LIMITED OFFER
Save 50% on book bundles
Immediately download your ebook while waiting for your print delivery. No promo code needed.
FISMA and the Risk Management Framework
The New Practice of Federal Cyber Security
- 1st Edition - November 27, 2012
- Authors: Daniel R. Philpott, Stephen D. Gantz
- Language: English
- Paperback ISBN:9 7 8 - 1 - 5 9 7 4 9 - 6 4 1 - 4
- eBook ISBN:9 7 8 - 1 - 5 9 7 4 9 - 6 4 2 - 1
FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security deals with the Federal Information Security Management Act (FISMA), a law that provides the… Read more
Purchase options
Institutional subscription on ScienceDirect
Request a sales quoteFISMA and the Risk Management Framework: The New Practice of Federal Cyber Security deals with the Federal Information Security Management Act (FISMA), a law that provides the framework for securing information systems and managing risk associated with information resources in federal government agencies. Comprised of 17 chapters, the book explains the FISMA legislation and its provisions, strengths and limitations, as well as the expectations and obligations of federal agencies subject to FISMA. It also discusses the processes and activities necessary to implement effective information security management following the passage of FISMA, and it describes the National Institute of Standards and Technology's Risk Management Framework. The book looks at how information assurance, risk management, and information systems security is practiced in federal government agencies; the three primary documents that make up the security authorization package: system security plan, security assessment report, and plan of action and milestones; and federal information security-management requirements and initiatives not explicitly covered by FISMA. This book will be helpful to security officers, risk managers, system owners, IT managers, contractors, consultants, service providers, and others involved in securing, managing, or overseeing federal information systems, as well as the mission functions and business processes supported by those systems.
- Learn how to build a robust, near real-time risk management system and comply with FISMA
- Discover the changes to FISMA compliance and beyond
- Gain your systems the authorization they need
Information Security Auditors; Information Security Analysts, Penetration Testers, FISMA compliance staff, ST&E contractors, Information Security Engineers
Dedication
Trademarks
Acknowledgements
About the Author
Chapter 1. Introduction
Introduction
FISMA Applicability and Implementation
FISMA Provisions
Strengths and Shortcomings of FISMA
Structure and Content
Relevant Source Material
Summary
References
Chapter 2. Federal Information Security Fundamentals
Information Security in the Federal Government
Certification and Accreditation
Organizational Responsibilities
Relevant Source Material
Summary
References
Chapter 3. Thinking About Risk
Understanding Risk
Trust, Assurance, and Security
Risk Associated with Information Systems
Relevant Source Material
Summary
References
Chapter 4. Thinking About Systems
Defining Systems in Different Contexts
Perspectives on Information Systems
Establishing Information System Boundaries
Maintaining System Inventories
Relevant Source Material
Summary
References
Chapter 5. Success Factors
Prerequisites for Organizational Risk Management
Managing the Information Security Program
Compliance and Reporting
Organizational Success Factors
Measuring Security Effectiveness
Relevant Source Material
Summary
References
Chapter 6. Risk Management Framework Planning and Initiation
Planning
Planning the RMF Project
Prerequisites for RMF Initiation
Establishing a Project Plan
Roles and Responsibilities
Getting the Project Underway
Relevant Source Material
Summary
References
Chapter 7. Risk Management Framework Steps 1 & 2
Purpose and Objectives
Standards and Guidance
Step 1: Categorize Information System
Step 2: Select Security Controls
Relevant Source Material
Summary
References
Chapter 8. Risk Management Framework Steps 3 & 4
Working with Security Control Baselines
Roles and Responsibilities
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Relevant Source Material
Summary
References
Chapter 9. Risk Management Framework Steps 5 & 6
Preparing for System Authorization
Step 5: Authorize Information System
Step 6: Monitor Security Controls
Relevant Source Material
Summary
References
Chapter 10. System Security Plan
Purpose and Role of the System Security Plan
Structure and Content of the System Security Plan
Developing the System Security Plan
Managing System Security Using the SSP
Relevant Source Material
Summary
References
Chapter 11. Security Assessment Report
Security Assessment Fundamentals
Performing Security Control Assessments
The Security Assessment Report in Context
Relevant Source Material
Summary
References
Chapter 12. Plan of Action and Milestones
Regulatory Background
Structure and Content of the Plan of Action and Milestones
Weaknesses and Deficiencies
Producing the Plan of Action and Milestones
Maintaining and Monitoring the Plan of Action and Milestones
Relevant Source Material
Summary
References
Chapter 13. Risk Management
Risk Management
Three-Tiered Approach
Components of Risk Management
Information System Risk Assessments
Relevant Source Material
Summary
References
Chapter 14. Continuous Monitoring
The Role of Continuous Monitoring in the Risk Management Framework
Continuous Monitoring Process
Technical Solutions for Continuous Monitoring
Relevant Source Material
Summary
References
Chapter 15. Contingency Planning
Introduction to Contingency Planning
Contingency Planning and Continuity of Operations
Information System Contingency Planning
Developing the Information System Contingency Plan
Operational Requirements for Contingency Planning
Relevant Source Material
Summary
References
Chapter 16. Privacy
Privacy Requirements for Federal Agencies Under FISMA and the E-Government Act
Federal Agency Requirements Under the Privacy Act
Privacy Impact Assessments
Protecting Personally Identifiable Information (PII)
Other Legal and Regulatory Sources of Privacy Requirements
Relevant Source Material
Summary
References
Chapter 17. Federal Initiatives
Network Security
Cloud Computing
Application Security
Identity and Access Management
Other Federal Security Management Requirements
Relevant Source Material
Summary
References
Appendix A. References
References
Appendix B. Acronyms
Acronyms and Abbreviations
Appendix C. Glossary
Glossary
Index
- No. of pages: 584
- Language: English
- Edition: 1
- Published: November 27, 2012
- Imprint: Syngress
- Paperback ISBN: 9781597496414
- eBook ISBN: 9781597496421
DP
Daniel R. Philpott
Daniel Philpott is a Federal Information Security Architect with the Information Assurance Division of Tantus Technologies where he works with Federal agencies on FISMA compliance and Risk Management.
Dan is a respected information security practitioner specializing in Federal information security needs including FISMA, Cybersecurity, SCAP, FDCC, HSPD-12, risk management, governance, cloud computing, social media and web application security. He is founder of the FISMApedia.org wiki and FISMA Arts training project. You can find his comments and analysis at Guerilla-CISO.com and ArielSilverstone.com, where he is a guest blogger. As a sought after public speaker on Federal information security he is frequently featured in interviews and articles by a variety of security news sources and podcasts.
Dan started his career in IT at age 13, beta testing display terminals at ProType Corporation. Since that time he has held a variety of positions in the field. While often working on security issues (cryptography, host hardening, network hardening, resilient architectures and application security) he made information security his career in 1998 during his work at National Institute of Standards and Technology. In the Federal space he has worked with the National Institutes of Health, Department of Commerce Technology Administration, U.S. Agency for International Development and NIST. Having experienced Federal information security before and after FISMA he is a strong proponent of the changes FISMA has brought about.
Approaching information security with a strong focus on effective reduction of risk, Dan brings an technical and operational security perspective to the theory and practice of FISMA compliance. His long experience in the IT security field provides his Federal clients with depth of knowledge and a diverse skill set encompassing compliance, governance, practice, technology and risk management.
Affiliations and expertise
Daniel Philpott, Federal Information Security Architect, Information Assurance Division of Tantus TechnologiesSG
Stephen D. Gantz
Stephen Gantz (CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO) is an information security and IT consultant with over 20 years of experience in security and privacy management, enterprise architecture, systems development and integration, and strategic planning. He currently holds an executive position with a health information technology services firm primarily serving federal and state government customers. He is also an Associate Professor of Information Assurance in the Graduate School at University of Maryland University College. He maintains a security-focused website and blog at http://www.securityarchitecture.com.
Steve’s security and privacy expertise spans program management, security architecture, policy development and enforcement, risk assessment, and regulatory compliance with major legislation such as FISMA, HIPAA, and the Privacy Act. His industry experience includes health, financial services, higher education, consumer products, and manufacturing, but since 2000 his work has focused on security and other information resources management functions in federal government agencies. His prior work history includes completing projects for government clients including the Departments of Defense, Labor, and Health and Human Services, Office of Management and Budget, Federal Deposit Insurance Corporation, U.S. Postal Service, and U.S. Senate.
Steve holds a master’s degree in public policy from the Kennedy School of Government at Harvard University, and also earned his bachelor’s degree from Harvard. He is nearing completion of the Doctor of Management program at UMUC, where his dissertation focuses on trust and distrust in networks and inter-organizational relationships. Steve currently resides in Arlington, Virginia with his wife Reneé and children Henry, Claire, and Gillian.
Affiliations and expertise
CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, Founder and Principal Architect of SecurityArchitecture.com.Read FISMA and the Risk Management Framework on ScienceDirect