Network Security CISSP-Discussion

Subject: [CISSP-D] REVIEW: "FISMA Certification and Accreditation Handbook", Laura Taylor
Date: Fri, 09 Mar 2007 11:56:32 -0800
BKFISMAC.RVW   20070113

"FISMA Certification and Accreditation Handbook", Laura Taylor, 2007,
1-59749-116-0, U$69.95/C$90.95
%A   Laura Taylor
%C   800 Hingham Street, Rockland, MA   02370
%D   2007
%G   1-59749-116-0 978-1-59749-116-7
%I   Syngress Media, Inc.
%O   U$69.95/C$90.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597491160/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1597491160/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491160/robsladesin03-20
%O   Audience a- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   498 p.
%T   "FISMA Certification and Accreditation Handbook"

The United States' Federal Information Systems Management Act mandates
certain standards of information security and controls for US federal
agencies.  It extends to contractors and other sources that support
the assets of federal government departments.  However, it may have
wider application yet, since it provides a solid basis for security
management, assessment, and assurance for large corporations as well.

Chapter one looks at definitions of various terms surrounding security
and controls.  It is interesting to note that to the usual
certification (assessment) and accreditation (acceptance) phases the
feds add an audit/evaluation phase between the two.  The National
Information Assurance Certification and Accreditation Process
(NIACAP), National Institute of Standards and Technology outline,
Defense Information Technology Systems Certification and Accreditation
Process  (DITSCAP), and Director of Central Intelligence Directive 6/3
(DCID 6/3), all directions on how to follow FISMA, are briefly
compared in chapter two.  A list of job descriptions, and a brief
outline of general project management steps makes up chapter three. 
Chapter four examines components of a certification and accreditation
program, mostly in terms of documentation.  Chapter five returns to
project management, with a quick look at the initiation phase.  An
even shorter mention of creating a hardware and software inventory is
in chapter six.  Chapter seven is nominally about determining the
proper level for certification (which is, again, primarily related to
the number of documents produced), but turns into an interesting and
valuable outline of information classification.  Much of chapter
eight, on self-assessment, is a reprinting of the NIST 800-26
guideline on that topic.  Security awareness and training is touched
on briefly in chapter nine.  Chapter ten, on rules of behaviour, is a
terse mix of acceptable use and incident response, but it leads rather
nicely into the longer examination of incident response in chapter
eleven.  Chapter twelve lists various types of assessment tools, such
as vulnerability scanners and code analyzers.  I found the privacy
impact assessment, in chapter thirteen, to be an interesting
perspective.  Chapter fourteen's material on business risk assessment
is concise but reasonable.  Business impact assessment, in fifteen, is
not quite as good, since it neglects the analysis of criticality of
operations.  Contingency planning is outlined well in chapter sixteen. 
Chapter seventeen takes a brief look at risk assessment, but manages
to hit all the high points.  Change management is reviewed in chapter
eighteen.  An overview system security plan document is described in
chapter nineteen.  The certification package is detailed from the
perspective of those submitting it (in chapter twenty) and those
evaluating or auditing it (chapter twenty-one).  Preparation of a plan
to correct residual weaknesses is addressed in chapter twenty-two. 
Chapter twenty-three looks at improving the standings and grading on a
Federal Computer Security Report Card.

There is much that is useful and helpful in this book, both in terms
of general information security management structure and process, and
in terms of references for those involved with FISMA related programs. 
However, for those who are new to the operation of US government
certification and accreditation, the basic requirements, and the
relation of the ancillary programs to FISMA itself, could have been
more fully explained.

copyright Robert M. Slade, 2007   BKFISMAC.RVW   20070113


======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
             Press any key to continue.  NO, NO, NOT *THAT* ONE!
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
