REVIEW: "FISMA Certification and Accreditation Handbook", Laura Taylor

    Message 1 of 1, Mar 9, 2007
      BKFISMAC.RVW 20070113

      "FISMA Certification and Accreditation Handbook", Laura Taylor, 2007,
      1-59749-116-0, U$69.95/C$90.95
      %A Laura Taylor
      %C 800 Hingham Street, Rockland, MA 02370
      %D 2007
      %G 1-59749-116-0 978-1-59749-116-7
      %I Syngress Media, Inc.
      %O U$69.95/C$90.95 781-681-5151 fax: 781-681-3585 www.syngress.com
      %O http://www.amazon.com/exec/obidos/ASIN/1597491160/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/1597491160/robsladesin03-20
      %O Audience a- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 498 p.
      %T "FISMA Certification and Accreditation Handbook"

      The United States' Federal Information Security Management Act mandates
      certain standards of information security and controls for US federal
      agencies. It extends to contractors and other sources that support
      the assets of federal government departments. However, it may have
      wider application yet, since it provides a solid basis for security
      management, assessment, and assurance for large corporations as well.

      Chapter one looks at definitions of various terms surrounding security
      and controls. It is interesting to note that to the usual
      certification (assessment) and accreditation (acceptance) phases the
      feds add an audit/evaluation phase between the two. The National
      Information Assurance Certification and Accreditation Process
      (NIACAP), National Institute of Standards and Technology outline,
      Defense Information Technology Systems Certification and Accreditation
      Process (DITSCAP), and Director of Central Intelligence Directive 6/3
      (DCID 6/3), all directions on how to follow FISMA, are briefly
      compared in chapter two. A list of job descriptions and a brief
      outline of general project management steps make up chapter three.
      Chapter four examines components of a certification and accreditation
      program, mostly in terms of documentation. Chapter five returns to
      project management, with a quick look at the initiation phase. An
      even shorter mention of creating a hardware and software inventory is
      in chapter six. Chapter seven is nominally about determining the
      proper level for certification (which is, again, primarily related to
      the number of documents produced), but turns into an interesting and
      valuable outline of information classification. Much of chapter
      eight, on self-assessment, is a reprinting of the NIST 800-26
      guideline on that topic. Security awareness and training is touched
      on briefly in chapter nine. Chapter ten, on rules of behaviour, is a
      terse mix of acceptable use and incident response, but it leads rather
      nicely into the longer examination of incident response in chapter
      eleven. Chapter twelve lists various types of assessment tools, such
      as vulnerability scanners and code analyzers. I found the privacy
      impact assessment, in chapter thirteen, to be an interesting
      perspective. Chapter fourteen's material on business risk assessment
      is concise but reasonable. Business impact assessment, in fifteen, is
      not quite as good, since it neglects the analysis of criticality of
      operations. Contingency planning is outlined well in chapter sixteen.
      Chapter seventeen takes a brief look at risk assessment, but manages
      to hit all the high points. Change management is reviewed in chapter
      eighteen. An overview system security plan document is described in
      chapter nineteen. The certification package is detailed from the
      perspective of those submitting it (in chapter twenty) and those
      evaluating or auditing it (chapter twenty-one). Preparation of a plan
      to correct residual weaknesses is addressed in chapter twenty-two.
      Chapter twenty-three looks at improving the standings and grading on a
      Federal Computer Security Report Card.

      There is much that is useful and helpful in this book, both in terms
      of general information security management structure and process, and
      in terms of references for those involved with FISMA related programs.
      However, for those who are new to the operation of US government
      certification and accreditation, the basic requirements, and the
      relation of the ancillary programs to FISMA itself, could have been
      more fully explained.

      copyright Robert M. Slade, 2007 BKFISMAC.RVW 20070113

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Press any key to continue. NO, NO, NOT *THAT* ONE!
      Dictionary of Information Security www.syngress.com/catalog/?pid=4150