Presentation is loading. Please wait.

Presentation is loading. Please wait.

MANAGEMENT of INFORMATION SECURITY, Fifth Edition

Published byElla Nurminen Modified over 4 years ago

Similar presentations

Presentation on theme: "MANAGEMENT of INFORMATION SECURITY, Fifth Edition"— Presentation transcript:

1 MANAGEMENT of INFORMATION SECURITY, Fifth Edition

2 Certification and Accreditation
Management of Information Security, 5th Edition, © Cengage Learning

3 Trends in Certification and Accreditation
In security management, accreditation is the authorization of an IT system to process, store, or transmit information It is issued by a management official and serves as a means of assuring that systems are of adequate quality It also challenges managers and technical staff to find the best methods to assure security, given technical constraints, operational constraints, and mission requirements Management of Information Security, 5th Edition, © Cengage Learning

4 Trends in Certification and Accreditation
Certification is “A comprehensive assessment of a system’s technical and nontechnical protection strategies, as specified by a particular set of requirements” Organizations pursue accreditation or certification to gain a competitive advantage, or to provide assurance or confidence to customers Management of Information Security, 5th Edition, © Cengage Learning

5 Trends in Certification and Accreditation
In 2009, the U.S. government, through NIST, changed the fundamental approach to the C&A of federal information systems, bringing the government into alignment with industry The focus moved from formal C&A activities to a risk-management life cycle approach With the publication of “NIST SP , Rev. 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,” the approach shifted to a process of risk management-based assessment and authorization, much of which was driven by the Federal Information Security Management Act of 2002 (FISMA) Management of Information Security, 5th Edition, © Cengage Learning

6 Management of Information Security, 5th Edition, © Cengage Learning
NIST SP Rev. 1 With the publication of NIST SP , Rev. 1, a common approach to a Risk Management Framework (RMF) for InfoSec practice became the standard for the U.S. government The revised process emphasizes: (i) building InfoSec capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls (ii) maintaining awareness of the security state of information systems on an ongoing basis though enhanced monitoring processes (iii) providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems Management of Information Security, 5th Edition, © Cengage Learning

7 NIST SP Rev. 1 Management of Information Security, 5th Edition, © Cengage Learning

8 NIST SP 800-37 Rev. 1 The RMF steps include:
Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions Implement the security controls and describe how the controls are employed within the information system and its environment of operation Management of Information Security, 5th Edition, © Cengage Learning

9 NIST SP Rev. 1 (cont.) Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials Management of Information Security, 5th Edition, © Cengage Learning

10 Risk management framework
Management of Information Security, 5th Edition, © Cengage Learning

11 Management of Information Security, 5th Edition, © Cengage Learning
NIST SP Rev. 1 Accreditation and certification are not permanent. Just as standards of due diligence and due care require an ongoing maintenance effort, most accreditation and certification processes require reaccreditation or recertification every few years (typically every three to five years) Approaches such as the RMF are designed to follow a continuous-improvement method, ensuring that the organization does not ramp up for a C&A cycle, then relax in the years following, potentially resulting in lapses in security, only to ramp up again prior to the next C&A cycle Management of Information Security, 5th Edition, © Cengage Learning

Download ppt "MANAGEMENT of INFORMATION SECURITY, Fifth Edition"

Similar presentations

Jump to first page NIST 800-30 Risk Management Guide for Information Technology Systems Reference:

Jump to first page NIST Risk Management Guide for Information Technology Systems Reference:
SHIFTING INFORMATION SECURITY LANDSCAPE FROM C&AS TO CONTINUOUS MONITORING ANDREW PATCHAN JD, CISA ASSOCIATE IG FOR IT, FRB LOUIS C. KING, CPA, CISA, CMA,

SHIFTING INFORMATION SECURITY LANDSCAPE FROM C&AS TO CONTINUOUS MONITORING ANDREW PATCHAN JD, CISA ASSOCIATE IG FOR IT, FRB LOUIS C. KING, CPA, CISA, CMA,
CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST.

CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST.
Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.

Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.
NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.

NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.
Near Real Time Risk Management Transforming the Certification and Accreditation Process ISSA-Baltimore Chapter Meeting May 28, 2008 Dr. Ron Ross.

Near Real Time Risk Management Transforming the Certification and Accreditation Process ISSA-Baltimore Chapter Meeting May 28, 2008 Dr. Ron Ross.
Management of Information Security, 4th Edition

Management of Information Security, 4th Edition
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Reactions to Westlake RMF draft PERSONAL comment by Mikey O’Connor.

Reactions to Westlake RMF draft PERSONAL comment by Mikey O’Connor.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Developing Information Security Policy. Why is Developing Good Security Policy Difficult? Effective Security/IA Policy is more than locking doors and.

Developing Information Security Policy. Why is Developing Good Security Policy Difficult? Effective Security/IA Policy is more than locking doors and.
Security Controls – What Works

Security Controls – What Works
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.

NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management
School of Computing, Dublin Institute of Technology.

School of Computing, Dublin Institute of Technology.
Management of Information Security Chapter 06 Security Management Models And Practices Security can only be achieved through constant change, through.

Management of Information Security Chapter 06 Security Management Models And Practices Security can only be achieved through constant change, through.
Security Management Practices

Security Management Practices
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Risk Assessment Frameworks

Risk Assessment Frameworks

Similar presentations

Ads by Google