REVIEW: "FISMA Certification and Accreditation Handbook", Laura Taylor
- BKFISMAC.RVW 20070113
"FISMA Certification and Accreditation Handbook", Laura Taylor, 2007, 1-59749-116-0, U$69.95/C$90.95
%A Laura Taylor
%C 800 Hingham Street, Rockland, MA 02370
%G 1-59749-116-0 978-1-59749-116-7
%I Syngress Media, Inc.
%O U$69.95/C$90.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O Audience a- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 498 p.
%T "FISMA Certification and Accreditation Handbook"
The United States' Federal Information Security Management Act (FISMA)
mandates certain standards of information security and controls for
US federal agencies. It extends to contractors and other entities that
support or operate the information assets of federal government
departments. However, it may have wider application yet, since it
provides a solid basis for security management, assessment, and
assurance for large corporations as well.
Chapter one looks at definitions of various terms surrounding security
and controls. It is interesting to note that to the usual
certification (assessment) and accreditation (acceptance) phases the
feds add an audit/evaluation phase between the two. The National
Information Assurance Certification and Accreditation Process
(NIACAP), the National Institute of Standards and Technology (NIST)
outline, the Defense Information Technology Systems Certification and
Accreditation Process (DITSCAP), and Director of Central Intelligence
Directive 6/3 (DCID 6/3), all certification and accreditation
methodologies used in meeting FISMA requirements, are briefly compared
in chapter two. A list of job descriptions, and a brief outline of
general project management steps, make up chapter three.
Chapter four examines components of a certification and accreditation
program, mostly in terms of documentation. Chapter five returns to
project management, with a quick look at the initiation phase. An
even shorter mention of creating a hardware and software inventory is
in chapter six. Chapter seven is nominally about determining the
proper level for certification (which is, again, primarily related to
the number of documents produced), but turns into an interesting and
valuable outline of information classification. Much of chapter
eight, on self-assessment, is a reprinting of the NIST 800-26
guideline on that topic. Security awareness and training is touched
on briefly in chapter nine. Chapter ten, on rules of behaviour, is a
terse mix of acceptable use and incident response, but it leads rather
nicely into the longer examination of incident response in chapter
eleven. Chapter twelve lists various types of assessment tools, such
as vulnerability scanners and code analyzers. I found the privacy
impact assessment, in chapter thirteen, to be an interesting
perspective. Chapter fourteen's material on business risk assessment
is concise but reasonable. Business impact assessment, in chapter
fifteen, is not quite as good, since it neglects the analysis of the
criticality of operations. Contingency planning is outlined well in
chapter sixteen.
Chapter seventeen takes a brief look at risk assessment, but manages
to hit all the high points. Change management is reviewed in chapter
eighteen. An overview system security plan document is described in
chapter nineteen. The certification package is detailed from the
perspective of those submitting it (in chapter twenty) and those
evaluating or auditing it (chapter twenty-one). Preparation of a plan
to correct residual weaknesses is addressed in chapter twenty-two.
Chapter twenty-three looks at improving the standings and grading on a
Federal Computer Security Report Card.
There is much that is useful and helpful in this book, both in terms
of general information security management structure and process, and
in terms of references for those involved with FISMA related programs.
However, for those who are new to the operation of US government
certification and accreditation, the basic requirements, and the
relation of the ancillary programs to FISMA itself, could have been
more fully explained.
copyright Robert M. Slade, 2007 BKFISMAC.RVW 20070113