Official (ISC)2® Guide to the CAP® CBK®
Patrick D. Howard
About this book
Significant developments since the publication of its bestselling predecessor, Building and Implementing a Security Certification and Accreditation Program, warrant an updated text as well as an updated title. Reflecting recent updates to the Certified Authorization Professional (CAP) Common Body of Knowledge (CBK) and NIST SP 800-37, the Official
Chapter 1
Security Authorization of Information Systems
Security authorization includes a tiered risk management approach to evaluate both strategic and tactical risk across the enterprise. The authorization process incorporates the application of a Risk Management Framework (RMF), a review of the organizational structure, and the business process/mission as the foundation for the implementation and assessment of specified security controls. This authorization management process identifies vulnerabilities and countermeasures and determines residual risks. The residual risks are evaluated and deemed either acceptable or unacceptable. More controls must be implemented to reduce unacceptable risk. The system may be deployed only when the residual risks are acceptable to the enterprise.
Certified Authorization Professional (CAP®) Candidate Information Bulletin, November 2010
Introduction
I once made the acquaintance of an information system security officer (ISSO) in a federal department who had what he defined as airtight security for his major application. During my assessment, I found that he had implemented government security authorization guidance for his application as well as could possibly be imagined and had fully documented all the controls protecting the system. Three years later when I returned to recertify the system for reauthorization, the system could not be recertified. When I was told that the ISSO had been transferred, the problem became quite clear to me. The process that the ISSO had used to protect his system was limited only to his single, well-protected application and had not been institutionalized elsewhere in the organization.
To be effective, a system authorization program must be greater than the efforts of isolated, well-intentioned individuals like this ISSO and must be implemented on an enterprise-wide level. A program implemented at this highest organizational level first and foremost permits consistency across the entire organization. Further, the implementation of a successful enterprise system authorization program can greatly promote the implementation of a likewise effective information security program for an organization.
An enterprise security authorization program can be considered successful if it provides an effective means of identifying and meeting requirements, permits efficient oversight of its activities, and provides assurance that necessary controls are implemented at the system level. For the purposes of this discussion, an enterprise program is one that supports the entire organization and that either is independent of any other program or has a significant degree of independence to implement guidance of a higher-level program. This equates to a corporate- or department-level government organization. An enterprise program is distinct from its business unit-level components, which relate to elements of the overall enterprise program. Security authorization for a line of business will normally focus on an interrelated grouping of information technology systems that support a tightly focused business function.
The information contained in this chapter applies to efforts to build an enterprise security authorization program from the ground up, as well as efforts to expand an existing program with additional capabilities or with a revised orientation. This chapter discusses the ingredients necessary to construct a successful enterprise system authorization program. This includes information sections on key elements of such a program; a detailed discussion of system authorization roles and responsibilities; incorporation of system authorization into the system development life cycle (SDLC); causes of the failure of many system security authorization programs; system authorization project planning; elements of an organization-level system inventory process; and the work of dealing with interconnected systems. Also, this chapter provides an overview of the application of the Risk Management Framework (RMF) of the National Institute of Standards and Technology (NIST) to information systems as well as fundamentals of information system risk management according to NIST Special Publication (SP) 800-37, Revision 1.
System authorization is a comprehensive methodology that consists of a number of individual processes, most of which the reader will probably recognize. It is the combining of these related processes into a unified risk management approach that gives...