Information Security Management Beyond Certification and Accreditation


Executive Summary

Traditional information security approaches rely too heavily on system Certification & Accreditation (C&A) to ensure that a system is sufficiently secure. Such approaches inadequately address security during acquisition and/or development, which increases the risk that the system contains inherent computer vulnerabilities and exposures. Those weaknesses may in turn lead to the inappropriate issuance of an Authority To Operate (ATO), whether through unintentional oversight of problems or through pressure to deploy despite recognized residual risks. In certain instances, testing by an independent authority may mitigate some of these risks; however, such testing is often undertaken near the end of the development/acquisition cycle, when defects are most expensive to correct.

  • Format: PDF
  • Size: 449.28 KB