FISMA Compliance Handbook - 1st Edition - ISBN: 9780124058712, 9780124059153

FISMA Compliance Handbook

1st Edition (the publisher's edition count; the cover and description call the book the Second Edition, as the successor to the author's 2006 FISMA Certification and Accreditation Handbook)

Authors: Laura Taylor
Paperback ISBN: 9780124058712
eBook ISBN: 9780124059153
Imprint: Syngress
Published Date: 27th August 2013
Page Count: 350


Description

This comprehensive book shows IT managers how to meet federally mandated compliance requirements. FISMA Compliance Handbook Second Edition explains what FISMA compliance requires and why it is mandated by federal law, and discusses the evolution of Certification and Accreditation.

This book walks the reader through the entire FISMA compliance process and includes guidance on how to manage a FISMA compliance project from start to finish. The book has chapters for all FISMA compliance deliverables and includes information on how to conduct a FISMA compliant security assessment.

Topics discussed include the NIST Risk Management Framework, how to characterize the sensitivity level of your system, contingency planning, system security plan development, security awareness training, privacy impact assessments, security assessments, and more. Readers will learn how to obtain an Authority to Operate for an information system and what actions to take regarding vulnerabilities and audit findings.

FISMA Compliance Handbook Second Edition also includes all-new coverage of federal cloud computing compliance from author Laura Taylor, the federal government’s technical lead for FedRAMP, the government program used to assess and authorize cloud products and services.

Key Features

  • Includes new information on cloud computing compliance from Laura Taylor, the federal government’s technical lead for FedRAMP
  • Includes coverage for both corporate and government IT managers
  • Learn how to prepare for, perform, and document FISMA compliance projects
  • This book is used by various colleges and universities in information security and MBA curricula.

Readership

Information security professionals of all levels, systems administrators, information technology leaders, network administrators, information auditors, security managers, and an academic audience of information assurance majors.

Table of Contents

Dedication

Author Acknowledgments

About the Author

Foreword

Chapter 1. FISMA Compliance Overview

Abstract

Topics in this chapter

Introduction

Terminology

Processes and paperwork

Templates streamline the process

FISMA oversight and governance

Supporting government security regulations

Summary

References

Chapter 2. FISMA Trickles into the Private Sector

Abstract

Topics in this chapter

Introduction and authorities

Inspector General reports

What should NGOs do regarding FISMA?

FISMA compliance tools

Summary

Chapter 3. FISMA Compliance Methodologies

Abstract

Topics in this chapter

Introduction

The NIST risk management framework (RMF)

Defense information assurance C&A process (DIACAP)

Department of Defense (DoD) risk management framework (RMF)

ICD 503 and DCID 6/3

The common denominator of FISMA compliance methodologies

FISMA compliance for private enterprises

Legacy methodologies

Summary

Notes

Chapter 4. Understanding the FISMA Compliance Process

Abstract

Topics in this chapter

Introduction

Recognizing the need for FISMA compliance

Roles and responsibilities

Stepping through the process

FISMA project management

Summary

Chapter 5. Establishing a FISMA Compliance Program

Abstract

Topics in this chapter

Introduction

Compliance handbook development

Create a standardized security assessment process

Provide package delivery instructions

Authority and endorsement

Improve your compliance program each year

Problems of not having a compliance program

Summary

Chapter 6. Getting Started on Your FISMA Project

Abstract

Topics in this chapter

Introduction

Initiate your project

Analyze your research

Develop the documents

Verify your information

Retain your ethics

Summary

Chapter 7. Preparing the Hardware and Software Inventory

Abstract

Topics in this chapter

Introduction

Determining the system boundaries

Collecting the inventory information

Structure of inventory information

Delivery of inventory document

Summary

Chapter 8. Categorizing Data Sensitivity

Abstract

Topics in this chapter

Introduction

Heed this warning before you start

Confidentiality, Integrity, and Availability

Template for FIPS 199 Profile

The explanatory memo

National Security Systems

Summary

Chapter 9. Addressing Security Awareness and Training

Abstract

Topics in this chapter

Introduction and authorities

Purpose of security awareness and training

Elements of the security awareness and training plan

Specialized security training

Security awareness

The awareness and training message

Security awareness and training checklist

Security awareness course evaluation

Summary

Reference

Chapter 10. Addressing Rules of Behavior

Abstract

Topics in this chapter

Introduction

Implementing Rules of Behavior

Rules for internal and external users

What rules to include

Consequences of noncompliance

Rules of Behavior checklist

Summary

Chapter 11. Developing an Incident Response Plan

Abstract

Topics in this chapter

Introduction

Purpose and applicability

Policies, procedures, and guidelines

Reporting framework

Roles and responsibilities

Definitions

Incident handling

Forensic investigations

Incident types

Incident Response Plan checklist

Security Incident Reporting Form

Summary

Additional resources

Incident response organizations

Books on incident response

Articles and papers on incident response

Chapter 12. Conducting a Privacy Impact Assessment

Abstract

Topics in this chapter

Introduction

Privacy laws, regulations, and rights

OMB Memoranda with privacy implications

Laws and regulations

When to conduct a PIA?

Questions for a privacy impact assessment

Personally identifiable information (PII)

Persistent tracking technologies

Decommissioning of PII

System of record notice (SORN)

Posting the privacy policy

PIA checklist

Summary

Books on privacy

References

Chapter 13. Preparing the Business Impact Analysis

Abstract

Topics in this chapter

Introduction

Terminology

Document actual recovery times

Establish relative recovery priorities

Define escalation thresholds

Record license keys

BIA Organization

Summary

Additional resources

Chapter 14. Developing the Contingency Plan

Abstract

Topics in this chapter

Introduction

List assumptions

Concept of operations

Roles and responsibilities

Levels of disruption

Procedures

Line of succession

Service-Level Agreements

Contact lists

Testing the Contingency Plan

Appendices

Contingency Plan checklist

Additional resources

Chapter 15. Developing a Configuration Management Plan

Abstract

Topics in this chapter

Introduction

Establish definitions

Describe assets controlled by the plan

Describe the configuration management system

Define roles and responsibilities

Describe baselines

Change control process

Configuration management audit

Configuration and change management tools

Configuration Management Plan checklist

Summary

Additional resources

Chapter 16. Preparing the System Security Plan

Abstract

Topics in this chapter

Introduction

Laws, regulations, and policies

The system description

Security controls and requirements

Management controls

Operational controls

Technical controls

ISSO appointment letter

System security plan checklist

Summary

Additional resources

Note

Chapter 17. Performing the Business Risk Assessment

Abstract

Topics in this chapter

Introduction

Determine the mission

Create a mission map

Construct risk statements

Describe the sensitivity model

Quantitative risk assessment

Qualitative versus quantitative risk assessment

Make an informed decision

Summary

Books and articles on risk assessment

References

Chapter 18. Getting Ready for Security Testing

Abstract

Topics in this chapter

Introduction and authorities

Planning

Scoping

Assumptions and constraints

Schedule

Rules of Engagement

Limitation of Liability

End of testing

Summary

Additional resources

Chapter 19. Submitting the Security Package

Abstract

Topics in this chapter

Introduction

Structure of documents

Who puts the package together?

Markings and format

Signature pages

A word about “Not Applicable” information

Submission and revision

Defending the Security Package

Checklist

Summary

Additional resources

Chapter 20. Independent Assessor Audit Guide

Abstract

Topics in this chapter

Introduction

Test against the System’s security control baseline

How does confidentiality, integrity, and availability fit in?

Manual and automated testing

Security testing tools

Infrastructure scanners

Evaluations by Inspectors General

Evaluations by the Government Accountability Office

Summary

Chapter 21. Developing the Security Assessment Report

Abstract

Topics in this chapter

Introduction

Analysis of test results

Risk assessment methodology

Present the risks

Checklist

Make decisions

Certification

Authority to operate

Interim authority to operate

Summary

Additional resources

Chapter 22. Addressing FISMA Findings

Abstract

Topics in this chapter

Introduction

POA&Ms

Development and approval

POA&M elements

A word to the wise

Checklist

Summary

Chapter 23. FedRAMP: FISMA for the Cloud

Abstract

Topics in this chapter

Introduction

What is cloud computing?

Looking at virtual machines another way

Sharding

Content delivery networks

FedRAMP security independent assessors

FedRAMP security assessments

The great value of FedRAMP

FedRAMP organization

Summary

Resources

Appendix A. FISMA

Title III—Information Security

Appendix B. OMB Circular A-130 Appendix III

Security of federal automated information resources

Appendix C. FIPS 199

Foreword

Authority

Table of contents

1 Purpose

2 Applicability

3 Categorization of information and information systems

APPENDIX A Terms and definitions

APPENDIX B References

Index

Details

No. of pages:
350
Language:
English
Copyright:
© Syngress 2013
Published:
27th August 2013
Imprint:
Syngress
eBook ISBN:
9780124059153
Paperback ISBN:
9780124058712

About the Author

Laura Taylor

Laura Taylor leads the technical development of FedRAMP, the U.S. government's initiative to apply the Federal Information Security Management Act to cloud computing. In 2006, Taylor's FISMA Certification and Accreditation Handbook was the first book published on FISMA. Taylor has contributed to four other books on information security and has authored hundreds of articles and white papers on infosec topics for a variety of web publications and magazines. Specializing in helping federal agencies and private industry comply with computer security laws, Taylor is a thought leader on cyber security compliance. Taylor has led large technology migrations, developed enterprise-wide information security programs, and has performed risk assessments and security audits for numerous financial institutions.