Information Security Management Beyond Certification and Accreditation

Date Added: Feb 2013
Format: PDF

Traditional information security approaches rely too heavily on system Certification & Accreditation (C&A) to ensure that a system is sufficiently secure. Such approaches inadequately address security during acquisition and/or development, which increases the risk that the system contains inherent computer vulnerabilities and exposures. These may lead to the inappropriate issuance of an Authority To Operate (ATO), whether through unintentional oversight of problems or through pressure to deploy despite recognized residual risks. In certain instances, testing by an independent authority may mitigate some of the risks; however, such testing is often undertaken near the end of the development/acquisition cycle.