| Foreword |
|
xiii | |
| Preface |
|
xv | |
| Authors |
|
xxiii | |
| 1 Introduction to Organizational Security Risk Management |
|
1 | (34) |
|
1.1 Introduction to the Book |
|
|
1 | (1) |
|
|
|
2 | (5) |
|
1.3 Strategic Governance and Risk Management |
|
|
7 | (1) |
|
1.4 Elements of Risk Management |
|
|
8 | (3) |
|
1.5 Risk Types and Risk Handling Strategies |
|
|
11 | (4) |
|
1.6 Overview of the Risk Management Process |
|
|
15 | (16) |
|
1.6.1 Establishing the Risk Management Planning Process |
|
|
16 | (1) |
|
1.6.2 Identifying and Categorizing the Risk Environment |
|
|
17 | (2) |
|
|
|
19 | (2) |
|
1.6.4 Designing for Effective Risk Management |
|
|
21 | (2) |
|
|
|
21 | (1) |
|
1.6.4.2 Scope and Boundaries |
|
|
21 | (1) |
|
1.6.4.3 Roles and Responsibilities |
|
|
21 | (1) |
|
1.6.4.4 Definition of Priorities |
|
|
22 | (1) |
|
1.6.4.5 Sensitivity of the Information |
|
|
22 | (1) |
|
1.6.5 Evaluating Candidates for Control |
|
|
23 | (1) |
|
1.6.6 Implementing Risk Management Controls |
|
|
24 | (3) |
|
1.6.6.1 Management Controls |
|
|
25 | (1) |
|
1.6.6.2 Technical Controls |
|
|
25 | (1) |
|
|
|
25 | (2) |
|
1.6.7 Assessing the Effectiveness of Risk Controls |
|
|
27 | (1) |
|
1.6.7.1 Qualitative Measurement |
|
|
27 | (1) |
|
1.6.7.2 Quantitative Measurement |
|
|
27 | (1) |
|
1.6.8 Sustainment: Risk Assessment and Operational Evaluation of Change |
|
|
28 | (1) |
|
1.6.9 Evaluating the Overall Risk Management Function |
|
|
29 | (2) |
|
|
|
31 | (3) |
|
|
|
34 | (1) |
| 2 Survey of Existing Risk Management Frameworks |
|
35 | (36) |
|
2.1 Survey of Existing Risk Management Models and Frameworks |
|
|
35 | (2) |
|
2.2 Standard Best Practice |
|
|
37 | (1) |
|
2.3 Making Risk Management Tangible |
|
|
37 | (2) |
|
|
|
39 | (1) |
|
2.5 General Shape of the RMF Process |
|
|
40 | (2) |
|
|
|
42 | (3) |
|
2.7 Other Frameworks and Models for Risk Management |
|
|
45 | (1) |
|
2.8 International Organization for Standardization 31000:2009 |
|
|
46 | (5) |
|
2.9 ISO 31000 Implementation Process: Establishment |
|
|
51 | (1) |
|
2.10 COSO Enterprise Risk Management Framework |
|
|
52 | (5) |
|
2.11 Health Information Trust Alliance Common Security Framework |
|
|
57 | (3) |
|
2.12 Implementing the HITRUST CSF Control Structure |
|
|
60 | (1) |
|
2.13 NIST SP 800-30 and NIST SP 800-39 Standards |
|
|
61 | (5) |
|
|
|
66 | (2) |
|
|
|
68 | (1) |
|
|
|
69 | (2) |
| 3 Step 1-Categorize Information and Information Systems |
|
71 | (30) |
|
|
|
71 | (2) |
|
3.2 Security Impact Analysis |
|
|
73 | (3) |
|
3.3 FIPS 199, Standards for Security Categorization of Federal Information and Information Systems |
|
|
76 | (3) |
|
3.3.1 FIPS 199-Security Categorization of Information Types |
|
|
77 | (1) |
|
3.3.2 FIPS 199-Security Categorization of Information Systems |
|
|
78 | (1) |
|
3.4 CNSSI No. 1253, Security Categorization and Control Selection for National Security Systems |
|
|
79 | (3) |
|
3.4.1 Implementation of Step 1-Security Categorization |
|
|
81 | (1) |
|
3.5 Security Categorization from the Organizational Perspective |
|
|
82 | (17) |
|
3.5.1 Establish Relationships with Organizational Entities |
|
|
84 | (1) |
|
3.5.2 Develop an Organization-Wide Categorization Program |
|
|
84 | (2) |
|
3.5.3 Prepare an Organization-Wide Guidance Program |
|
|
86 | (1) |
|
3.5.4 Lead Organization-Wide Categorization Sessions |
|
|
87 | (1) |
|
3.5.5 Security Categorization from the Management Perspective |
|
|
87 | (1) |
|
3.5.6 Security Categorization from the System Perspective |
|
|
88 | (1) |
|
3.5.7 Preparing for System Security Categorization |
|
|
89 | (1) |
|
3.5.8 Step 1: Identify System Information Types |
|
|
90 | (3) |
|
3.5.9 Step 2: Select Provisional Impact Values for Each Information Type |
|
|
93 | (1) |
|
3.5.10 Step 3: Adjust the Provisional Impact Levels of Information Types |
|
|
94 | (1) |
|
3.5.11 Step 4: Determine the Information System Security Impact Level |
|
|
95 | (2) |
|
3.5.12 Obtain Approval for the System Security Category and Impact Level |
|
|
97 | (1) |
|
3.5.13 Maintain the System Security Category and Impact Levels |
|
|
98 | (1) |
|
|
|
99 | (1) |
|
|
|
100 | (1) |
| 4 Step 2-Select Security Controls |
|
101 | (38) |
|
4.1 Understanding Control Selection |
|
|
103 | (4) |
|
4.2 Federal Information Processing Standard Publication 200 |
|
|
107 | (3) |
|
4.3 Implementation of Step 2-Select Security Controls |
|
|
110 | (1) |
|
4.4 Document Collection and Relationship Building |
|
|
110 | (3) |
|
4.5 Select Initial Security Control Baselines and Minimum Assurance Requirements |
|
|
113 | (3) |
|
4.6 Apply Scoping Guidance to Initial Baselines |
|
|
116 | (6) |
|
4.7 Determine Need for Compensating Controls |
|
|
122 | (1) |
|
4.8 Determine Organizational Parameters |
|
|
123 | (1) |
|
4.9 Supplement Security Controls |
|
|
124 | (1) |
|
4.10 Determine Assurance Measures for Minimum Assurance Requirements |
|
|
125 | (1) |
|
4.11 Complete Security Plan |
|
|
126 | (1) |
|
4.12 Develop Continuous Monitoring Strategy |
|
|
127 | (1) |
|
4.13 Approval of Security Plan and Continuous Monitoring Strategy |
|
|
128 | (1) |
|
4.14 Other Control Libraries |
|
|
129 | (5) |
|
4.14.1 Control Objectives for Information and Related Technology (COBIT 5) |
|
|
129 | (1) |
|
4.14.2 CIS Critical Security Controls |
|
|
130 | (1) |
|
4.14.3 Industrial Automation and Control Systems Security Life Cycle |
|
|
131 | (1) |
|
|
|
132 | (2) |
|
|
|
134 | (2) |
|
|
|
136 | (1) |
|
|
|
137 | (2) |
| 5 Step 3-Implement Security Controls |
|
139 | (32) |
|
|
|
139 | (2) |
|
5.2 Implementation of the Security Controls Specified by the Security Plan |
|
|
141 | (8) |
|
5.3 A System Perspective to Implementation |
|
|
149 | (5) |
|
5.4 A Management Perspective to Implementation |
|
|
154 | (1) |
|
5.5 Implementation via Security Life Cycle Management |
|
|
155 | (3) |
|
5.6 Establishing Effective Security Implementation through Infrastructure Management |
|
|
158 | (1) |
|
5.7 Finding the Fit: Security Implementation Projects and Organization Portfolios |
|
|
159 | (3) |
|
5.8 Security Implementation Project Management |
|
|
162 | (3) |
|
5.9 Document the Security Control Implementation in the Security Plan |
|
|
165 | (1) |
|
|
|
166 | (2) |
|
|
|
168 | (2) |
|
|
|
170 | (1) |
| 6 Step 4-Assess Security Controls |
|
171 | (28) |
|
6.1 Understanding Security Control Assessment |
|
|
173 | (3) |
|
6.2 Components of Security Control Assessment |
|
|
176 | (2) |
|
6.3 Control Assessment and the SDLC |
|
|
178 | (1) |
|
6.4 Ensuring Adequate Control Implementation |
|
|
179 | (2) |
|
6.5 Assessment Plan Development, Review, and Approval |
|
|
181 | (4) |
|
6.6 Security Control Assessment Procedures and Methodologies |
|
|
185 | (3) |
|
6.7 Assess Controls in Accordance with Assessment Plan |
|
|
188 | (2) |
|
6.8 Prepare the Security Assessment Report |
|
|
190 | (2) |
|
6.9 Initial Remedy Actions of Assessment Findings |
|
|
192 | (2) |
|
|
|
194 | (3) |
|
|
|
197 | (1) |
|
|
|
198 | (1) |
| 7 Step 5-Authorize: Preparing the Information System for Use |
|
199 | (32) |
|
7.1 Authorizing the Formal Risk Response |
|
|
199 | (3) |
|
7.2 Elements of Risk Management |
|
|
202 | (2) |
|
7.3 Certification and Accreditation |
|
|
204 | (2) |
|
7.4 Application of the RMF |
|
|
206 | (5) |
|
7.5 Security Authorizations/Approvals to Operate |
|
|
211 | (1) |
|
7.6 Certification of the Correctness of Security Controls |
|
|
212 | (2) |
|
7.7 Risk Management and Enterprise Architecture |
|
|
214 | (1) |
|
7.8 Particular Role of Requirements |
|
|
215 | (1) |
|
7.9 Drawing Hard Perimeters |
|
|
216 | (1) |
|
7.10 Preparing the Action Plan |
|
|
217 | (2) |
|
7.11 Preparing the Security Authorization Package |
|
|
219 | (2) |
|
7.12 Standard Risk Determination |
|
|
221 | (4) |
|
|
|
225 | (4) |
|
|
|
229 | (1) |
|
|
|
230 | (1) |
| 8 Step 6-Monitor Security State |
|
231 | (32) |
|
8.1 Sustaining the Organization's Risk Management Response |
|
|
231 | (3) |
|
8.2 Overview of the Process: Sustaining Effective Risk Monitoring |
|
|
234 | (4) |
|
8.3 Structuring the Risk-Monitoring Process |
|
|
238 | (2) |
|
8.4 Sustaining an Ongoing Control-Monitoring Process |
|
|
240 | (1) |
|
8.5 Establishing a Continuous Control Assessment Process |
|
|
241 | (2) |
|
8.6 Implementing a Practical Control System Monitoring Process |
|
|
243 | (1) |
|
8.7 Conducting Continuous Monitoring |
|
|
244 | (3) |
|
8.8 Practical Considerations |
|
|
247 | (1) |
|
8.9 Quantitative Measurement Considerations |
|
|
248 | (6) |
|
8.10 Keeping the Control Set Correct over Time |
|
|
254 | (4) |
|
|
|
258 | (3) |
|
|
|
261 | (1) |
|
|
|
262 | (1) |
| 9 Practical Applications of the National Institute of Standards and Technology Risk Management Framework |
|
263 | (34) |
|
9.1 Applying the NIST RMF |
|
|
264 | (1) |
|
|
|
264 | (2) |
|
9.3 Certification and Accreditation in the Federal Space |
|
|
266 | (3) |
|
9.4 In the Beginning: The Clinger-Cohen Act (1996) |
|
|
269 | (2) |
|
9.5 The E-Government Act of 2002: FISMA |
|
|
271 | (4) |
|
9.6 Implementing Information Security Controls-NIST 800-53 |
|
|
275 | (3) |
|
9.7 Evaluating the Control Set |
|
|
278 | (10) |
|
|
|
288 | (6) |
|
|
|
294 | (1) |
|
|
|
295 | (2) |
| Appendix |
|
297 | (12) |
| Index |
|
309 | |
