No system or architecture will ever be completely secure; there will always be a certain level of residual risk. Security professionals must understand this risk and either accept it, mitigate it, or transfer it to a third party. All the documentation and guidelines already discussed dealt with ways to measure and assess risk. These can be a big help in ensuring that the implemented systems meet our requirements. However, before we begin to use the systems, we must complete two additional steps.
U.S. federal agencies are required by law to have their IT systems and infrastructures certified and accredited. Although you shouldn’t expect to see this information on the exam, it is worth knowing if you plan to interact with any agencies that require their use. Depending on the agency, one of the following methodologies is typically used:
- Defense Information Technology Systems Certification and Accreditation Process (DITSCAP)– Typically used for defense agencies, but can be used by civilian firms
- National Information Assurance Certification and Accreditation Process (NIACAP)– A certification process developed by the National Security Telecommunications and Information System Security Instruction
- National Institute of Standards and Technology (NIST)– A certification process that is based on Special Publication 800-37 and can be used by government and civilian industries
All of these methodologies look at much more than a standard penetration test. In reality, they are more like an audit. They must validate that the systems are implemented, configured, and operating as expected and that they meet all security policies and procedures.
Certification and Accreditation
Certification is the process of validating that systems we implement are configured and operating as expected. It also validates that the systems are connected to and communicate with other systems in a secure and controlled manner, and that they handle data in a secure and approved manner. The certification process is a technical evaluation of the system that can be carried out by independent security teams or by the existing staff. Its goal is to uncover any vulnerabilities or weaknesses in the implementation.
The results of the certification process are reported to the organization’s management for mediation and approval. If management agrees with the findings of the certification, the report is formally approved. This formal approval of the certification is the accreditation process. Management usually issues it as a formal written statement that the certified system is approved for use as specified in the certification documentation. If changes are made to the system, if it is reconfigured, or if there are other changes in the environment, the certification and accreditation process must be repeated. The entire process is also repeated periodically, at intervals that depend on the industry and the regulations the organization must comply with. As an example, Section 404 of Sarbanes-Oxley requires an annual evaluation of internal systems that deal with financial controls and reporting.
**Source by wikipedia**