2nd Edition

Official (ISC)2® Guide to the CAP® CBK®

By Patrick D. Howard. Copyright 2013.
    462 pages, 9 B/W illustrations.
    Published by Auerbach Publications.

    Significant developments since the publication of its bestselling predecessor, Building and Implementing a Security Certification and Accreditation Program, warrant an updated text as well as an updated title. Reflecting recent updates to the Certified Authorization Professional (CAP®) Common Body of Knowledge (CBK®) and NIST SP 800-37, the Official (ISC)2 Guide to the CAP® CBK®, Second Edition provides readers with the tools to effectively secure their IT systems via standard, repeatable processes.

    Derived from the author’s decades of experience, including time as the CISO for the Nuclear Regulatory Commission, the Department of Housing and Urban Development, and the National Science Foundation’s Antarctic Support Contract, the book describes what it takes to build a system security authorization program at the organizational level in both public and private organizations. It analyzes the full range of system security authorization (formerly C&A) processes and explains how they interrelate. Outlining a user-friendly approach for top-down implementation of IT security, the book:

    • Details an approach that simplifies the authorization process, yet still satisfies current federal government criteria
    • Explains how to combine disparate processes into a unified risk management methodology
    • Covers all the topics included in the Certified Authorization Professional (CAP®) Common Body of Knowledge (CBK®)
    • Examines U.S. federal policies, including DITSCAP, NIACAP, CNSS, NIAP, DoD 8500.1 and 8500.2, and NIST FIPS
    • Reviews the tasks involved in certifying and accrediting U.S. government information systems

    Chapters 1 through 7 describe each of the domains of the (ISC)2 CAP® CBK®. This is followed by a case study on the establishment of a successful system authorization program in a major U.S. government department. The final chapter considers the future of system authorization. The book’s appendices include a collection of helpful samples and additional information to provide you with the tools to effectively secure your IT systems.

    Security Authorization of Information Systems
    Introduction
         Legal and Regulatory Framework for System Authorization
         External Program Drivers
         System-Level Security
         Defining System Authorization
         Resistance to System Authorization
         Benefits of System Authorization
    Key Elements of an Enterprise System Authorization Program
         The Business Case
         Goal Setting
         Tasks and Milestones
         Program Oversight
         Visibility
         Resources
         Program Guidance
         Special Issues
         Program Integration
         System Authorization Points of Contact
         Measuring Progress
         Managing Program Activities
         Monitoring Compliance
         Providing Advice and Assistance
         Responding to Changes
         Program Awareness, Training, and Education
         Using Expert Systems
         Waivers and Exceptions
    NIST Special Publication 800-37, Revision 1, and the Application of the Risk Management Framework to Systems
         Overview
         Authority and Scope
         Purpose and Applicability
         Target Audience
    Fundamentals of Information System Risk Management According to NIST SP 800-37, Revision 1
         Guidance on Organization-Wide Risk Management
         Organization Level (Tier 1)
         Mission/Business Process Level (Tier 2)
         Information System Level (Tier 3)
         Guidance on Risk Management in the System Development Life Cycle
         NIST’s Risk Management Framework
         Guidance on System Boundary Definition
         Guidance on Software Application Boundaries
         Guidance on Complex Systems
         Guidance on the Impact of Technological Changes on System Boundaries
         Guidance on Dynamic Subsystems
         Guidance on External Subsystems
         Guidance on Security Control Allocation
         Guidance on Applying the Risk Management Framework
         Summary of NIST Guidance
    System Authorization Roles and Responsibilities
         Primary Roles and Responsibilities
         Other Roles and Responsibilities
         Additional Roles and Responsibilities from NIST SP 800-37, Revision 1
         Documenting Roles and Responsibilities
         Job Descriptions
         Position Sensitivity Designations
         Personnel Transition
         Time Requirements
         Expertise Requirements
         Using Contractors
         Routine Duties
         Organizational Skills
         Organizational Placement of the System Authorization Function
    The System Authorization Life Cycle
         Initiation Phase
         Acquisition/Development Phase
         Implementation Phase
         Operations/Maintenance Phase
         Disposition Phase
         Challenges to Implementation
    Why System Authorization Programs Fail
         Program Scope
         Assessment Focus
         Short-Term Thinking
         Long-Term Thinking
         Poor Planning
         Lack of Responsibility
         Excessive Paperwork
         Lack of Enforcement
         Lack of Foresight
         Poor Timing
         Lack of Support
    System Authorization Project Planning
         Planning Factors
         Dealing with People
         Team Member Selection
         Scope Definition
         Assumptions
         Risks
         Project Agreements
         Project Team Guidelines
         Administrative Requirements
         Reporting
         Other Tasks
         Project Kickoff
         Wrap-Up
         Observations
    The System Inventory Process
         Responsibility
         System Identification
         Small Systems
         Complex Systems
         Combining Systems
         Accreditation Boundaries
         The Process
         Validation
         Inventory Information
         Inventory Tools
         Using the Inventory
         Maintenance
         Observations
    Interconnected Systems
         The Solution
         Agreements in the System Authorization Process
         Trust Relationships
         Initiation
         Time Issues
         Exceptions
         Maintaining Agreements
         Security Authorization of Information Systems: Review Questions

    Information System Categorization
         Introduction
         Defining Sensitivity
         Data Sensitivity and System Sensitivity
         Sensitivity Assessment Process
         Data Classification Approaches
         Responsibility for Data Sensitivity Assessment
         Ranking Data Sensitivity
         National Security Information
         Criticality
         Criticality Assessment
         Criticality in the View of the System Owner
         Ranking Criticality
         Changes in Criticality and Sensitivity
    NIST Guidance on System Categorization
         Task 1-1: Categorize and Document the Information System
         Task 1-2: Describe the Information System
         Task 1-3: Register the Information System
         Information System Categorization: Review Questions

    Establishment of the Security Control Baseline
         Introduction
         Minimum Security Baselines and Best Practices
         Security Controls
         Levels of Controls
         Selecting Baseline Controls
         Use of the Minimum Security Baseline Set
         Common Controls
         Observations
    Assessing Risk
         Background
         Risk Assessment in System Authorization
         The Risk Assessment Process
         Step 1: System Characterization
         Step 2: Threat Identification
         Step 3: Vulnerability Identification
         Step 4: Control Analysis
         Step 5: Likelihood Determination
         Step 6: Impact Analysis
         Step 7: Risk Determination
         Step 8: Control Recommendations
         Step 9: Results Documentation
         Conducting the Risk Assessment
         Risk Categorization
         Documenting Risk Assessment Results
         Using the Risk Assessment
         Overview of NIST Special Publication 800-30, Revision 1
         Observations
    System Security Plans
         Applicability
         Responsibility
         Plan Contents
         What a Security Plan Is Not
         Plan Initiation
         Information Sources
         Security Plan Development Tools
         Plan Format
         Plan Approval
         Plan Maintenance
         Plan Security
         Plan Metrics
         Resistance to Security Planning
         Observations
    NIST Guidance on Security Controls Selection
         Task 2-1: Identify Common Controls
         Task 2-2: Select Security Controls
         Task 2-3: Develop Monitoring Strategy
         Task 2-4: Approve Security Plan
         Establishment of the Security Control Baseline: Review Questions

    Application of Security Controls
    Introduction
    Security Procedures
         Purpose
         The Problem with Procedures
         Responsibility
         Procedure Templates
         Process for Developing Procedures
         Style
         Formatting
         Access
         Maintenance
         Common Procedures
         Procedures in the System Authorization Process
         Observations
    Remediation Planning
         Managing Risk
         Applicability of the Remediation Plan
         Responsibility for the Plan
         Risk Remediation Plan Scope
         Plan Format
         Using the Plan
         When to Create the Plan
         Risk Mitigation Meetings
         Observations
    NIST Guidance on Implementation of Security Controls
         Task 3-1: Implement Security Controls
         Task 3-2: Document Security Control Implementation
         Application of Security Controls: Review Questions

    Assessment of Security Controls
         Introduction
         Scope of Testing
         Level of Effort
         Assessor Independence
         Developing the Test Plan
         The Role of the Host
         Test Execution
         Documenting Test Results
    NIST Guidance on Assessment of Security Control Effectiveness
         Task 4-1: Prepare for Controls Assessment
         Task 4-2: Assess Security Controls
         Task 4-3: Prepare Security Assessment Report
         Task 4-4: Conduct Remediation Actions
         Assessment of Security Controls: Review Questions

    Information System Authorization
    Introduction
    System Authorization Decision Making
         The System Authorization Authority
         Authorization Timing
         The Authorization Letter
         Authorization Decisions
         Designation of Approving Authorities
         Approving Authority Qualifications
         Authorization Decision Process
         Actions Following Authorization
         Observations
    Essential System Authorization Documentation
         Authority
         System Authorization Package Contents
         Excluded Documentation
         The Certification Statement
         Transmittal Letter
         Administration
         Observations
    NIST Guidance on Authorization of Information Systems
         Task 5-1: Prepare Plan of Action and Milestones
         Task 5-2: Prepare Security Authorization Package
         Task 5-3: Conduct Risk Determination
         Task 5-4: Perform Risk Acceptance

    Security Controls Monitoring
    Introduction
    Continuous Monitoring
         Configuration Management/Configuration Control
         Security Controls Monitoring
         Status Reporting and Documentation
         Key Roles in Continuous Monitoring
         Reaccreditation Decision
    NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the Information System
         Task 6-1: Analyze Impact of Information System and Environment Changes
         Task 6-2: Conduct Ongoing Security Control Assessments
         Task 6-3: Perform Ongoing Remediation Actions
         Task 6-4: Perform Key Updates
         Task 6-5: Report Security Status
         Task 6-6: Perform Ongoing Risk Determination and Acceptance
         Task 6-7: Information System Removal and Decommissioning
         Security Controls Monitoring: Review Questions

    System Authorization Case Study
    Situation
    Action Plan
    Lessons Learned
    Tools
    Document Templates
    Coordination
    Role of the Inspector General
    Compliance Monitoring
    Measuring Success
    Project Milestones
    Interim Accreditation
    Management Support and Focus
    Results and Future Challenges

    The Future of Information System Authorization
    Appendix A: References
    Appendix B: Glossary
    Appendix C: Sample Statement of Work
    Appendix D: Sample Project Work Plan
    Appendix E: Sample Project Kickoff Presentation Outline
    Appendix F: Sample Project Wrap-Up Presentation Outline
    Appendix G: Sample System Inventory Policy
    Appendix H: Sample Business Impact Assessment
    Appendix I: Sample Rules of Behavior (General Support System)
    Appendix J: Sample Rules of Behavior (Major Application)
    Appendix K: Sample System Security Plan Outline
    Appendix L: Sample Memorandum of Understanding
    Appendix M: Sample Interconnection Security Agreement
    Appendix N: Sample Risk Assessment Outline
    Appendix O: Sample Security Procedure
    Appendix P: Sample Certification Test Results Matrix
    Appendix Q: Sample Risk Remediation Plan
    Appendix R: Sample Certification Statement
    Appendix S: Sample Accreditation Letter
    Appendix T: Sample Interim Accreditation Letter
    Appendix U: Certification and Accreditation Professional (CAP®) Common Body of Knowledge (CBK®)
    Appendix V: Answers to Review Questions

    Biography

    Patrick D. Howard, CISSP, CISM, is a senior consultant for SecureInfo, a Kratos Company. He has over 40 years of experience in security, including 20 years of service as a U.S. Army Military Police officer, and has specialized in information security since 1989. Mr. Howard began his service as the Chief Information Security Officer for the National Science Foundation’s Antarctic Support Contract in Centennial, Colorado, in March 2012. He previously served as CISO for the Nuclear Regulatory Commission in Rockville, Maryland, from 2008 to 2012, and for the Department of Housing and Urban Development from 2005 to 2008. Mr. Howard was named a Fed 100 winner in 2007, and is the author of three information security books: The Total CISSP Exam Prep Book, 2002; Building and Implementing a Security Certification and Accreditation Program, 2006; and Beyond Compliance: FISMA Principles and Best Practices, 2011. He is a member of the International Information Systems Security Certification Consortium’s Government Advisory Board and Executive Writer’s Bureau, which he chairs. Mr. Howard is also an adjunct professor of Information Assurance at Walsh College, Troy, Michigan. He graduated with a Bachelor’s degree from the University of Oklahoma in 1971 and a Master’s degree from Boston University in 1984.

    Praise for the popular first edition:

    This book focuses on the processes that must be employed by an organization to establish a certification and accreditation program based on current federal government criteria… Pat has structured this book to address the key issues in certification and accreditation, including roles and responsibilities, the life cycle, and even a discussion of pitfalls to avoid. As with all of Pat’s work, he provides the reader with practical information on what works and what does not … Even if government certification and accreditation is not your concern, the new ISO 27002 (formerly ISO 17799) will require all of us to look for a process to make certification and accreditation bearable. Pat has succeeded in doing just that with this practical and readable book.
    —Thomas R. Peltier, Peltier Associates, Member of the ISSA Hall of Fame