Page 528 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 528

assessing the security of a system. Certification and accreditation

               processes are used to assess the effectiveness of application security as
               well as operating system and hardware security.

               The process of evaluation provides a way to assess how well a system
               measures up to a desired level of security. Because each system’s
               security level depends on many factors, all of them must be taken into
               account during the evaluation. Even though a system is initially
               described as secure, the installation process, physical environment,

               and general configuration details all contribute to its true general
               security. Two identical systems could be assessed at different levels of
               security because of configuration or installation differences.




                             The terms certification, accreditation, and maintenance

                  as used in the following sections are official terms used by the
                  defense establishment, and you should be familiar with them.



               Certification and accreditation are additional steps in the software and
               IT systems development process normally required from defense
               contractors and others working in a military environment. The official
               definitions of these terms as used by the U.S. government are from
               Department of Defense Instruction 5200.40, Enclosure 2.


               Certification


               The first phase in a total evaluation process is certification.
               Certification is the comprehensive evaluation of the technical and
               nontechnical security features of an IT system and other safeguards
               made in support of the accreditation process to establish the extent to
               which a particular design and implementation meets a set of specified
               security requirements.

               System certification is the technical evaluation of each part of a

               computer system to assess its concordance with security standards.
               First, you must choose evaluation criteria (we will present criteria
               alternatives in later sections). Once you select criteria to use, you
               analyze each system component to determine whether it satisfies the
   523   524   525   526   527   528   529   530   531   532   533