BKFISMAC.RVW   20070113

"FISMA Certification and Accreditation Handbook", Laura Taylor, 2007,
1-59749-116-0, U$69.95/C$90.95
%A   Laura Taylor
%C   800 Hingham Street, Rockland, MA   02370
%D   2007
%G   1-59749-116-0 978-1-59749-116-7
%I   Syngress Media, Inc.
%O   U$69.95/C$90.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O   http://www.amazon.com/exec/obidos/ASIN/1597491160/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/1597491160/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491160/robsladesin03-20
%O   Audience a- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   498 p.
%T   "FISMA Certification and Accreditation Handbook"

The United States' Federal Information Security Management Act (FISMA) mandates certain standards of information security and controls for US federal agencies. It extends to contractors and other parties that support the assets of federal government departments. It may have wider application yet, however, since it provides a solid basis for security management, assessment, and assurance for large corporations as well.

Chapter one looks at definitions of various terms surrounding security and controls. It is interesting to note that, to the usual certification (assessment) and accreditation (acceptance) phases, the feds add an audit/evaluation phase between the two. The National Information Assurance Certification and Accreditation Process (NIACAP), the National Institute of Standards and Technology (NIST) outline, the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP), and Director of Central Intelligence Directive 6/3 (DCID 6/3), all of them guidance on how to carry out certification and accreditation under FISMA, are briefly compared in chapter two. A list of job descriptions and a brief outline of general project management steps make up chapter three. Chapter four examines the components of a certification and accreditation program, mostly in terms of documentation. Chapter five returns to project management, with a quick look at the initiation phase.
An even shorter mention of creating a hardware and software inventory is in chapter six. Chapter seven is nominally about determining the proper level of certification (which is, again, primarily related to the number of documents produced), but turns into an interesting and valuable outline of information classification. Much of chapter eight, on self-assessment, is a reprinting of the NIST Special Publication 800-26 guideline on that topic. Security awareness and training is touched on briefly in chapter nine. Chapter ten, on rules of behaviour, is a terse mix of acceptable use and incident response, but it leads rather nicely into the longer examination of incident response in chapter eleven. Chapter twelve lists various types of assessment tools, such as vulnerability scanners and code analyzers.

I found the privacy impact assessment, in chapter thirteen, to be an interesting perspective. Chapter fourteen's material on business risk assessment is concise but reasonable. Business impact assessment, in chapter fifteen, is not quite as good, since it neglects the analysis of the criticality of operations. Contingency planning is outlined well in chapter sixteen. Chapter seventeen takes a brief look at risk assessment, but manages to hit all the high points. Change management is reviewed in chapter eighteen. An overview system security plan document is described in chapter nineteen. The certification package is detailed from the perspective of those submitting it (in chapter twenty) and those evaluating or auditing it (chapter twenty-one). Preparation of a plan to correct residual weaknesses is addressed in chapter twenty-two. Chapter twenty-three looks at improving the standings and grading on a Federal Computer Security Report Card.

There is much that is useful and helpful in this book, both in terms of general information security management structure and process, and in terms of references for those involved with FISMA-related programs.
However, for those who are new to the operation of US government certification and accreditation, the basic requirements, and the relation of the ancillary programs to FISMA itself, could have been more fully explained.

copyright Robert M. Slade, 2007