- You'll save an extra 5% on Books purchased from Amazon.ca, now through July 29th. No code necessary, discount applied at checkout. Here's how (restrictions apply)
FISMA Certification and Accreditation Handbook Paperback – Dec 28 2006
|New from||Used from|
There is a newer edition of this item:
Special Offers and Product Promotions
No Kindle device required. Download one of the Free Kindle apps to start reading Kindle books on your smartphone, tablet, and computer.
Getting the download link through email is temporarily not available. Please check back later.
To get the free app, enter your mobile phone number.
About the Author
Laura Taylor leads the technical development of FedRAMP, the U.S. government's initiative to apply the Federal Information Security Management Act to cloud computing. In 2006, Taylor's FISMA Certification and Accreditation Handbook was the first book published on FISMA. Taylor has contributed to four other books on information security and has authored hundreds of articles and white papers on infosec topics for a variety of web publications and magazines. Specializing in assisting federal agencies and private industry comply with computer security laws, Taylor is a thought leader on cyber security compliance. Taylor has led large technology migrations, developed enterprise wide information security programs, and has performed risk assessments and security audits for numerous financial institutions.
Most Helpful Customer Reviews on Amazon.com (beta)
The core of this book is understanding the C&A process. C&A is essentially a giant preparatory paperwork exercise conducted before "game day." When the game is being played (i.e., when .gov systems are being compromised) FISMA demonstrates its irrelevance. Still, it would be nearly impossible to understand FISMA and C&A by looking at agency documentation and applicable laws. The Handbook lays out FISMA and C&A in an easy-to-understand manner, probably sharply reducing the slope of the learning curve for the FISMA and C&A newbie.
One of my favorite aspects of the Handbook is the use of templates. If you need to build a C&A program from (nearly) scratch, or if you want to apply best practices to an existing program, the Handbook's templates and suggested language will be invaluable. The Handbook also includes many tables of examples and checklists that could be dropped right into relevant documents.
I considered giving the Handbook five stars, even though I detest FISMA and C&A. Given the technical errors and oddities I found, I could only offer four stars. The Handbook claims to have been reviewed by a technical editor, but several comments made me question the level of attention paid to technical details. Ch 12 (Performing the Security Tests and Evaluation) features the comment "Many network scanners also scan for open ports" (p 200). I should hope so; otherwise, they might not know what to examine. One of the suggested port scanners is Strobe, which was popular in 1997 (no lie). I really liked this comment on p 207, which I assume is meant to reassure those tasked with C&A: "Don't get bogged down trying to figure out how a port listener differs from a port scanner." If a so-called "security consultant" doing C&A doesn't know the difference, they need to hang it up immediately. The "Suspicious Events That Are Worth Auditing" chart on p 348 really made me laugh. Item "SE 6" says "Invalid IP addresses that are not in the range of acceptable octets, for example: 2184.108.40.206." Are they SERIOUS?
In brief, if you are stuck doing C&A for FISMA, take a look at the Handbook. If you are tasked with doing anything remotely technical regarding FISMA, you won't find help in this book.
If you are interested in INFOSEC/Information Assurance and attempting to understand the voodoo of C&A, this book is a good resource to start your journey !
Look for similar items by category
- Books > Business & Investing
- Books > Computers & Technology > Certification Central
- Books > Computers & Technology > History & Culture > Manager's Guides to Computing
- Books > Computers & Technology > History & Culture > Privacy
- Books > Computers & Technology > Networking & Cloud Computing > Network Administration
- Books > Computers & Technology > Networking & Cloud Computing > Network Security
- Books > Computers & Technology > Web Development > Security & Encryption > Encryption
- Books > Textbooks > Computer Science & Information Systems > Computer Science