»
FISMA and the Risk Management Framework
 
 

FISMA and the Risk Management Framework, 1st Edition

The New Practice of Federal Cyber Security

 
FISMA and the Risk Management Framework, 1st Edition,Stephen Gantz,Daniel Philpott,ISBN9781597496414
 
 
Up to
25%
off
 

  &      

Syngress

9781597496414

9781597496421

584

235 X 191

Learn how to meet federal information security compliance requirements and manage security risks for your organization's information systems!

Print Book + eBook

USD 83.34
USD 138.90

Buy both together and save 40%

Print Book

Paperback

In Stock

Estimated Delivery Time
USD 52.46
USD 69.95

eBook
eBook Overview

VST (VitalSource Bookshelf) format

DRM-free included formats : EPUB, Mobi (for Kindle), PDF

USD 51.71
USD 68.95
Add to Cart
 
 

Key Features

  • Learn how to build a robust, near real-time risk management system and comply with FISMA
  • Discover the changes to FISMA compliance and beyond
  • Gain your systems the authorization they need

Description

FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security deals with the Federal Information Security Management Act (FISMA), a law that provides the framework for securing information systems and managing risk associated with information resources in federal government agencies. Comprised of 17 chapters, the book explains the FISMA legislation and its provisions, strengths and limitations, as well as the expectations and obligations of federal agencies subject to FISMA. It also discusses the processes and activities necessary to implement effective information security management following the passage of FISMA, and it describes the National Institute of Standards and Technology's Risk Management Framework. The book looks at how information assurance, risk management, and information systems security is practiced in federal government agencies; the three primary documents that make up the security authorization package: system security plan, security assessment report, and plan of action and milestones; and federal information security-management requirements and initiatives not explicitly covered by FISMA. This book will be helpful to security officers, risk managers, system owners, IT managers, contractors, consultants, service providers, and others involved in securing, managing, or overseeing federal information systems, as well as the mission functions and business processes supported by those systems.

Readership

Information Security Auditors; Information Security Analysts, Penetration Testers, FISMA compliance staff, ST&E contractors, Information Security Engineers

Stephen Gantz

Stephen Gantz (CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO) is an information security and IT consultant with over 20 years of experience in security and privacy management, enterprise architecture, systems development and integration, and strategic planning. He currently holds an executive position with a health information technology services firm primarily serving federal and state government customers. He is also an Associate Professor of Information Assurance in the Graduate School at University of Maryland University College. He maintains a security-focused website and blog at http://www.securityarchitecture.com. Steve’s security and privacy expertise spans program management, security architecture, policy development and enforcement, risk assessment, and regulatory compliance with major legislation such as FISMA, HIPAA, and the Privacy Act. His industry experience includes health, financial services, higher education, consumer products, and manufacturing, but since 2000 his work has focused on security and other information resources management functions in federal government agencies. His prior work history includes completing projects for government clients including the Departments of Defense, Labor, and Health and Human Services, Office of Management and Budget, Federal Deposit Insurance Corporation, U.S. Postal Service, and U.S. Senate. Steve holds a master’s degree in public policy from the Kennedy School of Government at Harvard University, and also earned his bachelor’s degree from Harvard. He is nearing completion of the Doctor of Management program at UMUC, where his dissertation focuses on trust and distrust in networks and inter-organizational relationships. Steve currently resides in Arlington, Virginia with his wife Reneé and children Henry, Claire, and Gillian.

Affiliations and Expertise

CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, Founder and Principal Architect of SecurityArchitecture.com.

Daniel Philpott

Daniel Philpott is a Federal Information Security Architect with the Information Assurance Division of Tantus Technologies where he works with Federal agencies on FISMA compliance and Risk Management. Dan is a respected information security practitioner specializing in Federal information security needs including FISMA, Cybersecurity, SCAP, FDCC, HSPD-12, risk management, governance, cloud computing, social media and web application security. He is founder of the FISMApedia.org wiki and FISMA Arts training project. You can find his comments and analysis at Guerilla-CISO.com and ArielSilverstone.com, where he is a guest blogger. As a sought after public speaker on Federal information security he is frequently featured in interviews and articles by a variety of security news sources and podcasts. Dan started his career in IT at age 13, beta testing display terminals at ProType Corporation. Since that time he has held a variety of positions in the field. While often working on security issues (cryptography, host hardening, network hardening, resilient architectures and application security) he made information security his career in 1998 during his work at National Institute of Standards and Technology. In the Federal space he has worked with the National Institutes of Health, Department of Commerce Technology Administration, U.S. Agency for International Development and NIST. Having experienced Federal information security before and after FISMA he is a strong proponent of the changes FISMA has brought about. Approaching information security with a strong focus on effective reduction of risk, Dan brings an technical and operational security perspective to the theory and practice of FISMA compliance. His long experience in the IT security field provides his Federal clients with depth of knowledge and a diverse skill set encompassing compliance, governance, practice, technology and risk management.

Affiliations and Expertise

Daniel Philpott, Federal Information Security Architect, Information Assurance Division of Tantus Technologies

FISMA and the Risk Management Framework, 1st Edition

Dedication

Trademarks

Acknowledgements

About the Author

Chapter 1. Introduction

Introduction

FISMA Applicability and Implementation

FISMA Provisions

Strengths and Shortcomings of FISMA

Structure and Content

Relevant Source Material

Summary

References

Chapter 2. Federal Information Security Fundamentals

Information Security in the Federal Government

Certification and Accreditation

Organizational Responsibilities

Relevant Source Material

Summary

References

Chapter 3. Thinking About Risk

Understanding Risk

Trust, Assurance, and Security

Risk Associated with Information Systems

Relevant Source Material

Summary

References

Chapter 4. Thinking About Systems

Defining Systems in Different Contexts

Perspectives on Information Systems

Establishing Information System Boundaries

Maintaining System Inventories

Relevant Source Material

Summary

References

Chapter 5. Success Factors

Prerequisites for Organizational Risk Management

Managing the Information Security Program

Compliance and Reporting

Organizational Success Factors

Measuring Security Effectiveness

Relevant Source Material

Summary

References

Chapter 6. Risk Management Framework Planning and Initiation

Planning

Planning the RMF Project

Prerequisites for RMF Initiation

Establishing a Project Plan

Roles and Responsibilities

Getting the Project Underway

Relevant Source Material

Summary

References

Chapter 7. Risk Management Framework Steps 1 & 2

Purpose and Objectives

Standards and Guidance

Step 1: Categorize Information System

Step 2: Select Security Controls

Relevant Source Material

Summary

References

Chapter 8. Risk Management Framework Steps 3 & 4

Working with Security Control Baselines

Roles and Responsibilities

Step 3: Implement Security Controls

Step 4: Assess Security Controls

Relevant Source Material

Summary

References

Chapter 9. Risk Management Framework Steps 5 & 6

Preparing for System Authorization

Step 5: Authorize Information System

Step 6: Monitor Security Controls

Relevant Source Material

Summary

References

Chapter 10. System Security Plan

Purpose and Role of the System Security Plan

Structure and Content of the System Security Plan

Developing the System Security Plan

Managing System Security Using the SSP

Relevant Source Material

Summary

References

Chapter 11. Security Assessment Report

Security Assessment Fundamentals

Performing Security Control Assessments

The Security Assessment Report in Context

Relevant Source Material

Summary

References

Chapter 12. Plan of Action and Milestones

Regulatory Background

Structure and Content of the Plan of Action and Milestones

Weaknesses and Deficiencies

Producing the Plan of Action and Milestones

Maintaining and Monitoring the Plan of Action and Milestones

Relevant Source Material

Summary

References

Chapter 13. Risk Management

Risk Management

Three-Tiered Approach

Components of Risk Management

Information System Risk Assessments

Relevant Source Material

Summary

References

Chapter 14. Continuous Monitoring

The Role of Continuous Monitoring in the Risk Management Framework

Continuous Monitoring Process

Technical Solutions for Continuous Monitoring

Relevant Source Material

Summary

References

Chapter 15. Contingency Planning

Introduction to Contingency Planning

Contingency Planning and Continuity of Operations

Information System Contingency Planning

Developing the Information System Contingency Plan

Operational Requirements for Contingency Planning

Relevant Source Material

Summary

References

Chapter 16. Privacy

Privacy Requirements for Federal Agencies Under FISMA and the E-Government Act

Federal Agency Requirements Under the Privacy Act

Privacy Impact Assessments

Protecting Personally Identifiable Information (PII)

Other Legal and Regulatory Sources of Privacy Requirements

Relevant Source Material

Summary

References

Chapter 17. Federal Initiatives

Network Security

Cloud Computing

Application Security

Identity and Access Management

Other Federal Security Management Requirements

Relevant Source Material

Summary

References

Appendix A. References

References

Appendix B. Acronyms

Acronyms and Abbreviations

Appendix C. Glossary

Glossary

Index

Quotes and reviews

"For the person who needs to build a solid IT system and get it through the process of security authorization, this work will be a perfect source. The authors structured the contents logically, which makes it easy to find information. The book can be used as a compendium of security knowledge, to which one can return many times to find important details when needed."--IEEE Communications, July 2014
"Gantz explains the Federal Information Security Management Act (FISMA), describes the obligations it places on federal agencies and others subject to the legislation's rules about securing information systems, and details the processes and activities needed to implement effective information security management following FISMA and using the Risk Management Framework of the National Institute of Standards and Technology."--Reference and Research Book News, August 2013

 
 
Free Shipping
Shop with Confidence

Free Shipping around the world
▪ Broad range of products
▪ 30 days return policy
FAQ

Contact Us