish. The book has chapters for all FISMA compliance deliverables and includes information on how to conduct a FISMA-compliant security assessment. Topics discussed in this book include the NIST Risk Management Framework, how to characterize the sensitivity level of your system, contingency planning, system security plan development, security awareness training, privacy impact assessments, security assessments, and more. Readers will learn how to obtain an Authority to Operate for an information system and what actions to take regarding vulnerabilities and audit findings. FISMA Compliance Handbook Second Edition also includes all-new coverage of federal cloud computing compliance from author Laura Taylor, the federal government’s technical lead for FedRAMP, the government program used to assess and authorize cloud products and services.

Key Features

  • Includes new information on cloud computing compliance from Laura Taylor, the federal government’s technical lead for FedRAMP
  • Includes coverage for both corporate and government IT managers
  • Learn how to prepare for, perform, and document FISMA compliance projects
  • This book is used by various colleges and universities in information security and MBA curricula

Readership

Information Security professionals of all levels, systems administrators, information technology leaders, network administrators, information auditors, security managers, and an academic audience among information assurance majors.

Table of Contents

  • Dedication
  • Author Acknowledgments
  • About the Author
  • Foreword
  • Chapter 1. FISMA Compliance Overview
      • Abstract
      • Topics in this chapter
      • Introduction
      • Terminology
      • Processes and paperwork
      • Templates streamline the process
      • FISMA oversight and governance
      • Supporting government security regulations
      • Summary
      • References
  • Chapter 2. FISMA Trickles into the Private Sector
      • Abstract
      • Topics in this chapter
      • Introduction and authorities
      • Inspector General reports
      • What should NGOs do regarding FISMA?
      • FISMA compliance tools
      • Summary
  • Chapter 3. FISMA Compliance Methodologies
      • Abstract
      • Topics in this chapter
      • Introduction
      • The NIST risk management framework (RMF)
      • Defense information assurance C&A process (DIACAP)
      • Department of Defense (DoD) risk management framework (RMF)
      • ICD 503 and DCID 6/3
      • The common denominator of FISMA compliance methodologies
      • FISMA compliance for private enterprises
      • Legacy methodologies
      • Summary
      • Notes
  • Chapter 4. Understanding the FISMA Compliance Process
      • Abstract
      • Topics in this chapter
      • Introduction
      • Recognizing the need for FISMA compliance
      • Roles and responsibilities
      • Stepping through the process
      • FISMA project management
      • Summary
  • Chapter 5. Establishing a FISMA Compliance Program
      • Abstract
      • Topics in this chapter
      • Introduction
      • Compliance handbook development
      • Create a standardized security assessment process
      • Provide package delivery instructions
      • Authority and endorsement
      • Improve your compliance program each year
      • Problems of not having a compliance program
      • Summary
  • Chapter 6. Getting Started on Your FISMA Project
      • Abstract
      • Topics in this chapter
      • Introduction
      • Initiate your project
      • Analyze your research
      • Develop the documents
      • Verify your information
      • Retain your ethics
      • Summary
  • Chapter 7. Preparing the Hardware and Software Inventory
      • Abstract
      • Topics in this chapter
      • Introduction
      • Determining the system boundaries
      • Collecting the inventory information
      • Structure of inventory information
      • Delivery of inventory document
      • Summary
  • Chapter 8. Categorizing Data Sensitivity
      • Abstract
      • Topics in this chapter
      • Introduction
      • Heed this warning before you start
      • Confidentiality, Integrity, and Availability
      • Template for FIPS 199 Profile
      • The explanatory memo
      • National Security Systems
      • Summary
  • Chapter 9. Addressing Security Awareness and Training
      • Abstract
      • Topics in this chapter
      • Introduction and authorities
      • Purpose of security awareness and training
      • Elements of the security awareness and training plan
      • Specialized security training
      • Security awareness
      • The awareness and training message
      • Security awareness and training checklist
      • Security awareness course evaluation
      • Summary
      • Reference
  • Chapter 10. Addressing Rules of Behavior
      • Abstract
      • Topics in this chapter
      • Introduction
      • Implementing Rules of Behavior
      • Rules for internal and external users
      • What rules to include
      • Consequences of noncompliance
      • Rules of Behavior checklist
      • Summary
  • Chapter 11. Developing an Incident Response Plan
      • Abstract
      • Topics in this chapter
      • Introduction
      • Purpose and applicability
      • Policies, procedures, and guidelines
      • Reporting framework
      • Roles and responsibilities
      • Definitions
      • Incident handling
      • Forensic investigations
      • Incident types
      • Incident Response Plan checklist
      • Security Incident Reporting Form
      • Summary
      • Additional resources
      • Incident response organizations
      • Books on incident response
      • Articles and papers on incident response
  • Chapter 12. Conducting a Privacy Impact Assessment
      • Abstract
      • Topics in this chapter
      • Introduction
      • Privacy laws, regulations, and rights
      • OMB Memoranda with privacy implications
      • Laws and regulations
      • When to conduct a PIA?
      • Questions for a privacy impact assessment
      • Personally identifiable information (PII)
      • Persistent tracking technologies
      • Decommissioning of PII
      • System of record notice (SORN)
      • Posting the privacy policy
      • PIA checklist
      • Summary
      • Books on privacy
      • References
  • Chapter 13. Preparing the Business Impact Analysis
      • Abstract
      • Topics in this chapter
      • Introduction
      • Terminology
      • Document actual recovery times
      • Establish relative recovery priorities
      • Define escalation thresholds
      • Record license keys
      • BIA Organization
      • Summary
      • Additional resources
  • Chapter 14. Developing the Contingency Plan
      • Abstract
      • Topics in this chapter
      • Introduction
      • List assumptions
      • Concept of operations
      • Roles and responsibilities
      • Levels of disruption
      • Procedures
      • Line of succession
      • Service-Level Agreements
      • Contact lists
      • Testing the Contingency Plan
      • Appendices
      • Contingency Plan checklist
      • Additional resources
  • Chapter 15. Developing a Configuration Management Plan
      • Abstract
      • Topics in this chapter
      • Introduction
      • Establish definitions
      • Describe assets controlled by the plan
      • Describe the configuration management system
      • Define roles and responsibilities
      • Describe baselines
      • Change control process
      • Configuration management audit
      • Configuration and change management tools
      • Configuration Management Plan checklist
      • Summary
      • Additional resources
  • Chapter 16. Preparing the System Security Plan
      • Abstract
      • Topics in this chapter
      • Introduction
      • Laws, regulations, and policies
      • The system description
      • Security controls and requirements
      • Management controls
      • Operational controls
      • Technical controls
      • ISSO appointment letter
      • System security plan checklist
      • Summary
      • Additional resources
      • Note
  • Chapter 17. Performing the Business Risk Assessment
      • Abstract
      • Topics in this chapter
      • Introduction
      • Determine the mission
      • Create a mission map
      • Construct risk statements
      • Describe the sensitivity model
      • Quantitative risk assessment
      • Qualitative versus quantitative risk assessment
      • Make an informed decision
      • Summary
      • Books and articles on risk assessment
      • References
  • Chapter 18. Getting Ready for Security Testing
      • Abstract
      • Topics in this chapter
      • Introduction and authorities
      • Planning
      • Scoping
      • Assumptions and constraints
      • Schedule
      • Rules of Engagement
      • Limitation of Liability
      • End of testing
      • Summary
      • Additional resources
  • Chapter 19. Submitting the Security Package
      • Abstract
      • Topics in this chapter
      • Introduction
      • Structure of documents
      • Who puts the package together?
      • Markings and format
      • Signature pages
      • A word about “Not Applicable” information
      • Submission and revision
      • Defending the Security Package
      • Checklist
      • Summary
      • Additional resources
  • Chapter 20. Independent Assessor Audit Guide
      • Abstract
      • Topics in this chapter
      • Introduction
      • Test against the System’s security control baseline
      • How do confidentiality, integrity, and availability fit in?
      • Manual and automated testing
      • Security testing tools
      • Infrastructure scanners
      • Evaluations by Inspectors General
      • Evaluations by the Government Accountability Office
      • Summary
  • Chapter 21. Developing the Security Assessment Report
      • Abstract
      • Topics in this chapter
      • Introduction
      • Analysis of test results
      • Risk assessment methodology
      • Present the risks
      • Checklist
      • Make decisions
      • Certification
      • Authority to operate
      • Interim authority to operate
      • Summary
      • Additional resources
  • Chapter 22. Addressing FISMA Findings
      • Abstract
      • Topics in this chapter
      • Introduction
      • POA&Ms
      • Development and approval
      • POA&M elements
      • A word to the wise
      • Checklist
      • Summary
  • Chapter 23. FedRAMP: FISMA for the Cloud
      • Abstract
      • Topics in this chapter
      • Introduction
      • What is cloud computing?
      • Looking at virtual machines another way
      • Sharding
      • Content delivery networks
      • FedRAMP security independent assessors
      • FedRAMP security assessments
      • The great value of FedRAMP
      • FedRAMP organization
      • Summary
      • Resources
  • Appendix A. FISMA
      • Title III—Information Security
  • Appendix B. OMB Circular A-130 Appendix III
      • Security of federal automated information resources
  • Appendix C. FIPS 199
      • Foreword
      • Authority
      • Table of contents
      • 1 Purpose
      • 2 Applicability
      • 3 Categorization of information and information systems
      • APPENDIX A Terms and definitions
      • APPENDIX B References
  • Index

Product details

  • No. of pages: 350
  • Language: English
  • Copyright: © Syngress 2013
  • Published: August 20, 2013
  • Imprint: Syngress
  • eBook ISBN: 9780124059153
  • Paperback ISBN: 9780124058712

About the Author

Laura Taylor

Laura Taylor leads the technical development of FedRAMP, the U.S. government's initiative to apply the Federal Information Security Management Act to cloud computing. In 2006, Taylor's FISMA Certification and Accreditation Handbook was the first book published on FISMA. Taylor has contributed to four other books on information security and has authored hundreds of articles and white papers on infosec topics for a variety of web publications and magazines. Specializing in assisting federal agencies and private industry in complying with computer security laws, Taylor is a thought leader on cyber security compliance. Taylor has led large technology migrations, developed enterprise-wide information security programs, and has performed risk assessments and security audits for numerous financial institutions.