Certifier
Individual responsible for making a technical judgment of the system's compliance with stated requirements, identifying and assessing the risks associated with operating the system, coordinating the certification activities, and consolidating the final certification and accreditation packages. See Certification Authority; certification agent.
Similar items:
The individual responsible for making a technical judgment of the system’s compliance with stated requirements, identifying and assessing the risks associated with operating the system, coordinating the certification activities, and consolidating the final certification and accreditation packages.
<p><b>1. Initiation and planning</b><br>
At this stage, management initiates and plans the implementation of the
program. A C&A implementation expert prepares the documentation (including the
business case and requirement documents) and presents it to management
in the form of a comprehensive C&A package.<br>
</p>
<p><b>2. Certification</b><br>
At this stage, an external auditing team analyzes the C&A package and the
organization's information security systems. The audit includes
running vulnerability scans, conducting interviews, and checking that everything
complies with the accepted standards and norms.<br>
</p>
<p><b>3. Accreditation</b><br>
In the accreditation stage, the certifying authority reviews the compiled
C&A package together with the recommendations put forward by the
auditing team. Before granting accreditation, the authority performs its own
examination and decides whether any non-remedied risks in the system can be
accepted.<br>
</p>
<p><b>4. Periodic monitoring</b><br>
The system, the personnel, and the organization as a whole are
monitored periodically by a team whose sole responsibility is to ensure that the
program continues to operate as intended. Any risks, vulnerabilities, or threats
that arise during the monitoring stage must also be dealt with by
the organization's security staff.<br>
</p>
<p>Original Publication:
<a target="_blank" href="https://cloudsecurityalliance.org/guidance">https://cloudsecurityalliance.org/guidance</a> <br>Original Document: <a target="_blank" href="https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/security-guidance-v4-FINAL.pdf">https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/security-guidance-v4-FINAL.pdf</a> <br></p><p>The issue with the original document is that it is not very Kindle-compatible and is hard on the eyes. The document below has improved contrast and is easier to read.</p><p><strong>Kindle-Compatible PDF:<br></strong>
<a target="_blank" href="https://www.sunflower-cissp.com/downloads/security-guidance-v4-FINAL/security-guidance-v4-FINAL_Sunflower.pdf">https://www.sunflower-cissp.com/downloads/security-guidance-v4-FINAL/security-guidance-v4-FINAL_Sunflower.pdf</a> <br><br></p><p><strong>File in DOCX format:<br></strong>
<a target="_blank" href="https://www.sunflower-cissp.com/downloads/security-guidance-v4-FINAL/security-guidance-v4-FINAL_Sunflower.docx">https://www.sunflower-cissp.com/downloads/security-guidance-v4-FINAL/security-guidance-v4-FINAL_Sunflower.docx</a> </p>
(1) A program whereby a laboratory demonstrates that something is operating under accepted standards to ensure quality assurance. (2) A management or administrative process of accepting a specific site installation/implementation for operational use based upon evaluations and certifications. (3) A formal declaration by a Designated Approving Authority (DAA) that the AIS is approved to operate in a particular security mode using a prescribed set of safeguards. Accreditation is the official management authorization for operation of an AIS and is based on the certification process as well as other management considerations. The accreditation statement affixes security responsibility with the DAA and shows that due care has been taken for security. (4) Formal declaration by a Designated Approving Authority (DAA) that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. Also: formal declaration by a Designated Accrediting Authority (DAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards (see security safeguards); and the formal declaration by the Designated Approving Authority (DAA) that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.
A detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk. Process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations. (NIST Special Pub 800-53) The discipline of identifying and measuring security risks associated with an information system, and controlling and reducing those risks to an acceptable level. The goal of risk management is to invest organizational resources to mitigate security risks in a cost-effective manner, while enabling timely and effective mission accomplishment. Risk management is an important aspect of information assurance and defense-in-depth.