Risk Management Framework
A Lab-Based Approach to Securing Information Systems
James Broad
Aaron (AJ) Mitchneck, Technical Editor
Copyright
Acquiring Editor: Chris Katsaropoulos
Development Editor: Heather Scherer
Project Manager: Malathi Samayan
Designer: Matthew Limbert
Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
Copyright 2013 Elsevier, Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Broad, James.
Risk management framework : a lab-based approach to securing information systems / James Broad.
pages cm
Includes bibliographical references and index.
ISBN 978-1-59749-995-8 (alkaline paper) 1. Computer security--Government policy--United States. 2. Information technology--Security measures--United States. 3. Electronic government information--Security measures--United States. 4. Risk management--Government policy--United States. 5. Information technology--United States--Management. I. Title.
QA76.9.A25B72 2013
005.8--dc23
2013016641
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.
ISBN: 978-1-59749-995-8
Printed in the United States of America
For information on all Syngress publications, visit our website at www.syngress.com
Dedication
This book is dedicated to my family.
To my wife, Dee, and my children, Mike and Temara, thank you for your endless support while I spent too many sunny days in front of a computer.
To my sisters, Mary, Teresa, and Lisa, thank you for helping me become the person I am today.
To my father, thank you for showing me anything is possible.
Loaded logging trucks always have the right of way.
Ed Broad
Acknowledgments
I would like to thank many people who contributed to the writing and publishing of this book.
To Heather and all of the staff at Syngress, thank you for your patience as this first-time author shifted the delivery dates of his book all over the calendar. Your help and guidance have been truly monumental. I have learned so much from all of you throughout this process.
To Dr. Ron Ross and the staff of the National Institute of Standards and Technology (NIST), the Joint Transformation Task Force, and the Committee on National Security Systems (CNSS), thank you for providing such extensive documentation on this subject. Your publications provided the foundation for this book, and in many instances I have quoted from them. Your devotion to information security and information assurance is remarkable.
To Steven Rodrigo, thank you for all the knowledge you have shared with me. Short conversations over coffee and in the hallways have enlightened and informed me more than you will ever know. Your insights on the topics in this book are remarkable. Keep up the good fight.
To those in my past who set me on the path I am on today, thank you all. Of special note are Charles Parker, an Army executive officer who took a young combat arms NCO off the line and put him in front of a computer, and Derrol Trippet, Deputy Director for Information Management, who set me on a full-time information assurance/security career. Thank you both for giving me a chance.
Thank you to the CAT team. You know who you are, and I could not think of a better group to work with.
About the Author
James Broad (CISSP, C|EH, CPTS, Security+, MBA) is the President and owner of Cyber-Recon, LLC, where he and his team of consultants specialize in Information Security, Information Assurance, Certification and Accreditation, and offer other security consultancy services to corporate and government clients. As a security professional with over 20 years of real-world IT experience, James is an expert in many areas of IT security, specializing in security engineering, penetration testing, vulnerability analysis, and research. He has provided security services in the nation's most critical sectors, including defense, law enforcement, intelligence, finance, and healthcare.
Technical Editor
Aaron (AJ) Mitchneck (Security+, C|EH, MCT, MCP, CSM) works as a Structured Query Language database administrator (SQL DBA) and Internet technology (IT) security engineer. He is currently contracted in Sierra Vista, Arizona, helping to develop and maintain security policies and standards and ensuring compliance throughout the organization.
As an IT and security professional for more than fifteen years, AJ has experience in security engineering and penetration testing, as well as standards and compliance for the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the Risk Management Framework (RMF).
Companion Website
This book has companion material, including all of the referenced materials, extended exercises for each chapter, templates and examples of the RMF documents, as well as updates to the book. Please visit www.cyber-recon.com to register and download the files.
Chapter 1
Introduction
Information in this Chapter:
Book overview and key learning points
Book audience
Introduction to the risk management framework (RMF)
How this book is organized
Book Overview and Key Learning Points
This book's goal is to provide a basic understanding of the Risk Management Framework (RMF) as it pertains to the systems development life cycle (SDLC) of federal IT systems and to provide guidance on how to use this understanding during the development, assessment, and continuous monitoring of those systems. The book discusses the RMF process in terms of its six phases, which allows the reader to develop a full understanding of how each phase influences and leads to the next. This framework provides a structured process that allows organizations to comply with a number of laws, regulations, and policies, including the Federal Information Security Management Act (FISMA).