Muutke küpsiste eelistusi

E-raamat: Official (ISC)2® Guide to the CISSP®-ISSEP® CBK® [Taylor & Francis e-raamat]

Edited by
  • Formaat: 1024 pages, 103 Tables, black and white; 143 Illustrations, black and white
  • Sari: ISC2 Press
  • Ilmumisaeg: 29-Sep-2005
  • Kirjastus: Auerbach
  • ISBN-13: 9780429207358
Teised raamatud teemal:
  • Taylor & Francis e-raamat
  • Hind: 133,87 €*
  • * hind, mis tagab piiramatu üheaegsete kasutajate arvuga ligipääsu piiramatuks ajaks
  • Tavahind: 191,24 €
  • Säästad 30%
Official (ISC)2® Guide to the CISSP®-ISSEP® CBK®Suurem pilt
  • Formaat: 1024 pages, 103 Tables, black and white; 143 Illustrations, black and white
  • Sari: ISC2 Press
  • Ilmumisaeg: 29-Sep-2005
  • Kirjastus: Auerbach
  • ISBN-13: 9780429207358
Teised raamatud teemal:
Taylor & Francis e-raamatudRohkem infot Taylor & Francis e-raamatute kohta
Raamatu kodulehekülg: https://www.taylorfrancis.com/books/9780429207358
This guide analyzes all of the topics covered in the newly created CISSP-ISSEP CBK, a compendium of industry best practices. Focus is on the four ISSEP domains of information systems security engineering, certification and accreditation, technical management, and US government information assurance regulations. The book explains ISSE by comparing it to a traditional systems engineering model, and details key points of about 50 US government policies and procedures essential for understanding CBK. Hansche, CISSP-ISSEP, is a training director for information assurance at a private sector company. The book is distributed by CRC. Annotation ©2005 Book News, Inc., Portland, OR (booknews.com)

An essential, one-stop study tool, A Study Guide for the (ISC)2 Information System Security Engineering Professional (ISSEP) Exam provides an inclusive text containing all of the topics covered on the newly-created ISSEP exam. Possibly the first such comprehensive guide for the test, the book promotes understanding of the four ISSEP domains: systems security engineering, certification and accreditation, technical management and United States government IA regulations. It provides a complete look at the information system security field as it relates to the needs of the federal government. The guide also contains 20-25 related sample questions for each of the ISSEP domains.
Preface xxv
About the Author xxix
ISSE Domain 1: Information Systems Security Engineering (ISSE)
Overview
1(3)
Contributors and Reviewers
4(443)
1 ISSE Introduction
7(38)
Introduction
7(1)
SE and ISSE Overview
8(9)
IEEE 1220 Overview
15(2)
The ISSE Model
17(10)
Basic SE and ISSE Principles
21(1)
Principle 1: Always keep the problem and the solution spaces separate
23(1)
Principle 2: The problem space is defined by the customer's mission or business needs.
23(1)
Principle 3: The systems engineer and information systems security engineer define the solution space driven by the problem space.
25(2)
Life Cycle and ISSE
27(1)
NIST SP 800-27, Rev. A: Engineering Principles
28(1)
Risk Management
29(5)
Defense in Depth
34(7)
People
35(1)
Technology
35(1)
Operations
36(1)
Defense in Multiple Places
38(1)
Layered Defenses
39(1)
Security Robustness
40(1)
Deploy KMI/PKI
40(1)
Deploy Intrusion Detection Systems
40(1)
Summary
41(1)
References
42(3)
2 ISSE Model Phase 1: Discover Information Protection Needs
45(62)
Introduction
45(3)
Systems Engineering Activity: Discover Needs
48(1)
ISSE Activity: Discover Information Protection Needs
49(40)
Task 1: Define the Customer's Mission/Business Needs
50(3)
Task 2: Define the Information Management
53(1)
From Mission Needs to Information Management Needs
53(1)
Creating an Information Management Model (IMM)
54(1)
Step 1: Identify Processes
56(1)
Step 2: Identify the Information Being Processed
56(1)
FIPS 199
56(1)
NIST SP 800-60
62(1)
NIST SP 800-59
66(1)
DoD Mission Assurance Categories (MACs)
67(1)
Information Domains
68(1)
Step 3: Identify the Users of the Information and the Process
72(1)
Task 3: Define the Information Protection Policy (IPP)
73(1)
Conducting the Threat Analysis and Developing the Information Protection Policy
73(1)
Potential Harmful Events (PHEs)
75(1)
Harm to Information (HTI)
84(5)
Identifying Security Services and Developing the Information Protection Policy
89(9)
Security Services
90(1)
Access Control
90(1)
Confidentiality
91(1)
Integrity
91(1)
Availability
92(1)
Non-Repudiation
93(1)
Security Management
93(2)
Additional Security Controls
95(3)
Creating the Information Protection Policy (IPP)
98(1)
Creating the IPP Document
99(3)
Introduction
99(1)
General Policies
100(1)
Establish Roles and Responsibilities
100(1)
Identify Decision Makers
100(1)
Define Certification and Accreditation (C&A) Team Members and Procedures
100(1)
Identify Information Domains and Information Management
101(1)
Identify Security Service Requirements
101(1)
Signatures
102(1)
The Information Management Plan (IMP)
102(1)
Final Deliverable of Step 1
103(1)
Summary
103(1)
References
104(3)
3 ISSE Model Phase 2: Define System Security Requirements
107(32)
Introduction
107(6)
System Engineering Activity: Defining System Requirements
113(16)
Defining the System Context
114(1)
IEEE 1220: 5.1.1.1 System Concept
115(2)
Define System Requirements
117(1)
Define Customer Expectations (Task 6.1.1)
120(1)
Define Constraints (Tasks 6.1.2 and 6.1.3)
120(1)
Define Operational Scenarios (Task 6.1.4)
122(1)
Define Measures of Effectiveness (MOEs) (Task 6.1.5)
122(1)
Define System Boundaries (Task 6.1.6)
122(1)
Define Interfaces (Task 6.1.7)
123(1)
Define Utilization Environments (Task 6.1.8)
123(1)
Define Life-Cycle Process Concepts (Task 6.1.9)
123(1)
Define Functional Requirements (Task 6.1.10)
125(1)
Define Performance Requirements (Task 6.1.11)
125(1)
Define Modes of Operations (Task 6.1.12)
126(1)
Define Technical Performance Measures (Task 6.1.13)
126(1)
Define Design Characteristics (Task 6.1.14)
126(1)
Define Human Factors (Task 6.1.15)
126(1)
Establish Requirements Baseline (Task 6.1.16)
126(1)
Define Design Constraints
127(1)
The Preliminary System Concept of Operations (CONOPS)
128(1)
ISSE Activity: Defining System Security Requirements
129(5)
Define the System Security Context
129(2)
Define System Security Requirements
131(1)
Define the Preliminary System Security CONOPS
132(2)
Final Deliverable of Step 2
134(1)
Summary
134(2)
References
136(3)
4 ISSE Model Phase 3: Define System Security Architecture
139(70)
Introduction
139(3)
Defining System and Security Architecture
142(10)
Defining System Architecture
142(2)
Defining System Security Architecture
144(1)
Guidelines for Designing System Architectures from DoDAF and FEAF
144(1)
DoD Architectural Framework
145(1)
Federal Enterprise Architecture Framework (FEAF)
150(2)
System Engineering Activity: Designing System Architecture
152(11)
Perform Functional Analysis and Allocation
153(1)
Functional Analysis
153(1)
Functional Hierarchy Diagram
155(1)
Functional Flow Block Diagrams
156(1)
Timeline Analysis Diagram
158(1)
Functional Allocation
159(1)
Identifying and Allocating Components
159(1)
Describe the Relationship Between the CIs
159(2)
Trace Functions and Components to Requirements
161(2)
ISSE Activity: Define the Security Architecture
163(41)
Design System Security Architecture
166(1)
IATF Information Infrastructure
168(5)
Security Functional Analysis and Allocation
173(2)
Identify Security Components, Controls, or Technologies
175(2)
Additional Security Controls
177(4)
Requirements Traceability and the RTM
181(6)
Interface Identification and Security Architecture
187(2)
Trade-Off Analysis
189(3)
ISSE and Risk Management
192(2)
DoD Goal Security Architecture Example
194(1)
CN Security Allocation
197(1)
LSE Security Service Allocations
197(1)
End System and Relay System Security Service Allocations
197(1)
Security Management Security Service Allocations
199(1)
Transfer System Security Service Allocations
200(1)
Physical and Administrative Environment Security Service Allocations
201(3)
Final Deliverable of Designing System and Security Architectures
204
Summary
201(4)
References
205(4)
5 ISSE Model Phase 4: Develop Detailed Security Design
209(54)
Introduction
209(2)
Systems Engineering Activity: System Design
211(18)
Trade-Off Analysis
214(2)
System Synthesis (Design)
216(1)
System Specifications
216(1)
IEEE Systems Engineering Process: Design Phase
219(1)
System Definition Level
219(1)
Preliminary System Design
221(3)
Detailed System Design
224(51)
Fabrication, Assembly, Integration, and Test (FAIT) Stage
275
Production and Customer Support Stages
225(1)
Component Reliability
226(1)
Prototyping
227(1)
System Design Review
228(1)
System Engineering Management Plan (SEMP)
229(1)
ISSE Activity: System Security Design
229(26)
Conducting the Security Trade-Off Analysis
231(1)
Security Synthesis
232(2)
ISSE Design Phases
234(1)
Preliminary Security Design Phase
234(1)
Detailed Security Design Phase
235(1)
Allocating Security Mechanisms
236(1)
Identifying COTS/GOTS/Custom Security Products
236(1)
Identifying Security Mechanism Interfaces
237(1)
Developing Specifications: Common Criteria Profiles
238(4)
Life-Cycle Security Approach and the System Security Design Document
242(1)
Configuration Management and the Life-Cycle Security Approach
243(1)
Software Design
244(3)
Security Design Validation
247(4)
Prototyping for the ISSE Process
251(4)
ISSE Design and Risk Management
255(1)
Final Deliverables of Step 4
255(1)
Summary
256(2)
References
258(1)
Web Sites
259(1)
Software Design and Development Bibliography
259(4)
6 ISSE Model Phase 5: Implement System Security
263(46)
Introduction
263(2)
System Engineering Activity: System Implementation
265(23)
Constructing the System
268(1)
Creating the Acquisition Plan
268(1)
Developing the Installation Plan
272(1)
Constructing Programs
273(1)
Conducting Unit Testing
273(1)
Establishing the Construction Environment
274(1)
Establishing Development Baselines
275(1)
Developing the Transition Plan
275(1)
Generating Operating Documents
286(1)
Developing a Training Program Plan
278(1)
Integration and Testing Phase
278(1)
Conduct Integration Testing
280(1)
Conduct System Testing
280(1)
Initiate Acceptance Process
282(1)
Conduct Acceptance Test Team Training
283(1)
Develop Maintenance Plan
283(1)
System Delivery
284(1)
IEEE 1220 Perspective on System Implementation Activities
285(1)
Fabrication, Assembly, Integration, and Test (FAIT)
285(1)
Preparing the Customer and Users
287(1)
Is the System Really Ready?
288(1)
ISSE and System Security Implementation
288(17)
Acquire the Security Components
290(1)
NIST Special Publication (SP) 800-23
292(1)
NSTISSP, Number 11
292(4)
Secure Integration Efforts
296(2)
Secure System Configuration
298(1)
Security Test and Evaluation
299(3)
Accept the Security of the System
302(1)
System Security Documentation
303(1)
Training for Secure Operations
304(1)
ISSE and Risk Management
305(1)
Final Deliverable of Phase 5
305(1)
Summary
305(2)
References
307(1)
Web Sites
308(1)
7 ISSE Model Phase 6: Assess Security Effectiveness
309(48)
Introduction
309(2)
System Engineering Activity: System Assessment
311(16)
Benchmarking
312(2)
Baldrige Criteria for Performance Excellence
314(2)
ISO 9001 (2000)
316(5)
Six Sigma
321(2)
Software Engineering Institute Capability Maturity Models (SEI-CMM)
323(3)
Benchmarking, Baldrige, ISO 9001, Six Sigma, and CMM
326(1)
ISSE and System Security Assessment
327(21)
Information Protection Effectiveness Activities
327(2)
System Security Profiling
329(2)
Six Categories of Information Assurances
331(1)
1. Processes (can he obtained by the way the system is built)
331(1)
2. Properties (can he obtained by the way the system is built)
332(1)
3. Analysis (can be obtained by an analysis of system descriptions for conformance to requirements and vulnerabilities)
333(1)
4. Testing (can be obtained by testing the system itself to determine operating characteristics and to find vulnerabilities)
333(1)
5. Guidance (can be obtained by the way the system is built)
333(1)
6. Fielded Systems Evaluation (can be obtained by the operational experience and field evaluation of the system)
333(1)
NIST SP 800-55
334(4)
NIST SP 800-26
338(2)
NIST SP 800-42
340(8)
ISSE and Risk Management
348(1)
Final Deliverable of Phase 6
349(1)
Summary
349(2)
References
351(2)
Web Sites
353(3)
ISSE Domain 2: Certification and Accreditation Contributors and Reviewers 356(91)
8 DITSCAP and NIACAP
357(58)
Introduction
357(2)
DITSCAP and NIACAP Overview
359(1)
DITSCAP Background
359(1)
NIACAP Background
360(1)
DITSCAP/NIACAP Definition
360(4)
Definitions
362(1)
Certification
362(1)
Accreditation
362(1)
Program Manager
362(1)
Designated Approving Authority (DAA)
362(1)
Security Manager
363(1)
Certification Agent (CA)
363(1)
User Representative
363(1)
System Security Authorization Agreement (SSAA)
363(1)
Phase 1: Definition
364(24)
Preparation Activity
377(1)
Registration Activity
377(1)
Registration Task 1: Prepare Business or Operational Functional Description and System Identification
368(1)
Registration Task 2: Inform the DAA, Certifier, and User Representative That the System Will Require C&A Support (Register the System)
370(1)
Registration Task 3: Prepare the Environment and Threat Description
374(1)
Registration Task 4: Prepare System Architecture Description and Describe the C&A Boundary
374(1)
Registration Task 5: Determine the System Security Requirements
375(1)
Security Requirements Traceability Matrix (RTM)
376(1)
Registration Task 6: Tailor the C&A Tasks, Determine the C&A
Level of Effort, and Prepare a C&A Plan
377(1)
Registration Task 7: Identify Organizations That Will Be Involved in the C&A and Identify Resources Required
382(1)
Registration Task 8: Develop the Draft SSAA
383(1)
The Security System Authorization Agreement (SSAA)
383(3)
Negotiation Activity
386(1)
Negotiation Task 1: Conduct the Certification Requirements Review (CRR)
387(1)
Negotiation Task 2: Agree on the Security Requirements, Level of Effort, and Schedule
387(1)
Negotiation Task 3: Approve Final Phase 1 SSAA
387(1)
Phase 2: Verification
388(9)
SSAA Refinement Activity
389(1)
System Development and Integration Activity
390(1)
Initial Certification Analysis (ICA) Activity
390(1)
Initial Certification Analysis Task 1: System Architectural Analysis
391(1)
Initial Certification Analysis Task 2: Software, Hardware, and Firmware Design Analysis
391(1)
Initial Certification Analysis Task 3: Network Connection Rule Compliance Analysis
392(1)
Initial Certification Analysis Task 4: Integrity Analysis of Integrated Products
392(1)
Initial Certification Analysis Task 5: Life-Cycle Management Analysis
392(1)
Initial Certification Analysis Task 6: Security Requirements Validation Procedure Preparation
393(1)
Initial Certification Analysis Task 7: Vulnerability Assessment
394(2)
Analysis of the Certification Results Activity
396(1)
Phase 3: Validation
397(8)
SSAA Refinement Activity
398(1)
Certification Evaluation of the Integrated System Activity
398(1)
Certification Evaluation Task 1: Security Test and Evaluation (ST&E)
399(1)
Certification Evaluation Task 2: Penetration Testing
400(1)
Certification Evaluation Task 3: TEMPEST and RED-BLACK Verification
400(1)
Certification Evaluation Task 4: COMSEC Compliance Evaluation
401(1)
Certification Evaluation Task 5: System Management Analysis
401(1)
Certification Evaluation Task 6: Site Accreditation Survey
402(1)
Certification Evaluation Task 7: Contingency Plan Evaluation
407(1)
Certification Evaluation Task 8: Risk Management Review
402(1)
Recommendation to DAA Activity
403(1)
DAA Accreditation Decision Activity
403(2)
Phase 4: Post Accreditation
405(5)
System and Security Operation Activities
405(1)
System and Security Operation Task 1: SSAA Maintenance
407(1)
System and Security Operation Task 2: Physical, Personnel, and Management Control Review
407(1)
System and Security Operation Task 3: TEMPEST Evaluation
407(1)
System and Security Operation Task 4: COMSEC Compliance Evaluation
408(1)
System and Security Operation Task 5: Contingency Plan Maintenance
408(1)
System and Security Operation Task 6: Configuration Management
408(1)
System and Security Operation Task 7: System Security Management
409(1)
System and Security Operation Task 8: Risk Management Review
409(1)
Compliance Validation Activity
409(1)
Summary
410(5)
9 C&A NIST SP 800-37
415(32)
Introduction
415(6)
Roles and Responsibilities
418(1)
Scope of C&A Activities
419(2)
The C&A Process
421(4)
System Development Life Cycle
423(2)
Phase 1: Initiation
425(5)
Preparation Activity
425(1)
Preparation Task 1: Information System Description
427(1)
Preparation Task 2: Security Categorization
427(1)
Preparation Task 3: Threat Identification
427(1)
Preparation Task 4: Vulnerability Identification
427(1)
Preparation Task 5: Security Control Identification
427(1)
Preparation Task 6: Initial Risk Determination
427(1)
Notification and Resource Identification Activity
428(1)
Notification Task 1: Notification
428(1)
Notification Task 2: Planning and Resources
428(1)
Security Plan Analysis, Update, and Acceptance Activity
428(1)
Security Plan Task 1: Security Categorization Review
429(1)
Security Plan Task 2: SSP Analysis
429(1)
Security Plan Task 3: SSP Update
429(1)
Security Plan Task 4: SSP Acceptance
429(1)
Phase 2: Security Certification
430(4)
Security Control Assessment Activity
431(1)
Security Control Assessment Task 1: Review Documentation and Supporting Materials
431(1)
Security Control Assessment Task 2: Develop Methods and Procedures
431(1)
Security Control Assessment Task 3: Conduct Security Assessment
432(1)
Security Control Assessment Task 4: Create Security Assessment Report
432(1)
Security Certification Documentation Activity
432(1)
Security Certification Document Task 1: Present Findings and Recommendations
432(1)
Security Certification Document Task 2: Update SSP
432(1)
Security Certification Document Task 3: Prepare Plan of Action and Milestones
432(1)
Security Certification Document Task 4: Assemble Accreditation Package
433(1)
Phase 3: Security Accreditation
434(4)
Security Accreditation Decision Activity
436(1)
Security Accreditation Decision Activity Task 1: Final Risk Determination
436(1)
Security Accreditation Decision Activity Task 1: Residual Risk Acceptability
436(1)
Security Accreditation Package Documentation Activity
436(1)
Security Accreditation Package Task 1: Security Accreditation Package Transmission
437(1)
Security Accreditation Package Task 2: SSP Update
437(1)
Phase 4: Continuous Monitoring
438(3)
Configuration Management and Control Activity
438(1)
Configuration Management Task 1: Documentation of Information System Changes
440(1)
Configuration Management Task 2: Security Impact Analysis
440(1)
Ongoing Security Control Verification Activity
440(1)
Ongoing Security Control Verification Task 1: Security Control Selection
440(1)
Ongoing Security Control Verification Task 2: Selected Security Control Assessment
440(1)
Status Reporting and Documentation Activity
440(1)
Status Reporting and Documentation Task 1: SSP Update
441(1)
Status Reporting and Documentation Task 2: Status Reporting
441(1)
Summary
441(1)
Domain 2 References
442(1)
Web Sites
443(1)
Acronyms
443(4)
ISSE Domain 3: Technical Management Contributors and Reviewers 447(89)
10 Technical Management
449(87)
Introduction
449(4)
Elements of Technical Management
451(2)
Planning the Effort
453(8)
Starting Off
453(1)
Goals
454(2)
Plan the Effort
456(1)
Task 1: Estimate Project Scope
456(1)
Task 2: Identify Resources and Availability
457(1)
Task 3: Identify Roles and. Responsibilities
457(1)
Task 4: Estimate Project Costs
458(1)
Task 5: Develop Project Schedule
458(1)
Task 6: Identify Technical Activities
458(1)
Task 7: Identify Deliverables
458(1)
Task 8: Define Management Interfaces
458(1)
Task 9: Prepare Technical Management Plan
459(1)
Task 10: Review Project Management Plan
460(1)
Task 11: Obtain Customer Agreement
460(1)
Managing the Effort
461(3)
Task 1: Direct Technical Effort
461(1)
Task 2: Track Project Resources
462(1)
Task 3: Track Technical Parameters
462(1)
Task 4: Monitor Progress of Technical Activities
462(1)
Task 5: Ensure Quality of Deliverables
463(1)
Task 6: Manage Configuration Elements
463(1)
Task 7: Review Project Performance
463(1)
Task 8: Report Project Status
464(1)
Technical Roles and Responsibilities
464(4)
Technical Documentation
468(48)
System Engineering Management Plan (SEMP)
469(5)
Quality Management Plan
474(1)
The Concept of Quality
474(1)
Quality Management Plan
476(1)
Quality Control
476(1)
Total Quality Management
478(1)
Quality Management
478(1)
Quality Management in a Project — ISO 10006
479(5)
Configuration Management Plan
484(1)
Reasons for Change
487(1)
Implementation of Changes
487(1)
Evolution of Change
488(1)
Configuration Management as a System
489(1)
CM Management and Planning
489(1)
Configuration Identification
492(1)
Configuration Control
494(1)
Change Initiation
495(1)
The Review Process
497(1)
Configuration Status and Accounting
497(1)
Configuration Verification and Audit
500(1)
Risk Management Plan
501(2)
Statement of Work (SOW)
503(1)
Format
505(2)
Work Breakdown Structure (WBS)
507(1)
WBS and the Systems Security Engineering Process
508(1)
Types of WBS
510(1)
Level Identification
510(1)
Selecting WBS Elements
511(1)
WBS Dictionary
512(1)
What a WBS Is Not
512(1)
Other Work Breakdown Structures
514(1)
Milestones
514(1)
Development of Project Schedules
514(1)
Preparation of Cost Projections
515(1)
Technical Management Tools
516(13)
Scheduling Tools
517(1)
The Gantt Chart
517(2)
The PERT Chart
519(1)
PERT Example
519(1)
Key Events and Activities
520(1)
Defining Logical Relationships
521(1)
Assigning Durations
521(1)
Analyzing the Paths
528(1)
Impact of Change
529(1)
Software Tools
529(1)
Summary
530(1)
References
531(2)
Web Sites
533(3)
ISSEP Domain 4: Introduction to United States Government Information Assurance Regulations Contributors and Reviewers 536(227)
11 Information Assurance Organizations, Public Laws, and Public Policies
537(34)
Introduction
537(1)
Section 1: Federal Agencies and Organizations
538(5)
U.S. Congress
539(1)
White House
539(1)
Office of Management and Budget (OMB)
540(1)
Director of Central Intelligence/Director of National Intelligence
540(1)
National Security Agency (NSA)
541(1)
NSA Information Assurance Directorate (IAD)
541(1)
National Institute of Standards and Technology (NIST)
542(1)
Committee on National Security Systems (CNSS)
543(1)
National Information Assurance Partnership (MAP)
543(1)
Section 2: Federal Laws, Executive Directives and Orders, and OMB Directives
543(23)
U.S. Congress: Federal Laws
543(1)
H.R.145 Public Law: 100-235 (01/08/1988)
544(1)
Chapter 35 of title 44, United States Code
544(1)
H.R. 2458-48,
Chapter 35 of Title 44, United States Code TITLE III-Information Security X301 Information Security
546(1)
10 USC 2315 Defense Program
548(1)
5 USC § 552a, PL 93-579: The U.S. Federal Privacy Act of 1974
549(1)
Fraud and Related Activity in Connection with Computers
550(1)
18 USC §
1030. P.L. 99-474: The Computer Fraud and Abuse Act of 1984, Amended in 1994 and 1996, Broadened in 2001
551(1)
Executive Orders
552(1)
Executive Order (E0) 13231: Critical Infrastructure Protection in the Information Age (October 18, 2001)
552(1)
Office of Management and Budget (OMB) Circulars and Memoranda
553(1)
Office of Management and Budget (OMB) Circular A-130
553(1)
History
554(1)
Circular No. A-130, Revised, Transmittal Memorandum No. 4 (November 2000)
558(1)
OMB M-99-18: Privacy Policies and Data Collection on Federal Web Sites (June 1999)
560(1)
OMB M-00-13: Privacy Policies and Data Collection on Federal Web Sites (June 2000)
560(1)
OMB M-00-07: Incorporating and Funding Security in Information Systems Investments (February 2000)
561(1)
OMB M-01-08: Guidance on Implementing the Government Information Security Reform Act (January 2001)
563(1)
OMB M-03-19: Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting (August 6, 2003)
564(1)
Director of Central Intelligence Directive DCID 6/3
565(1)
Summary
566(1)
References
567(1)
Web Sites
568(3)
12 Department of Defense (DoD) Information Assurance Organizations and Policies
571(26)
Introduction
571(6)
Background Information
572(1)
Communities of Interest
575(1)
Metadata
575(1)
GIG Enterprise Services (GES)
576(1)
Net-Centric Data Strategy
576(1)
Overview of DoD Policies
577(3)
DoD Information Assurance (IA) Organizations and Departments
580(4)
Defensewide Information Assurance Program (DIAP)
580(1)
Defense Information Systems Agency (DISA)
580(1)
Defense Technical Information Center (DTIC®)
581(1)
National Security Agency (NSA) Information Assurance Directorate (IAD)
582(1)
Networks and Information Integration (NII)
582(1)
Information Assurance Support Environment (IASE)
583(1)
Defense Advanced Research Projects Agency (DARPA)
583(1)
DoD Issuances
584(11)
DoD 8500.1 Information Assurance (1A) (October 2002/November 2003)
585(4)
DoD 8500.2 Information Assurance Implementation (February 2003)
589(1)
Robustness Levels
590(2)
DoD IA Policies and DITSCAP
592(1)
DITSCAP Phases
594(1)
DoD 8510.1-M DITSCAP (July 2000)
594(1)
DoD 8510.xx DIACAP
595(1)
Summary
595(1)
References
596(1)
Web Sites
596(1)
13 Committee on National Security Systems
597(38)
Introduction
597(2)
Overview of CNSS and NSTISSC
599(2)
National Communication Security Committee (NCSC)
601(1)
CNSS and NSTISSC Issuances
601(1)
CNSS Policies
601(7)
NSTISSP No. 6, National Policy on Certification and Accreditation of National Security Telecommunications and Information Systems (April 1994)
602(1)
NSTISSP No. 7, National Policy on Secure Electronic Messaging Service (February 1995)
602(1)
NSTISSP No. 11, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products (Revision June 2003)
603(2)
NSTISSP No. 101, National Policy on Securing Voice Communications (September 1999)
605(1)
NSTISSP No. 200, National Policy on Controlled Access Protection (July 1987)
605(1)
CNSS Policy No. 14, National Policy Governing the Release of Information Assurance Products and Services to Authorized U.S. Persons or Activities That Arc Not a Part of the Federal Government (November 2002), Superseded NCSC-2 (1983)
606(2)
NCSC-5, National Policy on Use of Cryptomaterial by Activities Operating in High Risk Environments (U) (January 1981)
608(1)
CNSS Directive
608(1)
NSTISSD-500, Information Systems Security (INFOSEC) Education, Training, and Awareness (February 1993)
608(1)
CNSS Instructions
609(15)
NSTISSI No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP) (April 2000)
610(1)
NSTISSI No. 4009, National Information System Security (INFOSEC) Glossary (Revised May 2003)
610(1)
CNSS (NSTISSI) Training Standards
610(1)
NSTISSI No. 4011, National Training Standard for INFOSEC Professionals (June 1994)
611(1)
CNSSI No. 4012 (June 2004), National Information Assurance Training Standard for Senior System Managers, Supersedes NSTISSI No. 4012, National Training Standard for Designated Approving Authority (DAA) (August 1997)
612(4)
CNSSI No. 4013 (March 2004), National Information Assurance Training Standard for System Administrators Supersedes NSTISSI No. 4013 National Training Standard for System Administrators (August 1997)
616(1)
CNSSI No. 4014 (April 2004), National Information Assurance Training Standard for Information Systems Security Officers (ISSO), Supersedes NSTISSI No. 4014, National Training Requirements for Information System Security Officers (August 1997)
617(1)
NSTISSI No. 4015, National Training Standard for System Certifiers (December 2000)
618(4)
NSTISSI No. 7003, Protected Distribution Systems (December 1996)
622(1)
NACSI-6002, Protection of Government Contractor Telecommunications (June 1984)
623(1)
CNSS Advisory Memoranda
624(6)
NSTISSAM COMPUSEC 1-98, The Role of Firewalls and Guards in Enclave Boundary Protection (December 1998)
624(3)
NSTISSAM COMPUSEC 1-99, Advisory Memorandum on the Transition from Trusted Computer System Evaluation Criteria to Evaluation Criteria (TCSEC) to the International Common Criteria (CC) for Information Security Technology Evaluation (March 1999)
627(1)
NSTISSAM INFOSEC/1-00, Advisory Memorandum for the Use of FIPS 140 Validated Cryptographic Modules in Protecting Unclassified National Security Systems (February 2000)
627(1)
NSTISSAM INFOSEC 2-00, Advisory Memorandum for the Strategy for Using National Information Assurance Partnership (NIAP) for the Evaluation of Commercial Off-the-Shelf (COTS) Security Enabled Information Technology Products (February 2000)
628(1)
CNSSAM 1-04, Advisory Memorandum for Information Assurance (IA) — Security through Product Diversity (July 2004)
629(1)
Summary
630(1)
References
630(3)
Web Sites
633(2)
14 National Institute of Standards and Technology (NIST) Publications
635(80)
Introduction
635(6)
Federal Information Processing Standards (FIPS)
641(25)
FIPS 46-3, Data Encryption Standard (DES) (Reaffirmed October 1999)
643(2)
DES Background Information
645(2)
FIPS 81, DES Mode of Operation (December 1980)
647(1)
Electronic Codebook (ECB) Mode
648(1)
Cipher Block Chaining (CBC) Mode
650(1)
Cipher Feedback (CFB) Mode
651(1)
Output Feedback (OFB) Mode
652(1)
FIPS 102, Guidelines for Computer Security Certification and Accreditation (September 1983)
652(10)
FIPS 140-2, Security Requirement for Cryptographic Modules (May 2001; Supersedes FIPS 140-1, January 1994)
662(1)
The DES Challenge
662(2)
FIPS 197, Advance Encryption Standard (AES) (November 2001)
664(1)
FIPS 197 and CNSS Policy No. 15
665(1)
NIST Special Publications
666(44)
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook (October 1995)
666(3)
NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems (September 1996)
669(4)
NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems (December 1998)
673(1)
Developing an SSP
674(5)
NIST SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication (October 2000)
679(1)
NIST SP 800-27 Rev. A, Engineering Principles for Information Technology Security: A Baseline for Achieving Security, Revision A (June 2004)
680(5)
NIST SP 800-30, Risk Management Guide for Information Technology Systems (January 2002)
685(1)
Overview of Risk Management
686(1)
Risk Assessment
688(1)
Risk Mitigation
700(1)
Evaluation and Assessment
705(1)
NIST SP 800-47, Security Guide for Interconnecting information Technology Systems (September 2002)
706(4)
Summary
710(2)
References
712(2)
Web Sites
714(1)
15 National Information Assurance Partnership (NIAP) and Common Criteria (CC)
715(48)
Introduction
715(2)
Note to TSSEP: You are expected to know Common Criteria. Historical View of IT Security Evaluations
717(8)
Trusted Computer System Evaluation Criteria
718(3)
The Trusted Network Interpretation (TNI)
721(1)
Information Technology Security Evaluation Criteria (ITSEC)
722
Canadian Trusted Computer Product Evaluation Criteria (CTCPEC)
721(4)
National Information Assurance Partnership (NIAP)
725(1)
The Common Criteria
726(30)
CC Part 1: Introduction and General Model
729(1)
Protection Profile (PP)
729(1)
Security Target (ST)
729(1)
Target of Evaluation (TOE)
730(1)
Evaluation
730(1)
Evaluation Assurance Level (EAL)
730(1)
Security Environment
733(1)
Security Objectives
735(1)
Security Requirements
735(1)
TOE Summary Specification
737(1)
TOE Implementation
737(1)
Protection Profile and Security Target Contents
737(1)
Protection Profile Contents
737(1)
Security Target Contents
739(1)
CC Part 2: Security Functional Requirements
740(1)
CC Part 3: Security Assurance Requirements
741(4)
Protection Profile (PP) and Security Target (ST) Evaluation Criteria
745(1)
Assurance Classes, Families, and Components
745(3)
Assurance Maintenance Class
748(1)
Evaluation Assurance Levels
749(7)
CC Scenario
756(2)
Phase 1: Mission/Business Need
756(1)
Phase 2: Identify Security Requirements
756(1)
Phase 3: Identify Security Architecture
757(1)
Phase 4: Develop Detailed Security Design
757(1)
Phase 5: Implement System Security
758(1)
Phase 6: Assess Security Effectiveness
758(1)
Summary
758(1)
References
759(2)
Web Sites
761(2)
Appendix A: Linking ISSE Phases to SE Phases 763(14)
Appendix B: Enterprise Architecture 777(4)
Appendix C: Combining NIST SP 800-55 and SP 800-26 781(6)
Appendix D: Common Criteria Security Assurance Requirements 787(18)
Appendix E: ISSEP Sample Questions 805(142)
Index 947


Susan Hansche
Püsilink: https://www.kriso.ee/db/9780429207358_pe.html
Märksõnad: