Risk Management Framework

A Lab-Based Approach to Securing Information Systems

1st Edition - July 3, 2013

  • Author: James Broad
  • eBook ISBN: 9780124047235
  • Paperback ISBN: 9781597499958

Description

The RMF allows an organization to develop an organization-wide risk framework that reduces the resources required to authorize a system's operation. Use of the RMF helps organizations maintain compliance with FISMA and OMB requirements, and it can also be tailored to meet other compliance requirements such as the Payment Card Industry (PCI) standards or Sarbanes-Oxley (SOX). With the publication of NIST SP 800-37 in 2010 and the move of the Intelligence Community and Department of Defense to modified versions of this process, clear implementation guidance is needed to help individuals implement the process correctly. No other publication covers this topic in the detail provided in this book or provides hands-on exercises that reinforce the topics. Examples in the book follow a fictitious organization through the RMF, allowing the reader to follow the development of proper compliance measures. Templates provided in the book allow readers to quickly implement the RMF in their own organization. The need for this book continues to grow as government and non-governmental organizations build their security programs around the RMF. The companion website provides access to all of the documents, templates and examples needed not only to understand the RMF but also to implement the process in the reader's own organization.

Key Features

  • A comprehensive case study from initiation to decommission and disposal
  • Detailed explanations of the complete RMF process and its linkage to the SDLC
  • Hands-on exercises to reinforce topics
  • Complete linkage of the RMF to all applicable laws, regulations and publications as never seen before

Readership

Information Security professionals of all levels, systems administrators, information technology leaders, network administrators, information auditors, security managers, and an academic audience among information assurance majors

Table of Contents

  • Dedication
  • Acknowledgments
  • About the Author
  • Technical Editor
  • Companion Website
  • Chapter 1: Introduction
        Book Overview And Key Learning Points
        Book Audience
        The Risk Management Framework (RMF)
        Why This Book Is Different
        A Note About National Security Systems
        Book Organization
  • Part 1
        Introduction
  • Chapter 2: Laws, Regulations, and Guidance
        Abstract
        Chapter Overview And Key Learning Points
        The Case For Legal And Regulatory Requirements
        Legal And Regulatory Organizations
        Laws, Policies, And Regulations
        National Institute Of Standards And Technology (NIST) Publications
  • Chapter 3: Integrated Organization-Wide Risk Management
        Abstract
        Chapter Overview And Key Learning Points
        Risk Management
        Risk Management And The RMF
        Components Of Risk Management
        Multi-Tiered Risk Management
        Risk Executive (Function)
  • Chapter 4: The Joint Task Force Transformation Initiative
        Abstract
        Chapter Overview And Key Learning Points
        Before The Joint Task Force Transformation Initiative
        The Joint Task Force Transformation Initiative
  • Chapter 5: System Development Life Cycle (SDLC)
        Abstract
        System Development Life Cycle (SDLC)
        Traditional Systems Development Life Cycle (SDLC)
        Traditional SDLC Considerations
        Agile System Development
  • Chapter 6: Transitioning from the C&A Process to RMF
        Abstract
        Chapter Overview And Key Learning Points
        C&A To RMF
        The Certification And Accreditation (C&A) Process
        Introducing The RMF (A High-Level View)
        Transition
  • Chapter 7: Key Positions and Roles
        Abstract
        Chapter Overview And Key Learning Points
        Key Roles To Implement The RMF
  • Part 2
        Introduction
  • Chapter 8: Lab Organization
        Abstract
        Chapter Overview And Key Learning Points
        The Department Of Social Media (DSM)
        Organizational Structure
        Risk Executive (Function)
  • Chapter 9: RMF Phase 1: Categorize the Information System
        Abstract
        Chapter Overview And Key Learning Points
        Phase 1, Task 1: Security Categorization
        Phase 1, Task 2: Information Systems Description
        Common Control Providers
        Phase 1, Task 3: Information System Registration
        Chapter 9 Lab Exercises: Information System Categorization
  • Chapter 10: RMF Phase 2: Selecting Security Controls
        Abstract
        Chapter Overview And Key Learning Points
        Selecting Security Controls
        Chapter 10 Lab Exercises: Selecting Security Controls
  • Chapter 11: RMF Phase 3: Implementing Security Controls
        Abstract
        Chapter Overview And Key Learning Points
        Phase 3, Task 1: Security Control Implementation
        Phase 3, Task 2: Security Control Documentation
        Chapter 11 Lab Exercises: Selecting Security Controls
  • Chapter 12: RMF Phase 4: Assess Security Controls
        Abstract
        Chapter Overview And Key Learning Points
        Assessing Security Controls
        Chapter 12 Lab Exercises: Assessing Security Controls
  • Chapter 13: RMF Phase 5: Authorizing the Information System
        Abstract
        Chapter Overview And Key Learning Points
        Phase 5, Task 1: Developing The Plan Of Action And Milestones (POA&M)
        Phase 5, Task 2: Assembly Of The Authorization Package
        Phase 5, Task 3: Determining Risk
        Phase 5, Task 4: Accepting Risk
        Chapter 13 Lab Exercises: Authorizing The Information System
  • Chapter 14: RMF Phase 6: Monitoring Security Controls
        Abstract
        Chapter Overview And Key Learning Points
        Phase 6, Task 1: Monitoring Information System And Environment Changes
        Phase 6, Task 2: Ongoing Security Control Assessment
        Phase 6, Task 3: Ongoing Remediation Actions
        Phase 6, Task 4: Updating The Security Documentation
        Phase 6, Task 5: Security Status Reporting
        Phase 6, Task 6: Ongoing Risk Determination And Acceptance
        Phase 6, Task 7: System Removal And Decommissioning
        Chapter 14 Lab Exercises: Monitoring Security Controls
  • Chapter 15: The Expansion of the RMF
        Abstract
        Chapter Overview And Key Learning Points
        The Transition To The RMF
        Future Updates To The RMF Process
        Using The RMF With Other Control Sets And Requirements
        Conclusion
  • Appendix A: Answers to Exercises in Chapters 9 through 14
        Chapter 9
        Chapter 10
        Chapter 11
        Chapter 12
        Chapter 13
        Chapter 14
  • Appendix B: Control Families and Classes
  • Appendix C: Security Control Assessment Requirements
        NIST SP 800-53A Assessment Methods
        Security Control Baseline Categorization
        CNSSI 1253 Baseline Categorization
        New Controls Planned In Revision 4
        FedRAMP Controls
        SP 800-53 Security Controls To HIPAA Security Rule
        PCI DSS Standards
  • Appendix D: Assessment Method Definitions, Applicable Objects, and Attributes
  • Glossary
  • Common Acronyms in this Book
  • References
  • Index

Product details

  • No. of pages: 316
  • Language: English
  • Copyright: © Syngress 2013
  • Published: July 3, 2013
  • Imprint: Syngress
  • eBook ISBN: 9780124047235
  • Paperback ISBN: 9781597499958

About the Author

James Broad

James Broad (CISSP, C|EH, CPTS, Security+, MBA) is the President and owner of Cyber-Recon, LLC, where he and his team of consultants specialize in Information Security, Information Assurance, Certification and Accreditation and offer other security consultancy services to corporate and government clients. As a security professional with over 20 years of real-world IT experience, James is an expert in many areas of IT security, specializing in security engineering, penetration testing, vulnerability analysis and research. He has provided security services in the nation’s most critical sectors including defense, law enforcement, intelligence, finance and healthcare.

Affiliations and Expertise

President and Owner, Cyber-Recon, LLC.
