Title:
Building and implementing a security certification and accreditation program : official (ISC) guide to the CAP CBK
Personal Author:
Publication Information:
Boca Raton, FL : Auerbach Publications, 2006
ISBN:
9780849320620
Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
|---|---|---|---|---|---|
Searching... | 30000010132711 | QA76.3 H68 2006 | Open Access Book | Book | Searching... |
On Order
Summary
Summary
Building and Implementing a Security Certification and Accreditation Program: Official (ISC)2Guide to the CAP CBK demonstrates the practicality and effectiveness of certification and accreditation (C&A) as a risk management methodology for IT systems in both public and private organizations. It provides security professionals with an overview of C&A components, enabling them to document the status of the security controls of their IT systems, and learn how to secure systems via standard, repeatable processes.
This book consists of four main sections. It begins with a description of what it takes to build a certification and accreditation program at the organization level, followed by an analysis of various C&A processes and how they interrelate. The text then provides a case study of the successful implementation of certification and accreditation in a major U.S. government department. It concludes by offering a collection of helpful samples in the appendices.
Table of Contents
| Foreword | p. xv |
| Preface | p. xvii |
| Acknowledgments | p. xix |
| Introduction | p. xxi |
| The Author | p. xxix |
| Section I Building a Successful Enterprise Certification and Accreditation Program | |
| 1 Key Elements of an Enterprise Certification and Accreditation Program | p. 3 |
| The Certification and Accreditation Business Case | p. 3 |
| Certification and Accreditation Goal Setting | p. 4 |
| Establishing Program Tasks and Milestones | p. 6 |
| Overseeing Program Execution | p. 6 |
| Maintaining Program Visibility | p. 7 |
| Resources | p. 9 |
| Developing Guidance | p. 9 |
| Program Integration | p. 12 |
| Establishing Certification and Accreditation Points of Contact | p. 14 |
| Measuring Progress | p. 14 |
| Tracking Program Activities | p. 16 |
| Tracking Compliance | p. 17 |
| Providing Advice and Assistance | p. 18 |
| Responding to Changes | p. 20 |
| Program Awareness, Training, and Education | p. 21 |
| Use of Expert Systems | p. 21 |
| Waivers and Exceptions to Policy | p. 23 |
| Summary | p. 24 |
| 2 Certification and Accreditation Roles and Responsibilities | p. 25 |
| Primary Roles and Responsibilities | p. 25 |
| Other Roles and Responsibilities | p. 27 |
| Documenting Roles and Responsibilities | p. 29 |
| Job Descriptions | p. 30 |
| Position Sensitivity Designations | p. 30 |
| Personnel Transition | p. 30 |
| Time Requirements | p. 33 |
| Expertise Required | p. 33 |
| Using Contractors | p. 34 |
| Routine Duties | p. 35 |
| Organizational Skills | p. 36 |
| Organizational Placement of the Certification and Accreditation Function | p. 37 |
| Summary | p. 37 |
| 3 The Certification and Accreditation Life Cycle | p. 41 |
| Initiation Phase | p. 44 |
| Acquisition/Development Phase | p. 44 |
| Implementation Phase | p. 45 |
| Operations/Maintenance Phase | p. 45 |
| Disposition Phase | p. 46 |
| Challenges to Implementation | p. 48 |
| Summary | p. 50 |
| 4 Why Certification and Accreditation Programs Fail | p. 51 |
| Problems in Program Scope | p. 51 |
| Assessment Focus | p. 52 |
| Short-Term Thinking | p. 52 |
| Long-Term Thinking | p. 52 |
| Poor Planning | p. 53 |
| Lack of Responsibility | p. 54 |
| Too Much Paperwork | p. 54 |
| Lack of Enforcement | p. 54 |
| Lack of Foresight | p. 55 |
| Poor Timing | p. 55 |
| Lack of Support | p. 56 |
| Summary | p. 56 |
| Section II Certification and Accreditation Processes | |
| 5 Certification and Accreditation Project Planning | p. 61 |
| Planning Factors | p. 61 |
| Dealing with People | p. 62 |
| Team Member Selection | p. 63 |
| Scope Definition | p. 64 |
| Assumptions | p. 65 |
| Risks | p. 65 |
| Project Agreements | p. 66 |
| Project Team Guidelines | p. 66 |
| Administrative Requirements | p. 67 |
| Reporting | p. 68 |
| Other Tasks | p. 71 |
| Project Kickoff | p. 72 |
| Wrap-Up | p. 72 |
| Summary | p. 73 |
| 6 System Inventory Process | p. 75 |
| Responsibility | p. 77 |
| System Identification | p. 78 |
| Small Systems | p. 79 |
| Large Systems | p. 79 |
| Combining Systems | p. 80 |
| Accreditation Boundaries | p. 80 |
| The Process | p. 82 |
| Validation | p. 82 |
| Inventory Information | p. 83 |
| Inventory Tools | p. 83 |
| Using the Inventory | p. 84 |
| Maintenance | p. 86 |
| Summary | p. 88 |
| 7 Assessing Data Sensitivity and Criticality | p. 91 |
| Defining Sensitivity | p. 91 |
| Data Sensitivity and System Sensitivity | p. 93 |
| Sensitivity Assessment Process | p. 93 |
| Data Classification Approaches | p. 95 |
| Responsibility for Data Sensitivity Assessment | p. 96 |
| Ranking Data Sensitivity | p. 96 |
| Criticality | p. 97 |
| Criticality Assessment | p. 99 |
| Criticality in the View of the System Owner | p. 102 |
| Ranking Criticality | p. 102 |
| Changes in Criticality and Sensitivity | p. 103 |
| Summary | p. 104 |
| 8 System Security Plans | p. 105 |
| Applicability | p. 105 |
| Responsibility | p. 106 |
| Plan Contents | p. 106 |
| What a Security Plan Is Not | p. 110 |
| Plan Initiation | p. 111 |
| Information Sources | p. 112 |
| Security Plan Development Tools | p. 112 |
| Plan Format | p. 114 |
| Plan Approval | p. 114 |
| Plan Maintenance | p. 114 |
| Plan Security | p. 116 |
| Plan Metrics | p. 117 |
| Resistance to Security Plans | p. 117 |
| Summary | p. 118 |
| 9 Coordinating Security for Interconnected Systems | p. 119 |
| The Solution | p. 119 |
| Agreements in the Certification and Accreditation Process | p. 120 |
| Trust Relationships | p. 121 |
| Initiation | p. 121 |
| Time Issues | p. 122 |
| Exceptions | p. 124 |
| Maintaining Agreements | p. 124 |
| Summary | p. 125 |
| 10 Minimum Security Baselines and Best Practices | p. 127 |
| Levels of Controls | p. 128 |
| Selecting Baseline Controls | p. 128 |
| Use of the Minimum Security Baseline Set | p. 132 |
| Summary | p. 133 |
| 11 Assessing Risk | p. 135 |
| Background | p. 135 |
| Risk Assessment in Certification and Accreditation | p. 137 |
| Risk Assessment Process | p. 138 |
| Asset Identification | p. 138 |
| Threat Identification | p. 138 |
| Vulnerability Assessment | p. 139 |
| Risk Calculation | p. 142 |
| Safeguard Identification | p. 144 |
| Risk Assessment Execution | p. 144 |
| Risk Categorization | p. 147 |
| Documenting Risk Assessment Results | p. 147 |
| Summary | p. 148 |
| 12 Security Procedures | p. 149 |
| Purpose | p. 149 |
| The Problem with Procedures | p. 150 |
| Responsibility | p. 150 |
| Procedure Templates | p. 151 |
| The Procedure Development Process | p. 151 |
| Style | p. 151 |
| Formatting | p. 154 |
| Access | p. 155 |
| Maintenance | p. 155 |
| Common Procedures | p. 155 |
| Procedures in the Certification and Accreditation Process | p. 156 |
| Summary | p. 156 |
| 13 Certification Testing | p. 159 |
| Scope | p. 159 |
| Level of Effort | p. 160 |
| Independence | p. 160 |
| Developing the Test Plan | p. 163 |
| The Role of the Host | p. 170 |
| Test Execution | p. 171 |
| Documenting Test Results | p. 173 |
| Summary | p. 174 |
| 14 Remediation Planning | p. 175 |
| Applicability of the Remediation Plan | p. 176 |
| Responsibility for the Plan | p. 176 |
| Risk Remediation Plan Scope | p. 177 |
| Plan Format | p. 177 |
| Using the Plan | p. 182 |
| When to Create the Plan | p. 183 |
| Risk Mitigation Meetings | p. 185 |
| Summary | p. 186 |
| 15 Essential Certification and Accreditation Documentation | p. 187 |
| Authority | p. 190 |
| Certification Package Contents | p. 190 |
| Excluded Documentation | p. 191 |
| The Certification Statement | p. 192 |
| Transmittal Letter | p. 192 |
| Administration | p. 193 |
| Summary | p. 193 |
| 16 Documenting the Accreditation Decision | p. 195 |
| The Accrediting Authority | p. 196 |
| Timing | p. 196 |
| The Accreditation Letter | p. 196 |
| Conditional and Interim Accreditation | p. 198 |
| Designation of Approving Authorities | p. 198 |
| Approving Authority Qualifications | p. 200 |
| Accreditation Decision Process | p. 200 |
| Actions Following Accreditation | p. 202 |
| Summary | p. 203 |
| Section III Certification and Accreditation Case Study | |
| Situation | p. 205 |
| Action Plan | p. 206 |
| Lessons Learned | p. 207 |
| Tools | p. 211 |
| Document Templates | p. 213 |
| Coordination | p. 215 |
| Role of the Inspector General | p. 215 |
| Compliance Monitoring | p. 216 |
| Measuring Success | p. 216 |
| Project Milestones | p. 217 |
| Interim Accreditation | p. 217 |
| Management Support and Focus | p. 218 |
| Results and Future Challenges | p. 218 |
| Summary | p. 219 |
| Section IV The Future of Certification and Accreditation | |
| Section V Appendices | |
| Appendix A Certification and Accreditation References | p. 227 |
| Appendix B Glossary | p. 229 |
| Appendix C Sample Statement of Work | p. 239 |
| Appendix D Sample Project Work Plan | p. 247 |
| Appendix E Sample Project Kickoff Presentation Outline | p. 249 |
| Appendix F Sample Project Wrap-Up Presentation Outline | p. 255 |
| Appendix G Sample System Inventory Policy | p. 259 |
| Appendix H Sample Business Impact Assessment | p. 261 |
| Appendix I Sample Rules of Behavior (General Support System) | p. 265 |
| Appendix J Sample Rules of Behavior (Major Application) | p. 267 |
| Appendix K Sample System Security Plan Outline | p. 269 |
| Appendix L Sample Memorandum of Understanding | p. 271 |
| Appendix M Sample Interconnection Security Agreement | p. 275 |
| Appendix N Sample Risk Assessment Outline | p. 279 |
| Appendix O Sample Security Procedure | p. 281 |
| Appendix P Sample Certification Test Results Matrix | p. 285 |
| Appendix Q Sample Risk Remediation Plan | p. 289 |
| Appendix R Sample Certification Statement | p. 293 |
| Appendix S Sample Accreditation Letter | p. 297 |
| Appendix T Sample Interim Accreditation Letter | p. 299 |
| Section VI Index | |
| Index | p. 303 |
