Implementing cybersecurity : a guide to the National Institute of Standards and Technology Risk Management Framework / by Anne Kohnke, Ken Sigler and Dan Shoemaker.

By:
Contributor(s):
Material type: Text
Series: Internal audit and IT audit
Publisher: Boca Raton, FL : CRC Press, 2017
Description: xxiii, 313 pages ; 25 cm
Content type:
  • text
Media type:
  • unmediated
Carrier type:
  • volume
ISBN:
  • 9781498785143 (Hardback : alk. paper)
Subject(s):
LOC classification:
  • QA76.9.A25 K63463 2017
Contents:
Introduction to organizational security risk management -- Survey of existing risk management models -- Categorize information and information systems -- Select security controls -- Implement security controls -- Assess security controls -- Authorize information systems -- Monitor security state -- Practical application of the NIST risk management framework.
Summary: Cover -- Half Title -- Title Page -- Copyright page -- Contents -- Foreword -- Preface -- Why the NIST RMF Is Important -- Practical Benefits of Implementing the Risk Management Model -- Who Should Read This Book -- Organization of This Text -- Chapter 1: Introduction to Organizational Security Risk Management -- Chapter 2: Survey of Existing Risk Management Models -- Chapter 3: Step 1-Categorize Information and Information Systems -- Chapter 4: Step 2-Select Security Controls -- Chapter 5: Step 3-Implement Security Controls -- Chapter 6: Step 4-Assess Security Controls -- Chapter 7: Step 5-Authorize Information Systems -- Chapter 8: Step 6-Monitor Security State -- Chapter 9: Practical Application of the NIST RMF -- Appendix: (ISC)2 Certified Authorization Professional (CAP) Certification -- Authors -- Chapter 1: Introduction to Organizational Security Risk Management -- 1.1 Introduction to the Book -- 1.2 Risk Is Inevitable -- 1.3 Strategic Governance and Risk Management -- 1.4 Elements of Risk Management -- 1.5 Risk Types and Risk Handling Strategies -- 1.6 Overview of the Risk Management Process -- 1.6.1 Establishing the Risk Management Planning Process -- 1.6.2 Identifying and Categorizing the Risk Environment -- 1.6.3 Risk Assessment -- 1.6.4 Designing for Effective Risk Management -- 1.6.5 Evaluating Candidates for Control -- 1.6.6 Implementing Risk Management Controls -- 1.6.7 Assessing the Effectiveness of Risk Controls -- 1.6.8 Sustainment: Risk Assessment and Operational Evaluation of Change -- 1.6.9 Evaluating the Overall Risk Management Function -- 1.7 Chapter Summary -- Glossary -- Chapter 2: Survey of Existing Risk Management Frameworks -- 2.1 Survey of Existing Risk Management Models and Frameworks -- 2.2 Standard Best Practice -- 2.3 Making Risk Management Tangible -- 2.4 Formal Architectures -- 2.5 General Shape of the RMF Process -- 2.6 RMF Implementation -- 2.7 Other Frameworks and Models for Risk Management -- 2.8 International Organization for Standardization 31000:2009 -- 2.9 ISO 31000 Implementation Process: Establishment -- 2.10 COSO Enterprise Risk Management Framework -- 2.11 Health Information Trust Alliance Common Security Framework -- 2.12 Implementing the HITRUST CSF Control Structure -- 2.13 NIST SP 800-30 and NIST SP 800-39 Standards -- 2.14 Chapter Summary -- Glossary -- References -- Chapter 3: Step 1-Categorize Information and Information Systems -- 3.1 Introduction -- 3.2 Security Impact Analysis -- 3.3 FIPS 199, Standards for Security Categorization of Federal Information and Information Systems -- 3.3.1 FIPS 199-Security Categorization of Information Types -- 3.3.2 FIPS 199-Security Categorization of Information Systems -- 3.4 CNSSI No. 1253, Security Categorization and Control Selection for National Security Systems -- 3.4.1 Implementation of Step 1-Security Categorization -- 3.5 Security Categorization from the Organizational Perspective -- 3.5.1 Establish Relationships with Organizational Entities -- 3.5.2 Develop an Organization-Wide Categorization Program -- 3.5.3 Prepare an Organization-Wide Guidance Program -- 3.5.4 Lead Organization-Wide Categorization Sessions -- 3.5.5 Security Categorization from the Management Perspective -- 3.5.6 Security Categorization from the System Perspective -- 3.5.7 Preparing for System Security Categorization -- 3.5.8 Step 1: Identify System Information Types -- 3.5.9 Step 2: Select Provisional Impact Values for Each Information Type -- 3.5.10 Step 3: Adjust the Provisional Impact Levels of Information Types -- 3.5.11 Step 4: Determine the Information System Security Impact Level -- 3.5.12 Obtain Approval for the System Security Category and Impact Level -- 3.5.13 Maintain the System Security Category and Impact Levels -- 3.6 Chapter Summary -- References -- Chapter 4: Step 2-Select Security Controls -- 4.1 Understanding Control Selection -- 4.2 Federal Information Processing Standard Publication 200 -- 4.3 Implementation of Step 2-Select Security Controls -- 4.4 Document Collection and Relationship Building -- 4.5 Select Initial Security Control Baselines and Minimum Assurance Requirements -- 4.6 Apply Scoping Guidance to Initial Baselines -- 4.7 Determine Need for Compensating Controls -- 4.8 Determine Organizational Parameters -- 4.9 Supplement Security Controls -- 4.10 Determine Assurance Measures for Minimum Assurance Requirements -- 4.11 Complete Security Plan -- 4.12 Develop Continuous Monitoring Strategy -- 4.13 Approval of Security Plan and Continuous Monitoring Strategy -- 4.14 Other Control Libraries -- 4.14.1 Control Objectives for Information and Related Technology (COBIT 5) -- 4.14.2 CIS Critical Security Controls -- 4.14.3 Industrial Automation and Control Systems Security Life Cycle -- 4.14.4 ISO/IEC 27001 -- 4.15 Chapter Summary -- Glossary -- References -- Chapter 5: Step 3-Implement Security Controls -- 5.1 Introduction -- 5.2 Implementation of the Security Controls Specified by the Security Plan -- 5.3 A System Perspective to Implementation -- 5.4 A Management Perspective to Implementation -- 5.5 Implementation via Security Life Cycle Management -- 5.6 Establishing Effective Security Implementation through Infrastructure Management -- 5.7 Finding the Fit: Security Implementation Projects and Organization Portfolios -- 5.8 Security Implementation Project Management -- 5.9 Document the Security Control Implementation in the Security Plan -- 5.10 Chapter Summary -- Glossary -- References -- Chapter 6: Step 4-Assess Security Controls -- 6.1 Understanding Security Control Assessment -- 6.2 Components of Security Control Assessment -- 6.3 Control Assessment and the SDLC -- 6.4 Ensuring Adequate Control Implementation -- 6.5 Assessment Plan Development, Review, and Approval -- 6.6 Security Control Assessment Procedures and Methodologies -- 6.7 Assess Controls in Accordance with Assessment Plan -- 6.8 Prepare the Security Assessment Report -- 6.9 Initial Remedy Actions of Assessment Findings -- 6.10 Chapter Summary -- Glossary -- References -- Chapter 7: Step 5-Authorize: Preparing the Information System for Use -- 7.1 Authorizing the Formal Risk Response -- 7.2 Elements of Risk Management -- 7.3 Certification and Accreditation -- 7.4 Application of the RMF -- 7.5 Security Authorizations/Approvals to Operate -- 7.6 Certification of the Correctness of Security Controls -- 7.7 Risk Management and Enterprise Architecture -- 7.8 Particular Role of Requirements -- 7.9 Drawing Hard Perimeters -- 7.10 Preparing the Action Plan -- 7.11 Preparing the Security Authorization Package -- 7.12 Standard Risk Determination -- 7.13 Chapter Summary -- Glossary -- References -- Chapter 8: Step 6-Monitor Security State -- 8.1 Sustaining the Organization's Risk Management Response -- 8.2 Overview of the Process: Sustaining Effective Risk Monitoring -- 8.3 Structuring the Risk-Monitoring Process -- 8.4 Sustaining an Ongoing Control-Monitoring Process -- 8.5 Establishing a Continuous Control Assessment Process -- 8.6 Implementing a Practical Control System Monitoring Process -- 8.7 Conducting Continuous Monitoring -- 8.8 Practical Considerations -- 8.9 Quantitative Measurement Considerations -- 8.10 Keeping the Control Set Correct over Time -- 8.11 Chapter Summary -- Glossary -- References -- Chapter 9: Practical Applications of the National Institute of Standards and Technology Risk Management Framework -- 9.1 Applying the NIST RMF -- 9.2 RMF Application -- 9.3 Certification and Accreditation in the Federal Space -- 9.4 In the Beginning: The Clinger-Cohen Act (1996) -- 9.5 The E-Government Act of 2002: FISMA -- 9.6 Implementing Information Security Controls-NIST 800-53 -- 9.7 Evaluating the Control Set -- 9.8 Chapter Summary -- Glossary -- References -- Appendix -- Index
Holdings
Item type | Current library | Call number | Copy number | Status | Date due | Barcode
Book | UAE Federation Library, General Collection | QA76.9.A25 K63463 2017 | C.1 | Library Use Only | | 30020000027221
Book | UAE Federation Library, General Collection | QA76.9.A25 K63463 2017 | C.2 | Available | | 30020000027222

Abu Dhabi, United Arab Emirates

reference@ecssr.ae

+97124044780

Copyright © 2024 Emirates Center for Strategic Studies and Research. All rights reserved.