Risk Management Framework
1st Edition
A Lab-Based Approach to Securing Information Systems
Description
The RMF allows an organization to develop an organization-wide risk framework that reduces the resources required to authorize a system's operation. Using the RMF helps organizations maintain compliance with FISMA and OMB requirements, and the process can also be tailored to meet other compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS) or Sarbanes-Oxley (SOX). With the publication of NIST SP 800-37 in 2010 and the move of the Intelligence Community and the Department of Defense to modified versions of this process, clear implementation guidance is needed to help individuals implement it correctly. No other publication covers this topic in the detail provided in this book or provides hands-on exercises that reinforce the topics. Examples in the book follow a fictitious organization through the RMF, allowing the reader to follow the development of proper compliance measures. Templates provided in the book allow readers to quickly implement the RMF in their own organization. The need for this book continues to grow as government and non-governmental organizations build their security programs around the RMF. The companion website provides access to all of the documents, templates and examples needed not only to understand the RMF but also to implement the process in the reader's own organization.
Key Features
- A comprehensive case study from initiation to decommission and disposal
- Detailed explanations of the complete RMF process and its linkage to the SDLC
- Hands-on exercises to reinforce topics
- Complete linkage of the RMF to all applicable laws, regulations and publications, in a level of detail not previously available
Readership
Information security professionals of all levels, systems administrators, information technology leaders, network administrators, information auditors, security managers, and an academic audience of information assurance majors
Table of Contents
Dedication
Acknowledgments
About the Author
Technical Editor
Companion Website
Chapter 1: Introduction
Book Overview And Key Learning Points
Book Audience
The Risk Management Framework (RMF)
Why This Book Is Different
A Note About National Security Systems
Book Organization
Part 1
Introduction
Chapter 2: Laws, Regulations, and Guidance
Abstract
Chapter Overview And Key Learning Points
The Case For Legal And Regulatory Requirements
Legal And Regulatory Organizations
Laws, Policies, And Regulations
National Institute Of Standards And Technology (NIST) Publications
Chapter 3: Integrated Organization-Wide Risk Management
Abstract
Chapter Overview And Key Learning Points
Risk Management
Risk Management And The RMF
Components Of Risk Management
Multi-Tiered Risk Management
Risk Executive (Function)
Chapter 4: The Joint Task Force Transformation Initiative
Abstract
Chapter Overview And Key Learning Points
Before The Joint Task Force Transformation Initiative
The Joint Task Force Transformation Initiative
Chapter 5: System Development Life Cycle (SDLC)
Abstract
System Development Life Cycle (SDLC)
Traditional Systems Development Life Cycle (SDLC)
Traditional SDLC Considerations
Agile System Development
Chapter 6: Transitioning from the C&A Process to RMF
Abstract
Chapter Overview And Key Learning Points
C&A To RMF
The Certification And Accreditation (C&A) Process
Introducing The RMF (A High-Level View)
Transition
Chapter 7: Key Positions and Roles
Abstract
Chapter Overview And Key Learning Points
Key Roles To Implement The RMF
Part 2
Introduction
Chapter 8: Lab Organization
Abstract
Chapter Overview And Key Learning Points
The Department Of Social Media (DSM)
Organizational Structure
Risk Executive (Function)
Chapter 9: RMF Phase 1: Categorize the Information System
Abstract
Chapter Overview And Key Learning Points
Phase 1, Task 1: Security Categorization
Phase 1, Task 2: Information Systems Description
Common Control Providers
Phase 1, Task 3: Information System Registration
Chapter 9 Lab Exercises: Information System Categorization
Chapter 10: RMF Phase 2: Selecting Security Controls
Abstract
Chapter Overview And Key Learning Points
Selecting Security Controls
Chapter 10 Lab Exercises: Selecting Security Controls
Chapter 11: RMF Phase 3: Implementing Security Controls
Abstract
Chapter Overview And Key Learning Points
Phase 3, Task 1: Security Control Implementation
Phase 3, Task 2: Security Control Documentation
Chapter 11 Lab Exercises: Selecting Security Controls
Chapter 12: RMF Phase 4: Assess Security Controls
Abstract
Chapter Overview And Key Learning Points
Assessing Security Controls
Chapter 12 Lab Exercises: Assessing Security Controls
Chapter 13: RMF Phase 5: Authorizing the Information System
Abstract
Chapter Overview And Key Learning Points
Phase 5, Task 1: Developing The Plan Of Action And Milestones (POA&M)
Phase 5, Task 2: Assembly Of The Authorization Package
Phase 5, Task 3: Determining Risk
Phase 5, Task 4: Accepting Risk
Chapter 13 Lab Exercises: Authorizing The Information System
Chapter 14: RMF Phase 6: Monitoring Security Controls
Abstract
Chapter Overview And Key Learning Points
Phase 6, Task 1: Monitoring Information System And Environment Changes
Phase 6, Task 2: Ongoing Security Control Assessment
Phase 6, Task 3: Ongoing Remediation Actions
Phase 6, Task 4: Updating The Security Documentation
Phase 6, Task 5: Security Status Reporting
Phase 6, Task 6: Ongoing Risk Determination And Acceptance
Phase 6, Task 7: System Removal And Decommissioning
Chapter 14 Lab Exercises: Monitoring Security Controls
Chapter 15: The Expansion of the RMF
Abstract
Chapter Overview And Key Learning Points
The Transition To The RMF
Future Updates To The RMF Process
Using The RMF With Other Control Sets And Requirements
Conclusion
Appendix A: Answers to Exercises in Chapters 9 through 14
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Appendix B: Control Families and Classes
Appendix C: Security Control Assessment Requirements
NIST SP 800-53A Assessment Methods
Security Control Baseline Categorization
CNSSI 1253 Baseline Categorization
New Controls Planned In Revision 4
FedRAMP Controls
SP 800-53 Security Controls To HIPAA Security Rule
PCI DSS Standards
Appendix D: Assessment Method Definitions, Applicable Objects, and Attributes
Glossary
Common Acronyms in this Book
References
Index
Details
- No. of pages: 316
- Language: English
- Copyright: © Syngress 2013
- Published: 22nd July 2013
- Imprint: Syngress
- Paperback ISBN: 9781597499958
- eBook ISBN: 9780124047235
About the Author
James Broad
James Broad (CISSP, C|EH, CPTS, Security+, MBA) is the President and owner of Cyber-Recon, LLC, where he and his team of consultants specialize in information security, information assurance, and certification and accreditation, and offer other security consultancy services to corporate and government clients. As a security professional with over 20 years of real-world IT experience, James is an expert in many areas of IT security, specializing in security engineering, penetration testing, vulnerability analysis and research. He has provided security services in the nation's most critical sectors, including defense, law enforcement, intelligence, finance and healthcare.
Affiliations and Expertise
President and Owner, Cyber-Recon, LLC.
Reviews
"Writing for technical, administrative, and management professionals within the US government, information security consultant Broad explains the basics of the risk management framework as it pertains to the systems development life cycle of federal information technology systems, and suggests how to use this information during the development, assessment, and continuous monitoring of those systems." --Reference & Research Book News, December 2013