Index
Note: Page numbers followed by f indicate figures.
A
AO See Authorizing official (AO)
DHHS and CDC institutional rules and guidance 91
EO 89
federal laws 89–90
FIPS 90–91
loudspeaker applicable laws 91
NIST SP and guidelines 90
OMB and GAO requirements 91
PII 89
Approval to operate (ATO) 134
examination 273–274
interview 274–276
test 276–277
assessor 134–135
BOE 134–135
documentation 136
independent assessment team 135–136
IV&V 135–136
NIST SP 800-53A 136–137
ROE 134–135
types 135–136
Assessment test case 125
decision 153–154
authorization package 150–151
POA&M See (Plan of action and milestones (POA&M))
risk acceptance 153–155
risk determination 152
tasks 55–56
maintenance 151
special staff members 151
and reauthorization testing 140
termination dates 154–155
Authorization to operate (ATO) 148
authorization package 150–151
and CIO 64
description 63–64
effective audit trail 149
POA&M 148
risk acceptance 153
risk determination 152
security controls 122
SSP approval 183
Authorizing official designated representative 64–65
B
Body of evidence (BOE) 134–135
BOE See Body of evidence (BOE)
C
C&A process See Certification and accreditation (C&A) process
CCP See Common control provider (CCP)
and documentation 50
documentation 49–50
security verification 49–50
tasks 49–50
CCB 51
tasks 51
characterization, system 49
identification and notification, resources 49
SSP 49
tasks 48
transition 56–57
Chief executive officer (CEO) 59–61
Chief information security officer (CISO) 151
CIO See Chief information officer (CIO)
Clinger-CohenAct 16
Committee on National Security Systems Instruction (CNSSI) 19
acronym 97
AO and contact information 98
applicable laws 99
components 99
and contact information 98
description 64–65
environment 98
incident response points 100
information system users 100
integration 99
location 98
mission/business process 99
name, system and unique identifier 97
organization 98
ownership/operation 100
purpose, function and capability 98–99
SDLC 99
security authorization and termination date 100
security POC and designated contacts information 98
version release number 98
change control programs 159–160
security status reporting 164
Control families and classes 187
Control implementation resources 129–130
D
Data security standard (DSS) 173–174
Defense Infomation Systems Agency (DISA) 129
Defense Information Assurance Risk Management Framework (DIARMF) 171
description 71–72
DoD See Department of Defense (DoD)
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) 35
DSM See Department of social media (DSM)
DSS See Data security standard (DSS)
E
Encryption techniques 95
EO See Executive orders (EO)
Examine assessment method 273–274
description 13
presidential directive (PD) 13
FedRAMP 173
HIPAA 173
PCI 173–174
process updates 172
DoD 171
IC implementation 170–171
private sector 171
F
FIPS 199 20
FIPS 200 20
“CIA triad” 18
security programs 18
training 18
NIST 34
Federal Risk and Authorization Management Program (FedRAMP) 173
G
Gramm-Leach-Bliley Act 17
H
Health Information Technology for Economic and Critical Health (HITECH) Act of 2009 19
HITECH Act, 2009 See Health Information Technology for Economic and Critical Health (HITECH) Act of 2009
Homeland Security Presidential Directive (HSPD) 7 18–19
I
IC See Intelligence community (IC)
authorizing official 63–64
authorizing official designated representative 64–65
CIO 61–62
common control provider 64–65
head of agency/CEO 59–61
information owner/steward 62–63
information security architect 66–67
information system owner 65–66
ISSE 67–68
ISSO 65–66
risk executive (function) 60–62
SCA 67–68
SISO 63–64
antivirus product 126
architecture and availability 126
assessment objective 125
civil organizations 129–130
control allocation 126–127
enterprise’s architecture 126
hybrid controls, development 127
information and security professionals 128
NIST SP 800-53A 123–124
personnel 124–125
potential assessment methods and objects 125
responsibility and maintenance 127
Risk Management Framework Process 124f
self-assessments 124–125
The System Development Lifecycle 124f
technology components 128
third-party-provided security documentation 129
training requirements 127
Incremental assessment 141
Independent verification and validation (IV&V) 135–136
Information assurance officer (IAO) See Information systems security officer (ISSO)
Information security architect 66–67
acronym 84
description 85
loudspeaker authorizing official 85
applicable laws See (Applicable laws, IS)
architectural description 91
authorization See (Authorization, IS)
boundary definition 83
and CCP See (Common control provider (CCP))
cross domain devices and requirements 94
cryptographic key management information 95
email traffic 93–94
encryption techniques 95
custom and legacy systems 86
description 86
loudspeaker system 86
standalone systems 86
system components 86
firmware and hardware devices 92
flows and paths 93–94
hardware, software and system interfaces 93
incident response points of contact 96
integration 87
interconnected 94–95
location 86
mission/business process supported 87
information system baseline 157
security implications 158–159
security-relevant changes, identification 158–159
system components 158–159
system owner approvals 159
network connection rules 94
organizationally required information 97
owner 65–66
loudspeaker information system owner 84
POC 84
ownership/operation 96
portfolio management office 102
purpose, function and capability 87
SDLC/acquisition life cycle phase 88
authorization date 96
authorization/risk boundary 88
categorization See (Security categorization)
POC and designated contacts information 85
software and applications 92
subsystems 93
system and unique identifier 83–84
tasks, categorization 53
types 88
users 95–96
version release number 87
Information system security engineer (ISSE) 67–68
Information systems security officer (ISSO) 65–66
Intelligence community (IC) 170–171
Intelligence Reform and Terrorism Act, 2004 36
Interview assessment method 274–276
IS See Information system (IS)
J
and C&A 37–38
description 36–37
SP 800-37 36–37
L
risk executive (function) 73
AO 72–73
Executive Order 13231 17
Financial Services Modernization Act, 1999 17
FISMA 18
HIPAA 16
HITECH Act 19
HSPD 7 18–19
Information Technology Management Reform Act, 1996 16
OMB M-02-01 17–18
Privacy Act, 1974 15–16
privacy policies and data collection, Federal Web Sites 17
security categorization and CNSSI 19
Transmittal Memorandum No. 4 16
CNSS 14
DoD 15
NIST 13–14
ODNI 14–15
OMB 13
orders, President of United States of America 13
M
DIACAP 35
DITSCAP 35
information system 31
mission/business processes 30
organizational risk management 28–30
N
E-Government Act, 2002 14
FIPS 199 20
FIPS 200 20
FIPS and SP 19–20
NIST SP 300-39 20
NSS definition 35
SP 300-37 20–21
SP 800-18 22
SP 800-37 36–37
SP 800-53 21
SP 800-59 22
SP 800-60 21
SP 800-70 22
SP 800-53A 21
definition 35
description 4
and NIACAP 35–36
National Security Telecommunications Advisory Committee (NSTAC) 17
National Security Telecommunications and Information Systems Security Committee (NSTISSC) 14
NIST SP 800-39 31–32
NIST SP 800-66 173
NIST SP 800-30, risk management and SDLC 24
NIST SP 800-37, RMF implementation 59
NSA See National Security Agency (NSA)
NSA standards 184
NSS See National Security Systems (NSS)
NSTISSC See National Security Telecommunications and Information Systems Security Committee (NSTISSC)
O
Office of the Director of National Intelligence (ODNI) 14–15
O&M See Operations and maintenance (O&M)
Ongoing monitoring 159–160
Operations and maintenance (O&M) 127–128
Organizational leadership and security staff 171
common controls 28
control enhancements 29
defining terms 30
description 28
NIST SP 800-53 29–30
organizational leaders 28–29
roles and responsibilities 29
P
Payment card industry (PCI) 173–174
PCI See Payment card industry (PCI)
PIA See Privacy impact assessment (PIA)
authorization documents 148–149
changes to milestone dates 150
key milestones and milestone completion dates 150
office/organization responsible for resolving weakness 149
defined structure 149
organization 149
required funding and source of funding 150
scheduled completion date 150
security assessment report 148
source of weakness 150
status of finding 150
system owner and authorizing official 149
identification 149
type 149
Plans of action and milestones (POA&M) 17–18
PM See Program management (PM)
POA&M See Plans of action and milestones (POA&M)
POC See Points of contact (POC)
Points of contact (POC) 134–135
President’s Critical Infrastructure Protection Board (PCIPB) 17
Privacy impact assessment (PIA) 41
Program management (PM) 187
Public Law 107-347 34
Q
Qualified security assessors (QSA) 173–174
R
Reciprocity 141–142
boards 174
description 25
framing the risk 25–26
monitoring risk 27
risk assessment 26–27
risk response 27
multi-tiered See (Multi-tiered risk management)
coordination, senior leaders and executive 31–32
description 31
members 32
C&A process 24
NIST SP 800-30 24
administrative professionals 2
authorization 52–53
development 51–52
earlier certification and accreditation program 52–53
implementation See (Implementation, RMF)
management professionals 2
phase 1 See (Information system (IS))
phase 2 See (Security control)
phase 3 See (Implementation, security control)
phase 4 See (Security control, assessment)
phase 5 See (Authorization, IS)
phase 6 See (Security control, monitoring)
and risk management 24
security controls See (Security control)
technical professionals 3
Risk tolerances 25
RMF See Risk management framework (RMF)
ROE See Rules of engagement (ROE)
Rules of engagement (ROE) 134–135
S
SAR See Security assessment report (SAR)
SCA See Security control assessor (SCA)
SDLC See System development life cycle (SDLC)
interim security assessment reports 142–143
reciprocity determination 142
test director 140
benefits management information type 80–81
catastrophic defense 81
confidentiality 78–79
FIPS 199 78–79
information owner/steward 77–78
legacy systems 82
potential impact 79
results 88
SSP 82
Security changes 159
AO 183
approval 122
authorization and reauthorization testing 140
automated tools 140
common controls evaluation 141
continuous monitoring program 159–160
incremental 141
independent SCA 141
plan 134–139
reciprocity 141–142
report 142–143
and SAR 160–161
tasks 55
test director 140
approval process 108–109
authorization 110
authorization document 108–109
authorizing official 109
benefits 107–108
evaluation 110
high-level organizational policies 109
information system owners 111
system development time 110
training department 110–111
determinations 129
AC-2 account management 104–105
control section 106
priority and baseline allocations section 107
reference section 107
supplemental guidance 106
formal plan and explanation document 131
“Information Security Awareness and Training (AT-1, AT-2, AT-3, AT-4)” 131–132
professionals 131
and SCTM 131
systems security plan updation 131–132
monitoring 56
documentation, updation 162–163
information system and environment changes See Information system, monitoring and environment changes
remediation actions 161
risk determination and acceptance 165–166
SCA 159–161
status reporting 164
system removal and decommissioning 166–167
authorizing official 119
leadership 119
and NIST SP 800-37 118
organizational continuous monitoring program 117
organizational historical documentation 118–119
system development decisions 118
remediation actions 143–145
baseline categorization 208
CNSSI 1253 baseline categorization 225
FEDRAMP controls 258–265
NIST SP 800-53A assessment methods 189–208
NIST SP 800-53 Revision 4 252–258
PCI DSS standards 271–272
SP 800-53 security controls to HIPAA security rule 266–271
compensating control guidance 115
controls and enhancements 112–113
description 111–112
net-centric systems 115–116
parameterization 114–115
scoping/tailoring 114
and subsystems 116
system’s categorization 112
system security plan 114
tasks 54–55
wireless technology 116
and SSP 119–122
assessment plan 134–135
authorization and reauthorization testing 140
common controls 136
description 67–68
independent and competent 141–142
role 68
system examination methods 138
test director 141
Security documentation, updation 162–163
Security professionals 172
Security status reporting 164
Security technical implementation guides (STIG) 129
Senior information security officer (SISO) 63–64
SP See Special Publications (SP)
NIST SP 300-39 20
SP 300-37 20–21
SP 800-18 22
SP 800-53 21
SP 800-53 revision 4 172
SP 800-59 22
SP 800-60 21
SP 800-70 22
SSP See Systems security plan (SSP)
Sysadmin, Audit, Networking and Security (SANS) 129–130
System controls’ traceability matrix (SCTM) 131
agile system development 44–45
traditional See (Traditional SDLC)
System removal and decommissioning 166–167
System’s registration 176
Systems security plan (SSP) See also Security control
development 82
system owner control 129
updation 131–132
T
Test assessment method 276–277
Test director 140
The Health Insurance Portability and Accountability Act (HIPAA) 173
description 40
activities 41–42
outputs 42
test cases 42
activities 43
media 43–44
outputs 44
implementation/assessment 42–43
group charters and systems 41
information types 41
systems of record 41
configuration control board (CCB) 43
outputs 43
repeating phases and cycling/changes 44
U
United States Government Configuration Baseline (USGCB) 184
W
Waterfall SDLC process See Traditional SDLC
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.