Official (ISC)2® Guide to the CAP® CBK®
eBook - ePub

Official (ISC)2® Guide to the CAP® CBK®

  1. 462 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
eBook - ePub

Official (ISC)2® Guide to the CAP® CBK®

About this book

Significant developments since the publication of its bestselling predecessor, Building and Implementing a Security Certification and Accreditation Program, warrant an updated text as well as an updated title. Reflecting recent updates to the Certified Authorization Professional (CAP) Common Body of Knowledge (CBK) and NIST SP 800-37, the Official

Frequently asked questions

Yes, you can cancel anytime from the Subscription tab in your account settings on the Perlego website. Your subscription will stay active until the end of your current billing period. Learn how to cancel your subscription.
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
Perlego offers two plans: Essential and Complete
  • Essential is ideal for learners and professionals who enjoy exploring a wide range of subjects. Access the Essential Library with 800,000+ trusted titles and best-sellers across business, personal growth, and the humanities. Includes unlimited reading time and Standard Read Aloud voice.
  • Complete: Perfect for advanced learners and researchers needing full, unrestricted access. Unlock 1.4M+ books across hundreds of subjects, including academic and specialized titles. The Complete Plan also includes advanced features like Premium Read Aloud and Research Assistant.
Both plans are available with monthly, semester, or annual billing cycles.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Yes! You can use the Perlego app on both iOS or Android devices to read anytime, anywhere — even offline. Perfect for commutes or when you’re on the go.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app.
Yes, you can access Official (ISC)2® Guide to the CAP® CBK® by Patrick D. Howard in PDF and/or ePUB format, as well as other popular books in Business & Cyber Security. We have over one million books available in our catalogue for you to explore.

Information

Publisher
Auerbach Publications
Year
2016
Print ISBN
9781439820759
eBook ISBN
9781466576032
Topic
Business
Subtopic
Cyber Security
Index
Business
Chapter 1

Security Authorization of Information Systems

Security authorization includes a tiered risk management approach to evaluate both strategic and tactical risk across the enterprise. The authorization process incorporates the application of a Risk Management Framework (RMF), a review of the organizational structure, and the business process/mission as the foundation for the implementation and assessment of specified security controls. This authorization management process identifies vulnerabilities and countermeasures and determines residual risks. The residual risks are evaluated and deemed either acceptable or unacceptable. More controls must be implemented to reduce unacceptable risk. The system may be deployed only when the residual risks are acceptable to the enterprise.
Certified Authorization Professional (CAP®) Candidate Information Bulletin, November 2010

Introduction

I once made the acquaintance of an information system security officer (ISSO) in a federal department who had what he defined as airtight security for his major application. During my assessment, I found that he had implemented government security authorization guidance for his application as well as could possibly be imagined and had fully documented all the controls protecting the system. Three years later when I returned to recertify the system for reauthorization, the system could not be recertified. When I was told that the ISSO had been transferred, the problem became quite clear to me. The process that the ISSO had used to protect his system was limited only to his single, well-protected application and had not been institutionalized elsewhere in the organization.
To be effective, a system authorization program must be greater than the efforts of isolated, well-intentioned individuals like this ISSO and must be implemented on an enterprise-wide level. A program implemented at this highest organizational level first and foremost permits consistency across the entire organization. Further, the implementation of a successful enterprise system authorization program can greatly promote the implementation of a likewise effective information security program for an organization.
An enterprise security authorization program can be considered successful if it provides an effective means of identifying and meeting requirements, permits efficient oversight of its activities, and provides assurance that necessary controls are implemented at the system level. For the purposes of this discussion, an enterprise program is one that supports the entire organization and that either is independent of any other program or has a significant degree of independence to implement guidance of a higher-level program. This equates to a corporate- or department-level government organization. An enterprise program is distinct from its business unit-level components, which relate to elements of the overall enterprise program. Security authorization for a line of business will normally focus on an interrelated grouping of information technology systems that support a tightly focused business function.
The information contained in this chapter applies to efforts to build an enterprise security authorization program from the ground up, as well as efforts to expand an existing program with additional capabilities or with a revised orientation. This chapter discusses the ingredients necessary to construct a successful enterprise system authorization program. This includes information sections on key elements of such a program; a detailed discussion of system authorization roles and responsibilities; incorporation of system authorization into the system development life cycle (SDLC); causes of the failure of many system security authorization programs; system authorization project planning; elements of an organization-level system inventory process; and the work of dealing with interconnected systems. Also, this chapter provides an overview of the application of the Risk Management Framework (RMF) of the National Institute of Standards and Technology (NIST) to information systems as well as fundamentals of information system risk management according to NIST Special Publication (SP) 800-37, Revision 1.
System authorization is a comprehensive methodology that consists of a number of individual processes, most of which the reader will probably recognize. It is the combining of these related processes into a unified risk management approach that gives...

Table of contents

  1. Preface
  2. Acknowledgments
  3. About the Author
  4. Chapter 1: Security Authorization of Information Systems
  5. Chapter 2: Information System Categorization
  6. Chapter 3: Establishment of the Security Control Baseline
  7. Chapter 4: Application of Security Controls
  8. Chapter 5: Assessment of Security Controls
  9. Chapter 6: Information System Authorization
  10. Chapter 7: Security Controls Monitoring
  11. Chapter 8: System Authorization Case Study
  12. Chapter 9: The Future of Information System Authorization
  13. Appendix A: References
  14. Appendix B: Glossary
  15. Appendix C: Sample Statement of Work
  16. Appendix D: Sample Project Work Plan
  17. Appendix E: Sample Project Kickoff Presentation Outline
  18. Appendix F: Sample Project Wrap-Up Presentation Outline
  19. Appendix G: Sample System Inventory Policy
  20. Appendix H: Sample Business Impact Assessment
  21. Appendix I: Sample Rules of Behavior (General Support System)
  22. Appendix J: Sample Rules of Behavior (Major Application)
  23. Appendix K: Sample System Security Plan Outline
  24. Appendix L: Sample Memorandum of Understanding
  25. Appendix M: Sample Interconnection Security Agreement
  26. Appendix N: Sample Risk Assessment Outline
  27. Appendix O: Sample Security Procedure
  28. Appendix P: Sample Certification Test Results Matrix
  29. Appendix Q: Sample Risk Remediation Plan
  30. Appendix R: Sample Certification Statement
  31. Appendix S: Sample Accreditation Letter
  32. Appendix T: Sample Interim Accreditation Letter
  33. Appendix U: Certification and Accreditation Professional (CAP®) Common Body of Knowledge (CBK®)
  34. Appendix V: Answers to Review Questions