FISMA Compliance Handbook
Second Edition
- 1st Edition - August 20, 2013
- Author: Laura P. Taylor
- Language: English
- Paperback ISBN: 9780124058712
- eBook ISBN: 9780124059153
This comprehensive book instructs IT managers to adhere to federally mandated compliance requirements. FISMA Compliance Handbook Second Edition explains what the requirements are for FISMA compliance and why FISMA compliance is mandated by federal law. The evolution of Certification and Accreditation is discussed.
This book walks the reader through the entire FISMA compliance process and includes guidance on how to manage a FISMA compliance project from start to finish. The book has chapters for all FISMA compliance deliverables and includes information on how to conduct a FISMA compliant security assessment.
Various topics discussed in this book include the NIST Risk Management Framework, how to characterize the sensitivity level of your system, contingency planning, system security plan development, security awareness training, privacy impact assessments, security assessments, and more. Readers will learn how to obtain an Authority to Operate for an information system and what actions to take with regard to vulnerabilities and audit findings.
FISMA Compliance Handbook Second Edition also includes all-new coverage of federal cloud computing compliance from author Laura Taylor, the federal government’s technical lead for FedRAMP, the government program used to assess and authorize cloud products and services.
- Includes new information on cloud computing compliance from Laura Taylor, the federal government’s technical lead for FedRAMP
- Includes coverage for both corporate and government IT managers
- Learn how to prepare for, perform, and document FISMA compliance projects
- This book is used by various colleges and universities in information security and MBA curriculums
Information Security professionals of all levels, systems administrators, information technology leaders, network administrators, information auditors, security managers, and an academic audience among information assurance majors.
Dedication
Author Acknowledgments
About the Author
Foreword
Chapter 1. FISMA Compliance Overview
Abstract
Topics in this chapter
Introduction
Terminology
Processes and paperwork
Templates streamline the process
FISMA oversight and governance
Supporting government security regulations
Summary
References
Chapter 2. FISMA Trickles into the Private Sector
Abstract
Topics in this chapter
Introduction and authorities
Inspector General reports
What should NGOs do regarding FISMA?
FISMA compliance tools
Summary
Chapter 3. FISMA Compliance Methodologies
Abstract
Topics in this chapter
Introduction
The NIST risk management framework (RMF)
Defense information assurance C&A process (DIACAP)
Department of Defense (DoD) risk management framework (RMF)
ICD 503 and DCID 6/3
The common denominator of FISMA compliance methodologies
FISMA compliance for private enterprises
Legacy methodologies
Summary
Notes
Chapter 4. Understanding the FISMA Compliance Process
Abstract
Topics in this chapter
Introduction
Recognizing the need for FISMA compliance
Roles and responsibilities
Stepping through the process
FISMA project management
Summary
Chapter 5. Establishing a FISMA Compliance Program
Abstract
Topics in this chapter
Introduction
Compliance handbook development
Create a standardized security assessment process
Provide package delivery instructions
Authority and endorsement
Improve your compliance program each year
Problems of not having a compliance program
Summary
Chapter 6. Getting Started on Your FISMA Project
Abstract
Topics in this chapter
Introduction
Initiate your project
Analyze your research
Develop the documents
Verify your information
Retain your ethics
Summary
Chapter 7. Preparing the Hardware and Software Inventory
Abstract
Topics in this chapter
Introduction
Determining the system boundaries
Collecting the inventory information
Structure of inventory information
Delivery of inventory document
Summary
Chapter 8. Categorizing Data Sensitivity
Abstract
Topics in this chapter
Introduction
Heed this warning before you start
Confidentiality, Integrity, and Availability
Template for FIPS 199 Profile
The explanatory memo
National Security Systems
Summary
Chapter 9. Addressing Security Awareness and Training
Abstract
Topics in this chapter
Introduction and authorities
Purpose of security awareness and training
Elements of the security awareness and training plan
Specialized security training
Security awareness
The awareness and training message
Security awareness and training checklist
Security awareness course evaluation
Summary
Reference
Chapter 10. Addressing Rules of Behavior
Abstract
Topics in this chapter
Introduction
Implementing Rules of Behavior
Rules for internal and external users
What rules to include
Consequences of noncompliance
Rules of Behavior checklist
Summary
Chapter 11. Developing an Incident Response Plan
Abstract
Topics in this chapter
Introduction
Purpose and applicability
Policies, procedures, and guidelines
Reporting framework
Roles and responsibilities
Definitions
Incident handling
Forensic investigations
Incident types
Incident Response Plan checklist
Security Incident Reporting Form
Summary
Additional resources
Incident response organizations
Books on incident response
Articles and papers on incident response
Chapter 12. Conducting a Privacy Impact Assessment
Abstract
Topics in this chapter
Introduction
Privacy laws, regulations, and rights
OMB Memoranda with privacy implications
Laws and regulations
When to conduct a PIA?
Questions for a privacy impact assessment
Personally identifiable information (PII)
Persistent tracking technologies
Decommissioning of PII
System of record notice (SORN)
Posting the privacy policy
PIA checklist
Summary
Books on privacy
References
Chapter 13. Preparing the Business Impact Analysis
Abstract
Topics in this chapter
Introduction
Terminology
Document actual recovery times
Establish relative recovery priorities
Define escalation thresholds
Record license keys
BIA Organization
Summary
Additional resources
Chapter 14. Developing the Contingency Plan
Abstract
Topics in this chapter
Introduction
List assumptions
Concept of operations
Roles and responsibilities
Levels of disruption
Procedures
Line of succession
Service-Level Agreements
Contact lists
Testing the Contingency Plan
Appendices
Contingency Plan checklist
Additional resources
Chapter 15. Developing a Configuration Management Plan
Abstract
Topics in this chapter
Introduction
Establish definitions
Describe assets controlled by the plan
Describe the configuration management system
Define roles and responsibilities
Describe baselines
Change control process
Configuration management audit
Configuration and change management tools
Configuration Management Plan checklist
Summary
Additional resources
Chapter 16. Preparing the System Security Plan
Abstract
Topics in this chapter
Introduction
Laws, regulations, and policies
The system description
Security controls and requirements
Management controls
Operational controls
Technical controls
ISSO appointment letter
System security plan checklist
Summary
Additional resources
Note
Chapter 17. Performing the Business Risk Assessment
Abstract
Topics in this chapter
Introduction
Determine the mission
Create a mission map
Construct risk statements
Describe the sensitivity model
Quantitative risk assessment
Qualitative versus quantitative risk assessment
Make an informed decision
Summary
Books and articles on risk assessment
References
Chapter 18. Getting Ready for Security Testing
Abstract
Topics in this chapter
Introduction and authorities
Planning
Scoping
Assumptions and constraints
Schedule
Rules of Engagement
Limitation of Liability
End of testing
Summary
Additional resources
Chapter 19. Submitting the Security Package
Abstract
Topics in this chapter
Introduction
Structure of documents
Who puts the package together?
Markings and format
Signature pages
A word about “Not Applicable” information
Submission and revision
Defending the Security Package
Checklist
Summary
Additional resources
Chapter 20. Independent Assessor Audit Guide
Abstract
Topics in this chapter
Introduction
Test against the System’s security control baseline
How does confidentiality, integrity, and availability fit in?
Manual and automated testing
Security testing tools
Infrastructure scanners
Evaluations by Inspector Generals
Evaluations by the Government Accountability Office
Summary
Chapter 21. Developing the Security Assessment Report
Abstract
Topics in this chapter
Introduction
Analysis of test results
Risk assessment methodology
Present the risks
Checklist
Make decisions
Certification
Authority to operate
Interim authority to operate
Summary
Additional resources
Chapter 22. Addressing FISMA Findings
Abstract
Topics in this chapter
Introduction
POA&Ms
Development and approval
POA&M elements
A word to the wise
Checklist
Summary
Chapter 23. FedRAMP: FISMA for the Cloud
Abstract
Topics in this chapter
Introduction
What is cloud computing?
Looking at virtual machines another way
Sharding
Content delivery networks
FedRAMP security independent assessors
FedRAMP security assessments
The great value of FedRAMP
FedRAMP organization
Summary
Resources
Appendix A. FISMA
Title III—Information Security
Appendix B. OMB Circular A-130 Appendix III
Security of federal automated information resources
Appendix C. FIPS 199
Foreword
Authority
Table of contents
1 Purpose
2 Applicability
3 Categorization of information and information systems
APPENDIX A Terms and definitions
APPENDIX B References
Index
- No. of pages: 350
- Language: English
- Edition: 1
- Published: August 20, 2013
- Imprint: Syngress
- Paperback ISBN: 9780124058712
- eBook ISBN: 9780124059153