MODULE 9

CERTIFICATION, ACCREDITATION AND SECURITY ASSESSMENTS

WHY CERTIFICATION, ACCREDITATION, AND SECURITY ASSESSMENTS?
• Certification, accreditation, and security assessments are important activities that support a risk management process and are an integral part of an agency's information security program.
• The process is designed to ensure that an information system operates with the appropriate management review, that security controls are monitored on an ongoing basis, and that reaccreditation occurs periodically.
• Three sources of policy and guidance: OMB Circular A-130, Appendix III (Security of Federal Automated Information Resources); the Federal Information Security Management Act (FISMA); and NIST's Information Technology Laboratory (ITL).
• Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to the system's security requirements.
• By accrediting an information system, an agency official explicitly accepts the risks associated with operating the system and the associated implications for agency operations, agency assets, or individuals.
• Together, certification and accreditation provide a layer of confidence that the system's security controls are adequate and that the residual risk has been explicitly accepted by a responsible official.
SOME GUIDELINES
• Enable more consistent, comparable, and repeatable assessments of security controls in federal information systems.
• Promote a better understanding of agency-related mission risks resulting from the operation of information systems.
• Create more complete, reliable, and trustworthy information for authorizing officials to facilitate more informed security accreditation decisions.
ROLES AND RESPONSIBILITIES

Chief Information Officer: The CIO works closely with authorizing officials and their designated representatives to ensure that an agency-wide security program is implemented effectively, including all aspects of the security certification and accreditation program component.
i. Promulgate cost-effective security practices.
ii. Make available threat and vulnerability assessments, risk assessments, results from common security control assessments, and any other general information that may be of assistance to authorizing officials.
iii. Ensure appropriate allocation of resources for security programs and systems.
iv. Operate as the authorizing official for agency-wide general support systems.
Authorizing Official: A senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to the agency.
• A particular system may require more than one authorizing official. If so, agreements should be established among the authorizing officials and documented in the system security plan.
i. Oversee the budget and business operations of the system.
ii. Approve system security requirements, system security plans, and memorandums of understanding (MOU) and/or memorandums of agreement (MOA).
iii. Make and issue a final or interim decision on granting, conditionally granting, or denying authority to operate the system.
iv. Appoint a designated representative to act on the authorizing official's behalf in coordinating and carrying out the activities required during the security certification and accreditation of a system. The accreditation decision itself, and the signing of the decision, cannot be delegated.
Senior Agency Information Security Officer (SAISO): May serve as the authorizing official's designated representative.
• Serves as the Chief Information Officer's primary liaison to the agency's authorizing officials, information system owners, and Information System Security Officers (ISSOs).

Information Owner: Has statutory or operational authority for specified information and is responsible for establishing the controls for its generation, collection, processing, dissemination, and disposal.
i. Establish rules for appropriate use and protection of the subject information.
ii. Communicate the level of information assurance required for the system to the appropriate system owner.
Information System Owner: Responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
i. Develop and maintain the system security plan.
ii. Ensure the system is deployed and operated according to the agreed-upon security requirements.
iii. Authorize user access to the information system.
iv. Ensure system users and support personnel receive the requisite security training.
v. Inform key agency officials of the need to conduct a security certification and accreditation.
vi. Ensure appropriate resources are available.
vii. Provide necessary system-related documentation to the certification agent.
viii. Take appropriate steps to reduce or eliminate identified system vulnerabilities.
ix. Assemble the security accreditation package (the system security plan, the security assessment report, and the plan of action and milestones) and submit it to the authorizing official.
Information System Security Officer (ISSO): Responsible to the authorizing official, information system owner, or the SAISO for ensuring that the appropriate operational security posture is maintained for an information system or program.
i. Serve as the principal advisor to the authorizing official, information system owner, or Senior Agency Information Security Officer on security matters for the system.
ii. Perform or oversee day-to-day security operations of the system.
iii. Develop or assist in the development of system security policy.
iv. Ensure compliance with system security policy.
v. Manage changes to the system together with the system owner and the information owner.
vi. Assess the security impact of system changes.
vii. Develop and update the system security plan in coordination with the information system owner.
Certification Agent: An individual, group, or organization responsible for conducting a security certification, that is, a comprehensive assessment of the effectiveness of the security controls in an information system. The agent should be independent of the system owner and developers so that the assessment is impartial.
i. Assess the system security plan to ensure it specifies the applicable security controls before the certification process begins.
ii. Perform a comprehensive assessment of the management, operational, and technical controls in the information system.
iii. Recommend corrective actions to reduce or eliminate vulnerabilities.

User Representatives: Responsible for identifying mission/operational requirements and for complying with the security