Module LVIII - Evaluation and
Certification of Information Systems
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Independent Business Continuity Validation and Certification Services Now Available
Source: http://www.prlog.org/

News: Security Concerns in the SaaS Environment
Source: http://www.itworld.com/
Module Objective

This module will familiarize you with:
• Accreditation
• Type Accreditation
• Approval to Operate (ATO)
• System Security Authorization Agreement (SSAA)
• Cost-Benefit Analysis
• Certification Test & Evaluation (CT&E)
• System Security Architecture
• C&A Process for Information Systems

Module Flow

Accreditation, Type Accreditation, Approval to Operate (ATO), System Security Authorization Agreement (SSAA), Cost-Benefit Analysis, Certification Test & Evaluation (CT&E), System Security Architecture, C&A Process for Information Systems
Accreditation

In the certification and accreditation (C&A) of information systems, accreditation is the formal declaration by a Designated Approving Authority (DAA) that an information system is approved to operate in a particular security mode, using a prescribed set of safeguards, at an acceptable level of residual risk
Certification is the technical evaluation that supports that decision: it establishes the extent to which the system meets its stated security requirements
The term is also used more generally for the process by which an organization or laboratory is certified by an accrediting agency as meeting minimum requirements, which attests to its competency, authority, and credibility; such accreditations exist for physical, chemical, forensic, quality, and security standards
Types of accreditation:
• Type accreditation
• Site accreditation

Importance of Accreditation

Accreditation matters because it is the point at which a named official accepts the residual risk of operating the system; it is the output of the risk management process, not a substitute for it
It provides assurance of the quality and security posture of the system and of the organization operating it
It guides managers and technical staff in balancing:
• Effective security controls
• Mission requirements
• Technical constraints
• Operational constraints
• Cost/schedule constraints
Type Accreditation

Type accreditation may be issued by the Designated Approving Authority (DAA) for a defined operating environment
It is used to accredit multiple instances of an application or system to operate at approved locations that share the same type of computing environment, so that each instance need not be accredited separately
The type accreditation must contain a statement of residual risk and a clearly defined operating environment for the application or system
It must also identify the intended uses and the operational procedures of the application or system
Security Test and Evaluation (ST&E) should take place at a central integration facility to support the accreditation of the application or system

Type Accreditation (cont'd) (diagram slide, no text)

Site Accreditation

A site accreditation covers a specific system at a specific site and includes the site-specific security and protection methods
It contains the same information as a type accreditation, plus the usage and protection features of the system as installed at that site
It documents:
• Access policies
• Protection methods for securing sensitive data
• Physical security measures
Significance of NSTISSP

NSTISSP No. 11 is the national security community policy governing the acquisition of information assurance (IA) and IA-enabled information technology products for use on national security systems
The policy was issued by the Chairman of the National Security Telecommunications and Information Systems Security Committee (NSTISSC), the body later renamed the Committee on National Security Systems (CNSS)
It requires that such products be evaluated and validated against recognised standards (Common Criteria evaluation under NIAP, or FIPS 140 validation for cryptographic modules), so that their design, quality, and performance in protecting the confidentiality of data and authenticating the identities of the individuals or organizations exchanging sensitive information are independently confirmed
Only products whose security claims have been validated in this way are the IA products the policy permits, which gives the acquiring organization confidence that the product is responsive to the security needs of its intended users
Approval to Operate (ATO)

Approval to operate (ATO) is the official permission granted by the Designated Approving Authority (DAA) to operate an automated information system (AIS) or network in a particular security mode
Before granting it, the DAA reviews the accreditation statement to confirm that the residual risk is within acceptable limits
The DAA also confirms, from the reports of the Information System Security Officers (ISSOs), that each AIS meets its security requirements
Responsibilities on the way to an ATO (the ISSO prepares and verifies, the DAA decides and signs):
• Establishing and managing security for the systems operated by agency, contractor, and command personnel
• Assigning the classification levels required for applications operated in the network environment
• Verifying the accreditation plan, after which the DAA signs the accreditation statement for the network and the AIS
• Verifying the documentation of the AIS security requirements defined in the AIS network security program

Approval to Operate Form (screenshot slide, no text)
Interim Approval to Operate (IATO)

An IATO grants temporary authorization to process information and operate an Automated Information System (AIS) under defined conditions
It is issued by the DAA and is generally granted for no more than one year
It allows the AIS to operate while outstanding deficiencies are corrected, on the condition that the system reaches an acceptable level of risk within the interim period; it is not a substitute for full accreditation
An IATO states:
• The security mode of operation
• The technical and non-technical protection measures required against a defined threat
• How the operational environment is to be secured
• The short- and long-term goals to be met before full accreditation
• The permitted connections to other AISs or networks

Interim Approval to Operate (cont'd)

The interim approval letter contains:
• The organization's letterhead and the date of signature
• The specified security mode of operation and the data sensitivity or classification level
• The defined security safeguards
• The system/operational applications
• A defined threat and the stated vulnerabilities
• The stated interconnections to other systems
• A statement of acceptance of risk for the system
• A specified period of time
• A specified suite of hardware and software
• A specified operational environment
• The signature and signature block of the DAA

Sample IATO Letter (screenshot slide, no text)
System Security Authorization Agreement (SSAA)

An SSAA is the information security document used in the United States Department of Defense (DoD) to describe, certify, and accredit a network or system; it records the agreement reached between the DAA, the certification authority, the program manager, and the user representative
The SSAA is the core document of the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP)
DoD Instruction 5200.40 established DITSCAP, and its application manual, DoD 8510.1-M, provides the outline for the SSAA document
DITSCAP was replaced by DIACAP in 2007 and later by the DoD Risk Management Framework (DoDI 8510.01), so the SSAA is now met mainly in legacy systems and in the literature
Contents of SSAA

The SSAA is divided into six sections:
• Mission Description and System Identification
• Environment Description
• System Architectural Description
• System Security Requirements
• Organizations and Resources
• DITSCAP Plan

Contents of SSAA (cont'd)

Mission Description and System Identification:
• System name and identification
• System description
• Functional description
• System capabilities
• System criticality
• Classification and sensitivity of data processed
• System user description and clearance levels
• Life cycle of the system
• System CONOPS summary

Environment Description:
• Operating environment
• Facility description
• Physical security
• Administrative issues
• Personnel
• COMSEC
• TEMPEST
• Maintenance procedures
• Training plans
• Software development and maintenance environment
• Threat description

Contents of SSAA (cont'd)

System Architectural Description:
• System architecture description
• System interfaces and external connections
• Data flow
• Accreditation boundary

System Security Requirements:
• National and DoD security requirements
• Governing security requisites
• Data security requirements
• Security CONOPS
• Network connection rules
• Configuration management requirements
• Reaccreditation requirements

Contents of SSAA (cont'd)

Organizations and Resources:
• Organizations
• Resources
• Training
• Other supporting organizations

DITSCAP Plan:
• Tailoring factors
• Programmatic considerations
• Security environment
• Information system characteristics
• Reuse of previously approved solutions
• Tasks and milestones
• Schedule summary
• Level of effort
• Roles and responsibilities
Justification for Waiver

A waiver is justified in the following situations:
• An employee of one organization serves another organization as an assigned official duty, and the integrity of the services would otherwise be affected
• An employee discloses official matters outside the organization
• An employee is not involved in any grants, contracts, or other financial matters of the organization
• An employee is involved in problematic matters such as funding, regulatory, or investigatory matters affecting the financial interests of the organization

Cost-Benefit Analysis

Cost-benefit analysis is a decision-making process that originated in public finance
It is used to determine which alternative is expected to provide the best return on a proposed investment
It suits businesses as well as not-for-profit entities and governmental units
A business might use it to decide whether additional funds should be invested in a facility in the home country or abroad; a federal agency might use it to decide which of several projects is expected to be most used by the citizens it serves
In C&A it is applied to security controls: the cost of a control (purchase, operation, and the constraints it imposes on the mission) is weighed against the reduction in expected loss it brings, and the DAA formally accepts the residual risk that remains
Information Classification

Classification of information is the basis for protecting it from leakage: the controls applied to information follow from its class
Information is classified according to its sensitivity and its importance to the organization
A typical scheme distinguishes:
• Restricted
• Sensitive
• Operational
• Unrestricted

Importance of Information Classification

Classification helps protect important and confidential information from leakage
It helps prevent unauthorized access to the information, because access rules can be tied to the class rather than decided case by case
It makes the sensitivity of the information clear to everyone who handles it
It also indicates when and how the information may be used and shared
Investigative Authorities

Roles and responsibilities of investigative authorities include ensuring that:
• The proper investigative channels are used, according to the appropriate expertise and jurisdiction
• Appropriate resources and expertise are brought to bear for a timely and thorough review of reports
• Communication occurs across investigative channels whenever necessary, so that matters receive coordinated and comprehensive attention
• Steps are taken to monitor the significant elements and the progress of investigations
• Timely advice is provided on the corrective and remedial action that may be needed to address investigative findings
Key Management Infrastructure

The IEEE P1619.3 draft from the Security in Storage Working Group (SISWG) was intended to make it easier to manage the keys used to encrypt data in storage
The draft abstracts the components of a cryptographic system into a key-management server, a key-management client, and a cryptographic unit
The key-management server creates and distributes keys together with the policies that govern their use
Key-management clients obtain keys and policies from a key-management server on behalf of a cryptographic unit
The actual encryption and decryption operations with those keys are performed in the cryptographic unit, not in the client
The P1619.3 draft was never completed as a standard; the role it describes is filled in practice by the OASIS KMIP protocol, which uses the same server/client/cryptographic-object model
Key Management Infrastructure (cont'd)

Diagram: key management servers distribute keys and policies to key management clients, which in turn serve the cryptographic units
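The three components on the two slides above, modelled as an added example in Python. This is illustrative code written for this page, not the IEEE draft, KMIP, or any vendor's product: the policy fields (allowed units, allowed operations, expiry), the key identifier, the message flow between the components and the HMAC-based cipher inside the cryptographic unit are all assumptions, chosen so that the example runs on the standard library. A real deployment would use an AEAD such as AES-GCM in the cryptographic unit and an authenticated transport between the components; what the example shows is the division of labour the slide describes: the server decides whether a key may be released, the client only brokers it, and only the unit ever uses it.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPolicy:
    """Policy shipped with a key; the three fields are illustrative assumptions."""
    allowed_units: frozenset   # cryptographic unit ids that may receive the key
    allowed_ops: frozenset     # subset of {"encrypt", "decrypt"}
    not_after: float           # UNIX time after which the key is no longer released


class KeyManagementServer:
    """Creates keys and their policies; releases a key only when policy permits."""
    def __init__(self):
        self._keys = {}  # key_id -> (key material, KeyPolicy)

    def create_key(self, key_id, policy):
        self._keys[key_id] = (os.urandom(32), policy)

    def get_key(self, key_id, unit_id, now):
        key, policy = self._keys[key_id]
        if unit_id not in policy.allowed_units:
            raise PermissionError(f"{unit_id} is not authorised for {key_id}")
        if now > policy.not_after:
            raise PermissionError(f"{key_id} has expired")
        return key, policy


class KeyManagementClient:
    """Fetches key and policy on behalf of a unit; never performs cryptography."""
    def __init__(self, server):
        self._server = server

    def provision(self, unit, key_id, now):
        key, policy = self._server.get_key(key_id, unit.unit_id, now)
        unit.load_key(key_id, key, policy)


class CryptographicUnit:
    """Performs the actual encryption/decryption under each key's policy. HMAC-SHA256
    in counter mode with an encrypt-then-MAC tag stands in for a real AEAD (AES-GCM)
    only so that the example needs nothing outside the standard library."""
    def __init__(self, unit_id):
        self.unit_id = unit_id
        self._keys = {}

    def load_key(self, key_id, key, policy):
        enc = hmac.new(key, b"enc", hashlib.sha256).digest()  # separate enc and MAC keys
        mac = hmac.new(key, b"mac", hashlib.sha256).digest()
        self._keys[key_id] = (enc, mac, policy)

    @staticmethod
    def _keystream(enc, nonce, length):
        return b"".join(hmac.new(enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                        for i in range((length + 31) // 32))[:length]

    def encrypt(self, key_id, plaintext):
        enc, mac, policy = self._keys[key_id]
        if "encrypt" not in policy.allowed_ops:
            raise PermissionError("policy forbids encrypt")
        nonce = os.urandom(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(enc, nonce, len(plaintext))))
        return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

    def decrypt(self, key_id, blob):
        enc, mac, policy = self._keys[key_id]
        if "decrypt" not in policy.allowed_ops:
            raise PermissionError("policy forbids decrypt")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("authentication failed: ciphertext was modified")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(enc, nonce, len(ct))))


def _raises(exc, fn, *args):
    """True if calling fn(*args) raises exc (used to probe the policy checks)."""
    try:
        fn(*args)
        return False
    except exc:
        return True


def demo(now=1_700_000_000.0):
    """Provision one unit, use the key, and probe each policy check; returns a dict."""
    server = KeyManagementServer()
    server.create_key("storage-key-1", KeyPolicy(frozenset({"unit-A"}), frozenset({"encrypt", "decrypt"}), now + 86400))
    client = KeyManagementClient(server)
    unit_a, unit_b = CryptographicUnit("unit-A"), CryptographicUnit("unit-B")
    client.provision(unit_a, "storage-key-1", now)
    blob = unit_a.encrypt("storage-key-1", b"constructed sample record")   # constructed input
    tampered = blob[:16] + bytes([blob[16] ^ 1]) + blob[17:]               # flip one ciphertext bit
    return {
        "roundtrip": unit_a.decrypt("storage-key-1", blob) == b"constructed sample record",
        "tamper_detected": _raises(ValueError, unit_a.decrypt, "storage-key-1", tampered),
        "unauthorised_unit_denied": _raises(PermissionError, client.provision, unit_b, "storage-key-1", now),
        "expired_key_denied": _raises(PermissionError, client.provision, unit_a, "storage-key-1", now + 2 * 86400),
    }
```

Running demo() returns all four checks as True: the round trip works, a modified ciphertext is rejected by the tag, a unit outside allowed_units is refused the key, and the same unit is refused once not_after has passed. Note that denial happens at the server when the client asks, which is the point of having the server own the policy.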
Information Marking

Information marking is the labelling of information with the classification assigned to it (and any handling caveats), so that the sensitivity determined by classification is visible to everyone who handles the information
Marking separates sensitive information from non-critical information at a glance and helps determine the appropriate controls for it
It also helps decide who may access the information, according to the designation and authority of the user

Certification Test & Evaluation (CT&E)

CT&E is the software and hardware security testing conducted during the development of the information system, in a non-operational (laboratory or integration) environment
It is distinct from Security Test and Evaluation (ST&E), which tests the integrated system in its intended operational environment during the validation phase
Penetration testing is conducted as part of it to test the security of the information system against realistic attack
It is a complex test process that follows the standards and guidelines provided by the accredited certification bodies, and its results feed the certification statement on which the accreditation decision rests

Certification Tools

Certification tools provide assistance at different stages of the certification process
Tools can be compared along several dimensions: the certification stages they support, the industry sectors they target, and their features
They support the system analysis, system implementation, system review, and maintenance stages
Some are targeted specifically at the manufacturing sector or the general business sector, others at assessment activities or at documentation
No single tool covers all activities of the certification process
Product Assurance

Product assurance is the management function that verifies that a product meets the customer's requirements, including its security requirements
Under the Common Criteria, assurance for a product is obtained by evaluating it against a protection profile and its security target
All the claims in the security target are tested to provide product assurance
Characteristics of product assurance:
• All critical activities are identified
• The required resources are made available for each activity
• All resources are applied efficiently and effectively

Protection Profiles

A Protection Profile (PP) is an implementation-independent specification of information assurance security requirements, defined under the Common Criteria (ISO/IEC 15408) for a class of products
It provides a complete combination of security objectives, security-related functional requirements, information assurance requirements, assumptions, and rationale
It states a security problem rigorously for a given collection of systems or products
It specifies the security requirements that address that problem without dictating how those requirements will be implemented

Security Targets

A Security Target (ST) is the statement of information assurance security requirements for one specific information system product, the Target of Evaluation (TOE)
It is a complete and rigorous description of a security problem in terms of the TOE description, threats, assumptions, security objectives, security functional requirements (SFRs), security assurance requirements (SARs), and rationale
Unlike a protection profile it contains implementation-specific information that demonstrates how the product addresses the security requirements
It may claim conformance to one or more protection profiles
Contracting for Security Services

Guidelines for contracting security services:
• Lay down clear written policies and procedures governing the procurement of contract security services
• Cover in the procedures the methods to be used in obtaining these services
• Ensure the procurement process is fair and transparent so that all eligible contractors can compete (e.g. competitive tendering)
• Regularly review and update these procurement policies and procedures
Disposition of Classified Material

The destruction method is chosen according to the media type and its data storage mechanism:
• Non-volatile magnetic (hard disk drives): pattern wiping, incineration, and physical destruction
• Write-once optical (CD-ROM and DVD-R): abrasion, incineration, and physical destruction
• Write-many optical (CD-RW and DVD-RW): abrasion, incineration, and physical destruction
• Solid-state: pattern wiping and physical destruction; note that overwriting cannot be trusted to reach every flash block, because wear levelling and spare blocks keep copies the host cannot address, so for sensitive data prefer the drive's cryptographic or block erase, or physical destruction
• Paper-based: shredding, incineration

Optical Remanence

Optical remanence is the residue of information that remains on optical storage media after the data has been deleted; deleting a file or a session does not remove the recorded pits
Physical destruction is the way to fully erase the information stored on CD-ROM, CD-R, and DVD-R
Shredders designed for optical media are an inexpensive and convenient means of disposing of it

Magnetic Remanence

Magnetic remanence is the residual magnetic representation of information that remains on hard drives, floppy disks, or magnetic tapes after the data has been deleted or overwritten
Some residue of the information remains on hard drives and floppy disks even after the removal of the data, so deletion alone is not sanitization
It is addressed with a degausser, which applies a strong magnetic field that destroys the recorded data
Degaussing also destroys the servo tracks of a modern hard drive, so a degaussed drive cannot be reused; where media must be reused, overwriting (pattern wiping) with verification is the alternative
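The pattern-wiping entry in the disposition table and the remanence discussion above, as an added example written for this page (not from the module): overwrite a file with several passes, force each pass through the operating system cache, and read the file back to verify the final pass. The pass sequence (random, 0xFF, 0x00), the chunk size and the sample marker are assumptions, not a cited standard; the caveats in the docstring are what a practitioner needs before trusting the result.

```python
import os
import tempfile

# Pass sequence assumed for illustration: random, all-ones, then all-zeros, so
# that the final pass can be verified against a known value.
PASSES = (None, b"\xff", b"\x00")


def pattern_wipe(path, passes=PASSES, chunk=1 << 16):
    """Overwrite every byte of the file at `path` once per pass, fsync after
    each pass, then read the file back and confirm the last (fixed) pattern is
    what the file system now returns.  Returns a dict with bytes, passes, verified.

    Caveats: overwriting reaches only the logical blocks the file system maps
    to this file.  Remapped bad sectors, journal or snapshot copies, and the
    spare blocks behind flash wear levelling are not touched, so for
    solid-state media rely on the drive's cryptographic or block erase, or on
    physical destruction, rather than on pattern wiping alone.
    """
    last = passes[-1]
    if last is None:
        raise ValueError("final pass must be a fixed pattern so it can be verified")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:                 # r+b: overwrite in place, no truncation
        for pat in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if pat is None else pat * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())                 # push this pass through the OS cache
        f.seek(0)
        verified = True
        while True:
            block = f.read(chunk)
            if not block:
                break
            if block != last * len(block):       # final pass did not reach this block
                verified = False
                break
    return {"bytes": size, "passes": len(passes), "verified": verified}


def demo():
    """Constructed sample: a temp file holding a recognisable marker, wiped and checked."""
    marker = b"CLASSIFIED-MARKER-" * 64          # 1152 bytes, constructed for the demo
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker)
    with open(path, "rb") as f:
        before = marker[:18] in f.read()
    result = pattern_wipe(path)
    with open(path, "rb") as f:
        after = marker[:18] in f.read()
    os.remove(path)                              # unlink only after the wipe; unlinking alone leaves the data
    return {**result, "marker_before": before, "marker_after": after}
```

demo() reports marker_before True and marker_after False with verified True: the marker was on disk, is no longer readable through the file system, and the final pass was confirmed by reading back. The verification step is what distinguishes a wipe from a hope; a failed verification (for instance a block the device refused to rewrite) is the signal to escalate to degaussing or destruction.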
Facilities Planning

Facility planning is important for the smooth functioning of the organization, and the security requirements of a system (physical access, power, environmental controls) should be decided during it rather than retrofitted
Steps in facility planning:
• Problem definition
• Analysis and synthesis
• Alternatives
• Evaluation
• Selection
• Implementation
Facility planning should be:
• Flexible and open-ended
• Attentive to the needs of the users
• Affordable

Importance of Facilities Planning

Facilities planning helps to minimize overall production time
It makes effective use of space, people, equipment, and energy
It facilitates ease of maintenance
System Disposition/Reutilization

The steps for system disposition or reutilization are as follows:
• Develop a system disposition plan:
  • Verify that the software and applications have not been compromised
  • Archive or transfer data, software components, and life cycle documentation and artifacts
• Dispose of the equipment:
  • Ensure that the equipment is disposed of in accordance with the system's disposition plan, including sanitization of its storage media
  • Recycle any equipment that can be used elsewhere in the organization
• Conduct a disposition review:
  • Document the lessons learned from the shutdown and archiving of the terminated system
Improper system disposition can disrupt routine system operations and can leak residual data from media that were not sanitized

Life Cycle System Security Planning

The steps for life cycle system security planning are as follows:
• Appraise the life cycle system security planning proposed by the development team
• Assist with the information security planning for life cycle system security
• Explain life cycle system security planning to the development team
• Influence the development team's approach to life cycle system security planning
• Verify that the life cycle system security planning has been accomplished
It is important because the plan is reviewed throughout the life cycle to find deficiencies in the existing security plan before they reach operation

System Security Architecture

The security architecture is a view of the overall system architecture from a security perspective
It should be established as an integral part of the system's architecture, not added afterwards
It consists of those attributes of the architecture that deal with protecting or safeguarding the operational assets
It includes the network architecture and the physical connectivity architecture
It focuses on:
• System security services and high-level mechanisms
• Allocation of security-related functionality to components
• Identified interdependencies among security-related components, services, mechanisms, and technologies
C&A Process for the Information System

The DITSCAP process has four phases:
• Phase I, Definition: documents the mission, environment, and security requirements, assigns responsibilities, and negotiates agreement among the stakeholders; the result is the initial SSAA
• Phase II, Verification: refines the SSAA as the system is developed or integrated, and performs certification analysis of the evolving system
• Phase III, Validation (Certification and Accreditation): analyzes the findings of the vulnerability assessment and certification tests of the integrated system; the certification authority issues the certification statement and the DAA makes the accreditation decision
• Phase IV, Post Accreditation: maintains the SSAA and monitors system operations and configuration changes to confirm that the accredited security posture is preserved until reaccreditation

C&A Life Cycle (diagram slide, no text)
Responsibilities Associated with Accreditation

The C&A process is intended to ensure that the information system meets its security requirements and keeps its accredited security posture throughout its life, through periodic recertification and reaccreditation
Information assurance (IA) security controls are the management, operational, and technical protections applied to an information system to achieve the required level of confidentiality, integrity, and availability against the threats and vulnerabilities identified by risk assessment
The C&A process identifies the security requirements and provides the process for selecting and testing the IA security controls that satisfy them
Roles Associated with Certification

• Chief Information Officer: agency official responsible for designating a senior agency information security officer
• Authorizing Official: senior management official responsible for authorizing operation of an information system at an acceptable level of risk to agency operations, agency assets, or individuals
• Authorizing Official's Designated Representative: responsible for coordinating and carrying out the necessary activities during the security certification and accreditation of an information system
• Senior Agency Information Security Officer: agency official responsible for carrying out the Chief Information Officer's responsibilities under FISMA
• User Representatives: represent the operational interests of the user community and serve as liaisons for that community throughout the system development life cycle of the information system

Roles Associated with Certification (cont'd)

• Information System Owner: responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system
• Information Owner: holds statutory or operational authority for specified information and is responsible for establishing the controls for its generation, collection, processing, and dissemination
• Information System Security Officer: responsible to the authorizing official and the information system owner for ensuring that the appropriate operational security posture is maintained for an information system
• Certification Agent: responsible for conducting the security certification, a comprehensive assessment of the management, operational, and technical security controls in an information system
Information Ownership

Information ownership is the responsibility for protecting a body of confidential data
The owner decides which group of people may view the confidential information
It provides the following types of protection:
• Confidentiality: only authorized persons are allowed to view the document
• Integrity: only appropriate persons can change the content of the document
• Availability: the information is available when it is needed

Summary

• Accreditation is the formal declaration by a Designated Approving Authority (DAA) that an information system may operate at an acceptable level of residual risk; more generally, it is the process of being certified as meeting the minimum requirements set by an accrediting agency
• Type accreditation may be issued by the DAA for a defined operating environment and covers multiple instances of a system or application
• NSTISSP No. 11 is the national security community policy governing the acquisition of information assurance (IA) and IA-enabled information technology products
• An IATO grants temporary authorization to process information and operate an Automated Information System (AIS) under defined conditions
• The SSAA is the core document of the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP)
• CT&E is the software and hardware security testing conducted during the development of the information system