Implementing cybersecurity : a guide to the National Institute of Standards and Technology Risk Management Framework / by Anne Kohnke, Ken Sigler and Dan Shoemaker.
Material type: Text
Series: Internal audit and IT audit
Publisher: Boca Raton, FL : CRC Press, 2017
Description: xxiii, 313 pages ; 25 cm
Content type:
- text
Media type:
- unmediated
Carrier type:
- volume
ISBN:
- 9781498785143 (hardback : alk. paper)
LOC classification:
- QA76.9.A25 K63463 2017
Item type | Current library | Shelving location | Call number | Copy number | Status | Date due | Barcode
---|---|---|---|---|---|---|---
Book | UAE Federation Library | General Collection | QA76.9.A25 K63463 2017 | C.1 | Library Use Only | | 30020000027221
Book | UAE Federation Library | General Collection | QA76.9.A25 K63463 2017 | C.2 | Available | | 30020000027222
Introduction to organizational security risk management -- Survey of existing risk management models -- Categorize information and information systems -- Select security controls -- Implement security controls -- Assess security controls -- Authorize information systems -- Monitor security state -- Practical application of the NIST risk management framework.
Table of contents:

- Cover
- Half Title
- Title Page
- Copyright page
- Contents
- Foreword
- Preface
  - Why the NIST RMF Is Important
  - Practical Benefits of Implementing the Risk Management Model
  - Who Should Read This Book
  - Organization of This Text
    - Chapter 1: Introduction to Organizational Security Risk Management
    - Chapter 2: Survey of Existing Risk Management Models
    - Chapter 3: Step 1 - Categorize Information and Information Systems
    - Chapter 4: Step 2 - Select Security Controls
    - Chapter 5: Step 3 - Implement Security Controls
    - Chapter 6: Step 4 - Assess Security Controls
    - Chapter 7: Step 5 - Authorize Information Systems
    - Chapter 8: Step 6 - Monitor Security State
    - Chapter 9: Practical Application of the NIST RMF
    - Appendix: (ISC)2 Certified Authorization Professional (CAP) Certification
- Authors
- Chapter 1: Introduction to Organizational Security Risk Management
  - 1.1 Introduction to the Book
  - 1.2 Risk Is Inevitable
  - 1.3 Strategic Governance and Risk Management
  - 1.4 Elements of Risk Management
  - 1.5 Risk Types and Risk Handling Strategies
  - 1.6 Overview of the Risk Management Process
    - 1.6.1 Establishing the Risk Management Planning Process
    - 1.6.2 Identifying and Categorizing the Risk Environment
    - 1.6.3 Risk Assessment
    - 1.6.4 Designing for Effective Risk Management
    - 1.6.5 Evaluating Candidates for Control
    - 1.6.6 Implementing Risk Management Controls
    - 1.6.7 Assessing the Effectiveness of Risk Controls
    - 1.6.8 Sustainment: Risk Assessment and Operational Evaluation of Change
    - 1.6.9 Evaluating the Overall Risk Management Function
  - 1.7 Chapter Summary
  - Glossary
- Chapter 2: Survey of Existing Risk Management Frameworks
  - 2.1 Survey of Existing Risk Management Models and Frameworks
  - 2.2 Standard Best Practice
  - 2.3 Making Risk Management Tangible
  - 2.4 Formal Architectures
  - 2.5 General Shape of the RMF Process
  - 2.6 RMF Implementation
  - 2.7 Other Frameworks and Models for Risk Management
  - 2.8 International Organization for Standardization 31000:2009
  - 2.9 ISO 31000 Implementation Process: Establishment
  - 2.10 COSO Enterprise Risk Management Framework
  - 2.11 Health Information Trust Alliance Common Security Framework
  - 2.12 Implementing the HITRUST CSF Control Structure
  - 2.13 NIST SP 800-30 and NIST SP 800-39 Standards
  - 2.14 Chapter Summary
  - Glossary
  - References
- Chapter 3: Step 1 - Categorize Information and Information Systems
  - 3.1 Introduction
  - 3.2 Security Impact Analysis
  - 3.3 FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
    - 3.3.1 FIPS 199: Security Categorization of Information Types
    - 3.3.2 FIPS 199: Security Categorization of Information Systems
  - 3.4 CNSSI No. 1253, Security Categorization and Control Selection for National Security Systems
    - 3.4.1 Implementation of Step 1: Security Categorization
  - 3.5 Security Categorization from the Organizational Perspective
    - 3.5.1 Establish Relationships with Organizational Entities
    - 3.5.2 Develop an Organization-Wide Categorization Program
    - 3.5.3 Prepare an Organization-Wide Guidance Program
    - 3.5.4 Lead Organization-Wide Categorization Sessions
    - 3.5.5 Security Categorization from the Management Perspective
    - 3.5.6 Security Categorization from the System Perspective
    - 3.5.7 Preparing for System Security Categorization
    - 3.5.8 Step 1: Identify System Information Types
    - 3.5.9 Step 2: Select Provisional Impact Values for Each Information Type
    - 3.5.10 Step 3: Adjust the Provisional Impact Levels of Information Types
    - 3.5.11 Step 4: Determine the Information System Security Impact Level
    - 3.5.12 Obtain Approval for the System Security Category and Impact Level
    - 3.5.13 Maintain the System Security Category and Impact Levels
  - 3.6 Chapter Summary
  - References
- Chapter 4: Step 2 - Select Security Controls
  - 4.1 Understanding Control Selection
  - 4.2 Federal Information Processing Standard Publication 200
  - 4.3 Implementation of Step 2: Select Security Controls
  - 4.4 Document Collection and Relationship Building
  - 4.5 Select Initial Security Control Baselines and Minimum Assurance Requirements
  - 4.6 Apply Scoping Guidance to Initial Baselines
  - 4.7 Determine Need for Compensating Controls
  - 4.8 Determine Organizational Parameters
  - 4.9 Supplement Security Controls
  - 4.10 Determine Assurance Measures for Minimum Assurance Requirements
  - 4.11 Complete Security Plan
  - 4.12 Develop Continuous Monitoring Strategy
  - 4.13 Approval of Security Plan and Continuous Monitoring Strategy
  - 4.14 Other Control Libraries
    - 4.14.1 Control Objectives for Information and Related Technology (COBIT 5)
    - 4.14.2 CIS Critical Security Controls
    - 4.14.3 Industrial Automation and Control Systems Security Life Cycle
    - 4.14.4 ISO/IEC 27001
  - 4.15 Chapter Summary
  - Glossary
  - References
- Chapter 5: Step 3 - Implement Security Controls
  - 5.1 Introduction
  - 5.2 Implementation of the Security Controls Specified by the Security Plan
  - 5.3 A System Perspective to Implementation
  - 5.4 A Management Perspective to Implementation
  - 5.5 Implementation via Security Life Cycle Management
  - 5.6 Establishing Effective Security Implementation through Infrastructure Management
  - 5.7 Finding the Fit: Security Implementation Projects and Organization Portfolios
  - 5.8 Security Implementation Project Management
  - 5.9 Document the Security Control Implementation in the Security Plan
  - 5.10 Chapter Summary
  - Glossary
  - References
- Chapter 6: Step 4 - Assess Security Controls
  - 6.1 Understanding Security Control Assessment
  - 6.2 Components of Security Control Assessment
  - 6.3 Control Assessment and the SDLC
  - 6.4 Ensuring Adequate Control Implementation
  - 6.5 Assessment Plan Development, Review, and Approval
  - 6.6 Security Control Assessment Procedures and Methodologies
  - 6.7 Assess Controls in Accordance with Assessment Plan
  - 6.8 Prepare the Security Assessment Report
  - 6.9 Initial Remedy Actions of Assessment Findings
  - 6.10 Chapter Summary
  - Glossary
  - References
- Chapter 7: Step 5 - Authorize: Preparing the Information System for Use
  - 7.1 Authorizing the Formal Risk Response
  - 7.2 Elements of Risk Management
  - 7.3 Certification and Accreditation
  - 7.4 Application of the RMF
  - 7.5 Security Authorizations/Approvals to Operate
  - 7.6 Certification of the Correctness of Security Controls
  - 7.7 Risk Management and Enterprise Architecture
  - 7.8 Particular Role of Requirements
  - 7.9 Drawing Hard Perimeters
  - 7.10 Preparing the Action Plan
  - 7.11 Preparing the Security Authorization Package
  - 7.12 Standard Risk Determination
  - 7.13 Chapter Summary
  - Glossary
  - References
- Chapter 8: Step 6 - Monitor Security State
  - 8.1 Sustaining the Organization's Risk Management Response
  - 8.2 Overview of the Process: Sustaining Effective Risk Monitoring
  - 8.3 Structuring the Risk-Monitoring Process
  - 8.4 Sustaining an Ongoing Control-Monitoring Process
  - 8.5 Establishing a Continuous Control Assessment Process
  - 8.6 Implementing a Practical Control System Monitoring Process
  - 8.7 Conducting Continuous Monitoring
  - 8.8 Practical Considerations
  - 8.9 Quantitative Measurement Considerations
  - 8.10 Keeping the Control Set Correct over Time
  - 8.11 Chapter Summary
  - Glossary
  - References
- Chapter 9: Practical Applications of the National Institute of Standards and Technology Risk Management Framework
  - 9.1 Applying the NIST RMF
  - 9.2 RMF Application
  - 9.3 Certification and Accreditation in the Federal Space
  - 9.4 In the Beginning: The Clinger-Cohen Act (1996)
  - 9.5 The E-Government Act of 2002: FISMA
  - 9.6 Implementing Information Security Controls: NIST 800-53
  - 9.7 Evaluating the Control Set
  - 9.8 Chapter Summary
  - Glossary
  - References
- Appendix
- Index