Security Controls Evaluation, Testing, and Assessment Handbook - 1st Edition - ISBN: 9780128023242, 9780128025642

Security Controls Evaluation, Testing, and Assessment Handbook

1st Edition

Authors: Leighton Johnson
eBook ISBN: 9780128025642
Paperback ISBN: 9780128023242
Imprint: Syngress
Published Date: 14th December 2015
Page Count: 678
Sales tax will be calculated at check-out Price includes VAT/GST
Price includes VAT/GST

Institutional Subscription

Secure Checkout

Personal information is secured with SSL technology.

Free Shipping

Free global shipping
No minimum order.


Security Controls Evaluation, Testing, and Assessment Handbook provides a current and well-developed approach to evaluation and testing of security controls to prove they are functioning correctly in today's IT systems. This handbook shows you how to evaluate, examine, and test installed security controls in the world of threats and potential breach actions surrounding all industries and systems. If a system is subject to external or internal threats and vulnerabilities - which most are - then this book will provide a useful handbook for how to evaluate the effectiveness of the security controls that are in place.

Security Controls Evaluation, Testing, and Assessment Handbook shows you what your security controls are doing and how they are standing up to various inside and outside threats. This handbook provides guidance and techniques for evaluating and testing various computer security controls in IT systems.

Author Leighton Johnson shows you how to take FISMA, NIST Guidance, and DOD actions and provide a detailed, hands-on guide to performing assessment events for information security professionals who work with US federal agencies. As of March 2014, all agencies are following the same guidelines under the NIST-based Risk Management Framework. This handbook uses the DOD Knowledge Service and the NIST Families assessment guides as the basis for needs assessment, requirements, and evaluation efforts for all of the security controls. Each of the controls can and should be evaluated in its own unique way, through testing, examination, and key personnel interviews. Each of these methods is discussed.

Key Features

  • Provides direction on how to use SP800-53A, SP800-115, DOD Knowledge Service, and the NIST Families assessment guides to implement thorough evaluation efforts for the security controls in your organization.
  • Learn how to implement proper evaluation, testing, and assessment procedures and methodologies with step-by-step walkthroughs of all key concepts.
  • Shows you how to implement assessment techniques for each type of control, provide evidence of assessment, and proper reporting techniques.


IT security professionals (security auditors and engineers, compliance specialists, etc.); IT professionals (network administrators, IT managers, security managers and analysts, directors of security, etc.)

Table of Contents

  • Dedication
  • Introduction
  • Section I
    • Chapter 1: Introduction to Assessments
      • Abstract
    • Chapter 2: Risk, Security, and Assurance
      • Abstract
      • Risk management
      • Risk assessments
      • Security controls
    • Chapter 3: Statutory and Regulatory GRC
      • Abstract
      • Statutory requirements
      • Executive Orders/Presidential Directives
      • Federal processing standards
      • Regulatory requirements
      • OMB requirements for each agency
    • Chapter 4: Federal RMF Requirements
      • Abstract
      • Federal civilian agencies
      • DOD – DIACAP – RMF for DOD IT
      • IC – ICD 503
      • FedRAMP
      • NIST Cybersecurity Framework
    • Chapter 5: Risk Management Framework
      • Abstract
      • Step 1 – categorization
      • Step 2 – selection
      • Step 3 – implementation
      • Step 4 – assessment
      • Step 5 – authorization
      • Step 6 – monitoring
    • Chapter 6: Roles and Responsibilities
      • Abstract
      • Organizational roles
      • Individual roles
      • DOD roles
  • Section II
    • Introduction
      • What is an assessment?
      • Experiences and the process
    • Chapter 7: Assessment Process
      • Abstract
      • Focus
      • Guidance
    • Chapter 8: Assessment Methods
      • Abstract
      • Evaluation methods and their attributes
      • Processes
    • Chapter 9: Assessment Techniques for Each Kind of Control
      • Abstract
      • Security assessment plan developmental process
      • Security assessment actions
      • Security controls by family
    • Chapter 10: System and Network Assessments
      • Abstract
      • 800-115 introduction
      • Assessment techniques
      • Network testing purpose and scope
      • Testing roles and responsibilities
      • Security testing techniques
      • Four phases of penetration testing
      • Post-test actions to be taken
      • General schedule for testing categories
    • Chapter 11: Security Component Fundamentals for Assessment
      • Abstract
      • Management areas of consideration
      • Management controls
      • Information security resources
      • Measures of performance (SP 800-55)
      • Measures of performance
      • Federal enterprise architecture
      • System and services acquisition (SA)
      • Security services life cycle
      • Information security and external parties
      • CA – security assessment and authorization
      • PL – planning family and family plans
      • RA – risk assessment family
      • Critical success factors to information security management
      • Operational areas of consideration
      • Operational security controls key concepts
      • Physical security
      • Personnel security
      • System integrity
      • Technical areas of consideration
      • Access control
      • Identification and authentication
      • Log-on IDs and passwords
      • Systems and communications protection
      • Wireless networking
      • Firewalls
      • Audit and accounting
    • Chapter 12: Evidence of Assessment
      • Abstract
      • Types of evidence
      • Documentation requirements
    • Chapter 13: Reporting
      • Abstract
      • Key elements for assessment reporting
      • The assessment findings
      • Security Assessment Report
      • Executive summary
      • Risk Assessment Report
      • Artifacts as reports
      • Privacy impact assessment report
      • Remediation efforts during and subsequent to assessment
      • POAMs
    • Chapter 14: Conclusion
      • Abstract
  • Appendix A: Acronym List
  • Appendix B: FedRAMP Assessment Process and Templates
  • Appendix C: Templates for Testing and Evaluation Reports
  • Subject Index


No. of pages:
© Syngress 2016
eBook ISBN:
Paperback ISBN:

About the Author

Leighton Johnson

Leighton Johnson is the CTO and Senior Security Engineer for Information Security and Forensics Management Team (ISFMT), a provider of computer security, forensics consulting & certification training. He has over 38 years experience in Computer Security, Software Development and Communications Equipment Operations & Maintenance. Primary focus areas have included computer security, information operations & assurance, software system development life cycle focused on modeling & simulation systems, systems engineering and integration activities, anti-terrorism/cyber terrorism, database administration, business process & data modeling. He just completed service as the AT/COOP task lead for a DOD Field Agency, based in Alexandria, VA. He recently was the CIO for a 450 person directorate within Lockheed Martin IS&GS covering 9 locations within the Eastern and Midwestern parts of the U.S. He previously served as Security Operations Program Manager for a US DOD Field Agency, based in Arlington, VA.

He is a member of the CSA CloudSIRT working group developing the model for response collaboration among cloud providers, responders and users; the CSA Security-as-a-Service working group developing the definitions for SECaaS requirements and models, as well as a member of the IEEE Education working groups on Cloud and on Computer Software Security. He recently served as a member of the IS Alliance – NIST joint working group on VOIP SCAP security. He has taught Digital and Network Forensics courses at Georgia Regents University. He holds CISM (Certified Information Security Manager), CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), CIFI (Certified Information Forensics Investigator), CSSLP (Certified Secure Software Lifecycle Professional), CAP (Certified Authorization Professional), CRISC (Certified in Risk & Information Systems Control), CMAS (Certified Master Antiterrorism Specialist), CAS-CTR (Certified Antiterrorism Specialist – Cyber Terrorism Response) and MBCI (Certified Member Business Continuity Institute) credentials.

Affiliations and Expertise

CTO and Senior Security Engineer for Information Security and Forensics Management Team (ISFMT)

Ratings and Reviews