Page 529 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 529

desired security goals. The certification analysis includes testing the
               system’s hardware, software, and configuration. All controls are

               evaluated during this phase, including administrative, technical, and
               physical controls.

               After you assess the entire system, you can evaluate the results to
               determine the security level the system supports in its current
               environment. The environment of a system is a critical part of the
               certification analysis, so a system can be more or less secure

               depending on its surroundings. The manner in which you connect a
               secure system to a network can change its security standing. Likewise,
               the physical security surrounding a system can affect the overall
               security rating. You must consider all factors when certifying a system.

               You complete the certification phase when you have evaluated all
               factors and determined the level of security for the system. Remember
               that the certification is valid only for a system in a specific

               environment and configuration. Any changes could invalidate the
               certification. Once you have certified a security rating for a specific
               configuration, you are ready to seek acceptance of the system.
               Management accepts the certified security configuration of a system
               through the accreditation process.


               Accreditation

               In the certification phase, you test and document the security
               capabilities of a system in a specific configuration. With this

               information in hand, the management of an organization compares
               the capabilities of a system to the needs of the organization. It is
               imperative that the security policy clearly states the requirements of a
               security system. Management reviews the certification information
               and decides whether the system satisfies the security needs of the
               organization. If management decides the certification of the system
               satisfies their needs, the system is accredited. Accreditation is the

               formal declaration by the designated approving authority (DAA) that
               an IT system is approved to operate in a particular security mode
               using a prescribed set of safeguards at an acceptable level of risk. Once
               accreditation is performed, management can formally accept the
               adequacy of the overall security performance of an evaluated system.
   524   525   526   527   528   529   530   531   532   533   534