www.syngress.com
Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.
SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).
ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.
DOWNLOADABLE E-BOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.
SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.
SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.
CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.
Visit us at www.syngress.com
tion (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
FISMA Certification & Accreditation Handbook
Copyright © 2007 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
ISBN: 1-59749-116-0
ISBN-13: 978-1-59749-116-7
Publisher: Andrew Williams
Page Layout and Art: Patricia Lupien
Acquisitions Editor: Gary Byrne
Copy Editor: Adrienne Rebello
Technical Editor: Matthew Shepherd
Indexer: Richard Carlson
Cover Designer: Michael Kavish
Distributed by O’Reilly Media, Inc. in the United States and Canada.
For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email matt@syngress.com or fax to 781-681-3585.
The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.
David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Author
Laura Taylor is Director of Security Certification and Accreditation at COACT, Inc., a leading provider of security compliance solutions. Additionally, Ms. Taylor is the Founder of Relevant Technologies, a security research and advisory firm. Her security research has been used by the FDIC, the FBI, the IRS, various U.S. Federal Reserve Banks, U.S. Customs, the U.S. Treasury, the White House, and many publicly held Fortune 500 companies. Ms. Taylor specializes in security audits of financial institutions and has provided information security consulting services to some of the largest financial institutions in the world, including the U.S. Internal Revenue Service, the U.S. Treasury, the U.S. Governmentwide Accounting System, and National Westminster Bank, a division of the Royal Bank of Scotland.
Formerly, Ms. Taylor was Director of Security Research at TEC. Ms. Taylor also served as CIO of Schafer Corporation and Director of Information Security at Navisite. Earlier in her career, Ms. Taylor held various positions at Sun Microsystems, where she was awarded several Outstanding Performance awards, and a CIS Security Award. Ms. Taylor has also received awards from a division of the U.S. Financial Management Services commissioner for her assistance with FISMA-compliant Security C&A of highly sensitive systems. Ms. Taylor is a Certified Information Security Manager (CISM). Ms. Taylor has been featured in many media forums, including ABC-TV Business Now, CNET Radio, the Boston Business Journal, Computerworld, and The Montreal Gazette. Her research and popular security columns have been published on Web sites and in magazines, including Business Security Advisor, Forbes, SecurityWatch, eSecurityOnline, SecurityFocus, NetworkStorageForum, ZDNet, Datamation, MidRangeComputing, and Securify. Ms. Taylor has authored hundreds of research articles and papers on information security topics and has contributed to multiple books. Ms. Taylor graduated from Skidmore College with honors, and is a member of the Society of Professional Journalists, the IEEE Standards Association, and the National Security Agency’s IATFF Forum.
Contributing Author
Glenn Jacobson is a Senior Certification and Accreditation (C&A) Engineer with COACT Inc. Prior to working for COACT, Mr. Jacobson worked for SysNet Technologies Inc., where he worked on various C&A activities for the FAA. Mr. Jacobson’s FAA projects included security testing and planning, vulnerability analysis, remediation identification, and risk management. Prior to SysNet Technologies, Mr. Jacobson worked as a consultant for both government and civilian organizations, specializing in network and security solutions development and implementation. Currently, Mr. Jacobson is working on developing a C&A training class.
Technical Editor
a network administrator, IT manager, and security architect to deliver high-quality solutions for Project Performance Corporation’s clients. Currently, he is supporting the US Patent and Trademark Office’s Certification and Accreditation program.
Matt holds bachelor’s degrees from St. Mary’s College of Maryland and is currently working on his Master’s of Science in Information Assurance. Matt would like to thank his wife, Leena, for her invaluable support and guidance throughout his career, his family for their love and support, and Olive for making every day special.
Contents
Foreword xxiii
Preface xxv
Chapter 1 What Is Certification and Accreditation? 1
Introduction 2
Terminology 3
Audit and Report Cards 6
A Standardized Process 7
Templates, Documents, and Paperwork 8
Certification and Accreditation Laws Summarized 9
Summary 10
Notes 11
Chapter 2 Types of Certification and Accreditation 13
Introduction 14
The NIACAP Process 15
The NIST Process 16
NIACAP and NIST Phases, Differences, and Similarities 16
NIACAP and NIST Compared 17
DITSCAP 18
DCID 6/3 19
The Common Denominator of All C&A Methodologies 20
C&A for Private Enterprises 21
Summary 23
Notes 23
Chapter 3 Understanding the Certification and Accreditation Process 25
Introduction 26
Recognizing the Need for C&A 26
Roles and Responsibilities 27
Chief Information Officer 27
Authorizing Official 29
Senior Agency Information Security Officer 30
Senior Agency Privacy Official 31
Certification Agent/Evaluation Team 31
Business Owner 33
System Owner 33
Information Owner 33
Information System Security Officer 34
C&A Preparers 35
Agency Inspectors 35
GAO Inspectors 36
Levels of Audit 36
Stepping through the Process 37
The Initiation Phase 37
The Certification Phase 40
The Accreditation Phase 41
The Continuous Monitoring Phase 42
Summary 44
Chapter 4 Establishing a C&A Program 45
Introduction 46
C&A Handbook Development 46
What to Include in Your Handbook 47
Who Should Write the Handbook? 48
Template Development 48
Provide Package Delivery Instructions 50
Create an Evaluation Process 51
Authority and Endorsement 51
Improve Your C&A Program Each Year 52
Problems of Not Having a C&A Program 52
Missing Information 52
Lack of Organization 53
Inconsistencies in the Evaluation Process 53
Unknown Security Architecture and Configuration 53
Unknown Risks 54
Laws and Report Cards 54
Summary 55
Chapter 5 Developing a Certification Package 57
Introduction 58
Initiating Your C&A Project 58
Put Together a Contact List 58
Hold a Kick-Off Meeting 59
Obtain Any Existing Agency Guidelines 60
Analyze Your Research 61
Preparing the Documents 61
It’s Okay to Be Redundant 62
Different Agencies Have Different Requirements 62
Including Multiple Applications and Systems in One Package 63
Verify Your Information 64
Retain Your Ethics 64
Summary 66
Chapter 6 Preparing the Hardware and Software Inventory 67
Introduction 68
Determining the Accreditation Boundaries 68
Collecting the Inventory Information 70
Structure of Inventory Information 71
Delivery of Inventory Document 72
Summary 74
Chapter 7 Determining the Certification Level 75
Introduction 76
What Are the C&A Levels? 76
Level 1 76
Level 2 77
Level 3 77
Level 4 78
Importance of Determining the C&A Level 79
Don’t Make This Mistake 79
Criteria to Use for Determining the Levels 81
Confidentiality, Integrity, and Availability 81
Confidentiality 82
Determining the Confidentiality Level 83
Integrity 84
Determining the Integrity Level 84
Availability 85
Determining the Availability Level 86
How to Categorize Multiple Data Sets 86
Impact Levels and System Criticality 87
System Attribute Characteristics 89
Interconnection State (Interfacing Mode) 89
Access State (Processing Mode) 90
Accountability State (Attribution Mode) 91
Mission Criticality 92
Determining Level of Certification 93
Template for Levels of Determination 94
Rationale for the Security Level Recommendation 97
Process and Rationale for the C&A Level Recommendation 99
The Explanatory Memo 102
Template for Explanatory Memo 103
Summary 105
Chapter 8 Performing and Preparing the Self-Assessment 107
Introduction 108
Objectives 108
Designing the Survey 109
Levels of Compliance 109
Management Controls 111
Operational Controls 112
Technical Controls 113
Correlation with Security Policies and Laws 113
Answering the Questions 114
Questions for Self-Assessment Survey 116
Summary 137
Notes 138
Chapter 9 Addressing Security Awareness and Training Requirements 139
Introduction 140
Purpose of Security Awareness and Training 140
Security Training 141
Security Awareness 142
The Awareness and Training Message 142
Online Training Makes It Easy 144
Document Your Plan 144
Security Awareness and Training Checklist 145
Security Awareness Material Evaluation 145
Security Awareness Class Evaluation 147
Summary 148
Notes 148
Chapter 10 Addressing End-User Rules of Behavior 149
Introduction 150
Implementing Rules of Behavior 150
What Rules to Include 151
Rules for Applications, Servers, and Databases 151
Additional Rules for Handhelds 152
Additional Rules for Laptops and Desktop Systems 153
Additional Rules for Privileged Users 154
Consequences of Noncompliance 155
Rules of Behavior Checklist 155
Summary 156
Chapter 11 Addressing Incident Response 157
Introduction 158
Purpose and Applicability 158
Policies and Guidelines 159
Reporting Framework 160
Roles and Responsibilities 162
Agency CSIRC 162
Information System Owner and ISSO 163
Incident Response Manager 164
Definitions 165
Incident 165
Impact, Notification, and Escalation 166
Incident Handling 168
Detecting an Incident 169
Containment and Eradication 171
Recovery and Closure 172
Forensic Investigations 173
Incident Types 176
Incident Response Plan Checklist 180
Security Incident Reporting Form 181
Summary 183
Additional Resources 183
Incident Response Organizations 183
Additional Resources 184
Articles and Papers on Incident Response 185
Notes 186
Chapter 12 Performing the Security Tests and Evaluation 187
Introduction 188
Types of Security Tests 188
Confidentiality Tests 189
Integrity Tests 191
Availability Tests 192
Types of Security Controls 193
Management Controls 193
Operational Controls 194
Technical Controls 194
Testing Methodology and Tools 194
Algorithm Testing 197
Code and Memory Analyzers 198
Network and Application Scanners 199
Port Scanners 200
Port Listeners 201
Modem Scanners 201
Wireless Network Scanner 202
Wireless Intrusion Detection Systems 202
Wireless Key Recovery 203
Password Auditing Tools 203
Database Vulnerability Testing Tools 204
Test Management Packages 204
Who Should Perform the Tests? 205
Documenting the Tests 205
Analyzing the Tests and Their Results 205
Summary 207
Additional Resources 207
Books Related to Security Testing 207
Articles and Papers Related to Security Testing 208
Notes 209
Chapter 13 Conducting a Privacy Impact Assessment 211
Introduction 212
Privacy Laws, Regulations, and Rights 212
OMB Memoranda 213
Laws and Regulations 213
PIA Answers Questions 214
Personally Identifiable Information (PII) 215
Persistent Tracking Technologies 217
Determine Privacy Threats and Safeguards 218
Decommissioning of PII 219
System of Record Notice (SORN) 220
Posting the Privacy Policy 220
PIA Checklist 220
Summary 222
Books on Privacy 222
Notes 222
Chapter 14 Performing the Business Risk Assessment 225
Introduction 226
Determine the Mission 227
Create a Mission Map 229
Construct Risk Statements 230
Describe the Sensitivity Model 232
Impact Scale 233
Likelihood Scale 234
Calculating Risk Exposure 234
Lead the Team to Obtain the Metrics 235
Analyze the Risks 235
Make an Informed Decision 237
Accept the Risk 237
Transfer the Risk 238
Mitigate the Risk 238
Summary 241
Books and Articles on Risk Assessment 241
Notes 242
Chapter 15 Preparing the Business Impact Assessment 243
Introduction 244
Document Recovery Times 244
Establish Relative Recovery Priorities 245
Telecommunications 246
Infrastructure Systems 247
Secondary Systems 247
Define Escalation Thresholds 248
Record License Keys 249
BIA Organization 250
Summary 252
Additional Resources 252
Chapter 16 Developing the Contingency Plan 253
Introduction 254
List Assumptions 255
Concept of Operations 255
System Description 255
Network Diagrams and Maps 256
Data Sources and Destinations 256
Roles and Responsibilities 257
Contingency Planning Coordinator 258
Damage Assessment Coordinator 259
Emergency Relocation Site Adviser and Coordinator 260
Information Systems Operations Coordinator 260
Logistics Coordinator 260
Security Coordinator 261
Telecommunications Coordinator 261
Levels of Disruption 262
Procedures 263
Backup and Restoration Procedures 263
Procedures to Access Off-site Storage 264
Operating System Recovery Procedures 264
Application Recovery Procedures 265
Connectivity Recovery Procedures 265
Key Recovery Procedures 266
Power Recovery Procedures 266
Recovering and Assisting Personnel 267
Notification and Activation 267
Line of Succession 269
Service Level Agreements 269
Contact Lists 270
Testing the Contingency Plan 270
Appendices 271
Contingency Plan Checklist 271
Additional Resources 272
Chapter 17 Performing a System Risk Assessment 275
Introduction 276
Risk Assessment Creates Focus 276
Determine Vulnerabilities 278
Threats 280
Threats Initiated by People 280
Threats Initiated by Computers or Devices 280
Threats from Natural Disasters 281
Qualitative Risk Assessment 282
Quantitative Risk Assessment 283
Qualitative versus Quantitative Risk Assessment 287
Present the Risks 288
Make Decisions 291
Checklist 291
Summary 293
Additional Resources 293
Notes 294
Chapter 18 Developing a Configuration Management Plan 295
Introduction 296
Establish Definitions 296
Describe Assets Controlled by the Plan 297
Describe the Configuration Management System 298
Define Roles and Responsibilities 299
Establish Baselines 301
Change Control Process 302
Change Request Procedures 303
Emergency Change Request Procedures 303
Change Request Parameters 304
Configuration Control Board 304
Configuration Management Audit 306
Configuration and Change Management Tools 307
Configuration Management Plan Checklist 308
Summary 309
Additional Resources 309
Chapter 19 Preparing the System Security Plan 311
Introduction 312
Laws, Regulations, and Policies 312
The System Description 313
System Boundaries 315
System Mission 316
Data Flows 318
Security Requirements and Controls 318
Management Controls 325
Risk Mitigation 325
Reporting and Review by Management 326
System Lifecycle Requirements 328
Security Planning 329
Documentation for Managers 329
Operational Controls 330
Personnel Security 330
Physical and Environmental Controls and Safeguards 331
Administration and Implementation 332
Preventative Maintenance 333
Contingency and Disaster Recovery Planning 334
Training and Security Awareness 334
Incident Response Procedures 335
Preservation of Data Integrity 335
Network and System Security Operations 336
Technical Controls 338
Authentication and Identity Verification 338
Logical Access Controls 341
Secure Configurations 341
Interconnectivity Security 344
Audit Mechanisms 346
ISSO Appointment Letter 349
System Security Plan Checklist 351
Summary 353
Additional Resources 353
Notes 354
Chapter 20 Submitting the C&A Package 355
Introduction 356
Structure of Documents 356
Who Puts the Package Together? 357
Markings and Format 357
Signature Pages 358
A Word About “Not Applicable” Information 359
Submission and Revision 360
Defending the Certification Package 360
Checklist 362
Summary 363
Additional Resources 363
Chapter 21 Evaluating the Certification Package for Accreditation 365
Introduction 366
The Security Assessment Report 366
Checklists for Compliance 366
Compliance Checklist for Management Controls 368
Compliance Checklist for Operational Controls 380
Compliance Checklist for Technical Controls 392
Recommendation to Accredit or Not 404
Accreditation and Authority to Operate 405
Interim Authority to Operate 405
Evaluations by an OIG 407
Evaluations by the GAO 408
Checklist 409
Summary 410
Chapter 22 Addressing C&A Findings 411
Introduction 412
POA&Ms 412
Development and Approval 412
POA&M Elements 413
A Word to the Wise 416
Checklist 416
Summary 417
Chapter 23 Improving Your Federal Computer Security Report Card Scores 419
Introduction 420
Elements of the Report Card 420
Actions for Improvement 421
Trends 422
Summary 423
Chapter 24 Resources 425
Acronyms 428
Appendix A FISMA 431
Appendix B OMB Circular A-130: Appendix III 453
Appendix C FIPS 199 473
Index 485
Foreword
When I was the Security Staff Director of the Federal Deposit Insurance Corporation (FDIC), the Federal Information Security Management Act of 2002 (FISMA) was not yet in existence; however, the Government Information Security Reform Act (GISRA) was. Since GISRA was signed into law on October 30, 2000, U.S. federal agencies have been paying far more attention to information security than they did previously.
In 2002, FISMA was signed into law, creating more specific regulations for U.S. federal agencies than those established by GISRA. Today, with FISMA, and the process known to support FISMA, Certification and Accreditation (C&A), agencies are far more diligent about assessing their security controls and vulnerabilities. Despite what you may read in the news, however, many federal agencies are far more secure than their commercial counterparts in the private sector.
C&A is still a nascent science, and although excellent guidance exists on how to evaluate the risk exposure of federal information systems, agencies are still working on improving their C&A programs. C&A is, however, a large endeavor. Although the process has been proven to reduce risk to federal information systems, many people new to C&A don’t know where to start or how to get going on their C&A projects. Seasoned C&A experts continue to look for new ideas on how to improve their existing processes. This book is the first publication with numerous practical examples that can help you step through the C&A process from beginning to end. I wish this book had existed while I was the Security Staff Director of the FDIC so that I could have provided copies to my staff.
Federal agencies aside, the principles discussed in this book can be applied to almost any organization that cares about the security of its information technology systems and infrastructure. Cyber criminals, identity thieves, and terrorists have made information security assessments a requisite fundamental part of doing business today. Laws mandate information security compliance, and federal and private organizations are allocating budgets to ensure that their confidential information remains private and secure. Although the C&A process was first rolled out by federal agencies, I anticipate that private industry organizations will adopt C&A principles to assess their own systems going forward. There is a lot more to securing an infrastructure of systems and applications than simply performing penetration tests and security scans. This book was written so that almost anyone can understand it. If you’re interested in learning how to assess all the different security aspects of your systems, networks, and applications, this book is for you. With an abundance of pointers to outside references, this book includes almost all the resources you need to learn C&A. I hope you’ll find it as easy to follow as I have.
—Sunil J. Porter, Former Security Staff Director of the FDIC