Certification and Accreditation Policy

Version: 1.00
Issue Date: 1/13/2015

This Certification and Accreditation Policy specifies when and how servers will be certified and accredited.

1.0 Overview

This Certification and Accreditation Policy will help ensure that servers are properly secure and the business managers realize the risks associated with new and existing projects.

2.0 Purpose

This Certification and Accreditation Policy is intended to ensure the proper and secure operation of servers and to ensure that the business need is being met. It will also ensure that the business managers are aware of associated risks. Certification and Accreditation is especially important when addressing systems with high security needs.

3.0 Scope

This Certification and Accreditation Policy applies to all servers operated by the organization or used to support any business function of the organization. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Definitions

  • Security Certification - A complete evaluation of an information system to determine its technical and non-technical security features and to evaluate its effectiveness in meeting the security requirements based on business need. The certification is done to acquire the information required to make a decision about whether the system can be accredited. Therefore a certification is an overall assessment of a system to determine whether the controls and design are sufficient, with appropriate working safeguards, to protect the system and any associated data. The certification should discover any vulnerabilities.
  • Security Accreditation - A management decision based on the information produced by a certification. The certification is the evaluation of the system. Accreditation is a management decision to allow the system to operate in its current state. The decision is based on an acceptable level of risk in the specific environment with the approved controls evaluated by the certification.

5.0 Certification/Accreditation Competencies

This section discusses internal and external certification and accreditation skills that must be available.

  • Personnel policies must support the acquisition and development of skills in the organization that can be used for certification and accreditation tasks.
  • Adequate training plans must be developed and implemented to ensure the proper skill set to perform certifications and accreditations is developed and maintained.
  • Management must select internal staff who can perform certifications and accreditation procedures based on their skills.
  • Management must ensure that certification/accreditation staff are properly trained and understand computer security along with internal controls, threats, and vulnerabilities.
  • Adequate resources such as staff members with appropriate skills must exist to provide certification assurance in a timely manner with proper depth of evaluation including appropriate analysis with a risk based approach and proper documentation.
  • If internal resources are not sufficient to perform certification activities in a timely manner, external resources should be used.
  • If external certification and accreditation teams are used, competencies are checked by contract and must be confirmed prior to acceptance of the contract.
  • If an external organization is used to perform certifications and accreditations, the scope of the work must be defined by contract prior to the start of work. Additionally, confidentiality must be assured and required by contract. Liability concerns about errors must also be addressed by contract.
  • If an external organization is used to perform certifications and accreditations and a formal certificate is to be acquired, the external organization must be accredited as a certification authority.
  • Certification team members must have and maintain, through continuous education, a professional certification in computer security.

6.0 Certification/Accreditation Requirements

This section specifies when and how systems and servers will be certified and accredited.

  • All systems or services that are critical to the operation of the organization must be independently certified and accredited prior to the system or service being placed into operation. The certification must focus on security and control mechanisms to prevent intrusion, data compromise, or system compromise.
  • Assessment of the certification and accreditation process is periodically done to determine its effectiveness and make improvements. Customer feedback and assessment team recommendations are used to assess and improve the process.
  • Certification reviews are performed according to written certification standards.

7.0 Enforcement

Since server certification and accreditation is important for ensuring the security of systems, especially those with high risk, employees who purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or another authorized representative.

8.0 Other Requirements

  • Tests for certifications and accreditation must be developed. Tests must reflect system requirements and show that the requirements for the system are functioning properly. Test results must be kept.
  • Certification and accreditation procedures must be developed for new projects requiring new services and for continued operation of the service so the certification is revisited periodically. Part of the certification and accreditation procedures includes test conclusions being contained in a formal report to project stakeholders. Procedures include information required to perform an assessment.
  • Certification standards must be developed for performing assessments.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________