Definitive Guide to the C&A Transformation Process : The First Publication of a Comprehensive View of the C&A Transformation.
Title:
Definitive Guide to the C&A Transformation Process : The First Publication of a Comprehensive View of the C&A Transformation.
Author:
Mehan, Julie.
ISBN:
9781849280075
Edition:
1st ed.
Physical Description:
1 online resource (601 pages)
Contents:
INTRODUCTION -- Who is the target audience? -- Terminology -- Overview of the contents -- CHAPTER 1: AN ABRIDGED HISTORY OF INFORMATION TECHNOLOGY AND INFORMATION SYSTEMS SECURITY -- From physical to virtual - a highly abridged history of information technology -- Information systems and information systems security - merging concerns -- 40 years ago: The Dinosaur Age - the mainframe -- 30 years ago: The caveman and the wheel - ftp, email, and telnet -- 20 years ago: The automobile meets the road - rise of the personal computer -- 10 years ago: The Autobahn - the information super-highway -- Today: The sky is the limit - networking without boundaries! -- References -- CHAPTER 2: THE ESSENTIAL INFORMATION SYSTEMS SECURITY REGULATIONS -- Information systems security regulations you need to know -- Executive orders, laws, regulations, and standards -- Laws -- Executive orders -- Regulations -- Policy, guidance and standards -- Miscellaneous legislation affecting the authorization process -- Health Information Portability and Accountability Act (HIPAA) -- Sarbanes-Oxley -- Federal Information System Controls Audit Manual (FISCAM) -- The C&A transformation - The future is here (near) -- References -- CHAPTER 3: THE AUTHORIZATION PROCESS FRAMEWORK -- Commonly found authorization process deficiencies -- Risk assessments were not conducted or did not provide an adequate basis for a risk-based decision -- Information system sensitivity levels were inconsistent or incorrect -- Inappropriate or insufficient security controls -- Authorization decisions were based on inadequate and inconsistent testing -- Processes for security controls reviews were inadequate or nonexistent -- Authorization process commonalities -- The basic authorization framework -- Factors that influence authorization activities -- Joint or reciprocal authorization -- Joint accreditation.

Reciprocal accreditations -- References -- CHAPTER 4: THE AUTHORIZATION PROCESS - ESTABLISHING A FOUNDATION -- Authorization is only one part of an effective security program -- Making the business case - what is the ROSI? -- Don't sell FUD - tell them what they have to gain -- Designing an effective information security program -- Defining the program -- The 5000 meter view -- Getting and keeping resources -- Security governance - establishing the right roles and responsibilities -- Senior leadership -- Chief information officer (CIO) -- Senior agency information security officer (SAISO)/chief information security officer (CISO) -- Authorizing official (AO)/designated accrediting authority (DAA) -- Information systems security manager (ISSM)/information assurance manager (IAM) -- Information system security officer (ISSO)/information assurance officer (IAO) -- Certifying authority (CA) -- Information owner/information steward -- Information system owner or program manager (PM)/information system steward -- Users -- Subject matter experts (SME) -- Contractors -- But I'm just a small organization… -- Can roles and responsibilities be delegated? -- Systems security training and certification -- Developing and publishing plans and policies -- Measuring progress -- Milestones from the "establishing a foundation" activities -- References -- CHAPTER 5: PRE-AUTHORIZATION ACTIVITIES - THE FUNDAMENTALS -- Establish the authorization team -- Authorization roles by team member -- Training the authorization team should not be an afterthought -- Categorizing the information system -- Identifying the type of information system -- Enclave -- Automation information system (AIS) application -- Outsourced IT -- Platform IT -- Identifying the information -- Defining the boundary ensures manageable and measurable authorization -- Network topology -- Organization.

Mission -- Location -- Data sensitivity or classification -- Boundary considerations: too narrow or too broad -- Helpful hints -- Establishing a risk management process -- The risk assessment process -- Step 1: Prepare and plan the risk assessment -- Step 2: Identifying assets -- Step 3: Perform asset sensitivity analysis -- Step 4: Conduct a threat analysis -- Step 5: Conduct a vulnerability analysis -- Step 6: Execute cost/impact analysis -- Step 7: Finalize risk assessment and analysis -- Step 8: Assess residual risk against risk tolerance -- The full risk assessment: Yes or No? -- Align with the system life cycle (SLC) -- Milestones from the pre-certification and accreditation activities -- References -- CHAPTER 6: PLAN, INITIATE AND IMPLEMENT AUTHORIZATION - PREPARING FOR AUTHORIZATION -- UNDERSTAND the information and the information system -- Who is involved? -- Scope and level of effort -- Information obtained from documentation -- Plan and schedule -- Cost -- System security categorization for information -- Subtask 1: Identify the information type(s) -- Subtask 2: Select the provisional or initial impact level -- Subtask 3: Review the provisional/initial impact levels and adjust -- Subtask 4: Assign system security category -- Additional notes on security category -- The final output: Identification of the security controls baseline -- Selecting the initial baseline -- Supplementing the initial baseline -- Identifying common or inherited controls -- REGISTER the information system -- Who is involved? -- The registration process -- It's all about the money! -- NEGOTIATE the authorization approach -- Negotiations associated with system type -- Major applications (MAs)/AIS applications -- General support system (GSS) or enclave -- The authorization plan -- IMPLEMENT the security controls.

Implementation factors -- Technology-related implementation factors -- Infrastructure-related implementation factors -- Public access-related implementation factors -- Scalability-related implementation factors -- Common/inherited control-related implementation factors -- Risk-related implementation factors -- Implementation guidance -- Operational or management control -- Technical control -- Results of implementation: Evidence or artifacts -- Milestones from the plan, initiate, and implement authorization activities -- CHAPTER 7: VERIFY, VALIDATE & AUTHORIZE - CONDUCTING THE AUTHORIZATION -- ASSESS the security controls -- What is security control testing? -- What should be tested? -- Who executes security control testing? -- Validation testing in federal agencies -- Validation testing within DOD -- Security control test procedures -- Security control assessment methods -- Examine - "E" -- Interview - "I" -- Test - "T" -- Observation - "O" -- Executing the security controls assessment -- Plan the security controls assessment -- Execute the security controls test -- Analyze, document, and report the results in the security assessment report (SAR) -- DEVELOP the plan of action and milestones (POA&M) -- Importance of the POA&M -- How the POA&M fits into the information system security evaluation -- Benefits of the POA&M process -- The POA&M process of weakness remediation -- Summary -- AUTHORIZE the operation of the information system -- The security authorization package -- The system security plan (SSP) -- A plan of action and milestones (POA&M) -- The certification statement -- Importance of the certifying authority and the certification statement -- The security authorization decision -- Authorization to operate (ATO) -- Interim authorization to operate (IATO) -- Denial of authorization to operate (DATO) -- Interim authority to test (IATT).

Accreditation decision letter -- Milestones from the verify, validate and authorize activities -- CHAPTER 8: OPERATE & MAINTAIN - MAINTAINING AUTHORIZATION -- MONITOR the security control status: situational awareness -- Change and configuration management -- What is a security relevant event? -- Configuration management processes -- What is a configuration management plan? -- Why have a configuration management plan? -- When should you develop a CMP? -- Ongoing security control verification -- CONDUCT the annual review and security reporting -- MAINTAIN the authorization -- Milestones from the operate and maintain activities -- CHAPTER 9: REMOVE THE INFORMATION SYSTEM FROM OPERATION -- Required actions when removing an information system from operation -- The removal from operation or decommissioning plan -- Avoiding self-inflicted security issues through effective system removal -- Methods of removing an information system and/or its data from operation -- Data you may not know you have -- Some examples of tools -- CHAPTER 10: AUTHORIZATION PACKAGE AND SUPPORTING EVIDENCE -- The authorization package in detail -- System security plan (SSP) -- Developing the SSP -- A sample table of contents (TOC) for your SSP -- System security plan approval -- The POA&M elements and format -- Column 1: Weakness identifier -- Column 2: Weakness description -- Column 3: Point of contact (POC) -- Column 4: Resources required -- Column 5: Scheduled completion date -- Column 6: Milestones with completion dates -- Column 7: Changes to milestones -- Column 8: Identified in audit or review -- Column 9: Status -- Column 10: Comments -- Column 11: Risk level -- Risk level determination -- Establishing a POA&M process -- Security assessment report (SAR) -- Report structure -- Submitting the SAR -- Certification statement -- Contents of the certification statement.

Supporting evidence for the authorization decision - security control documentation.
Abstract:
Provides an authoritative guide to authorization for persons with knowledge of information systems and/or information systems security, but not necessarily the same level of expertise with certification and accreditation standards and best practices; it points to references for further knowledge. It's scoped to present the information needed to meaningfully recognize, implement, and manage authorization requirements and achieve compliance with federal, local and agency laws and policies.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.