
What Is Truth to Power?

Truth to Power (T2P) is:

  • dedicated to bridging the gaps between governance and practice, technology and business, regulation and control, risk management and real market pressures, and your own knowledge and the knowledge of your peers.
  • built to create a common pool of knowledge, one big brain, that lets you work more efficiently, build technology and business practices more effectively, and endure audits more effortlessly.
  • a neutral hub through which you can reach many valuable information nodes, resource collections, and organizations that are already helping people like you, but in fractured ways.
  • against the idea that auditors, analysts, and consultancies can control information simply through their ability to collect and distill it. T2P's goal is to unlock the vast body of knowledge, insight, and conventional wisdom that we all have, make it freely available to you, and help you digest and interpret it, without undue cost, bias, or hype.

System Security Certification/Accreditation, Annual (Policy)

Overview and Purpose

[variable: Covered Organization]'s [variable: Individual responsible for certifying systems] must certify that [variable: Covered application or system] has appropriate safeguards in place and that the data it processes are secure.

The requirement to certify and accredit a system to process data is contained in the [variable: Covered Organization or System] Security Program Handbook. Certification and accreditation provide a form of quality control: they force managers and technical staff to find the best fit for security, given technical constraints, operational constraints, and mission requirements. By certifying and accrediting a system, a manager formally accepts the residual risk associated with operating it.

Coverage

All divisions must certify and accredit systems that store, contain, process, or transmit sensitive information.

Policy

[variable: Covered Organization] requires all systems that access [variable: Covered Organization] data to be certified and accredited. For new application systems, the certification process must begin during the design and development stage. [variable: Covered application/s or system/s] must be recertified at least once every [variable: time period, usually one year or less] or whenever they undergo a significant modification or are breached.

The [variable: Individual Responsible for Certifying Systems] must complete the certification procedure defined in the System Security Certification and Accreditation Procedure. A copy of the System Security Certification/Accreditation, Annual (Form) should be attached to the [variable: Covered Organization] security plan.

If the [variable: Covered application/s or system/s] do not meet [variable: Covered Organization] security requirements, the system must not be accredited. In such cases, the [variable: Individual Responsible for Certifying Systems] must complete a Deferral of System Security Certification or Accreditation, Annual (Form) statement. When a Deferral of Certification/Accreditation statement is executed, the [variable: Individual Responsible for Certifying Systems] must report the security weakness to [variable: Individual or office ultimately responsible for system security].

Roles and Responsibilities

[Note: Redefine this section to reflect your own organization's roles and responsibilities covering security certification. The titles and responsibilities offered below are just one example of this structure.]

Director

Information Security Officer (ISO)

  • Prepares policy guidelines for authorizing systems to process [variable: Covered Organization] data
  • Ensures all systems that process [variable: Covered Organization] data have an associated System Security Certification/Accreditation, Annual (Form)
  • If any system that processes [variable: Covered Organization] data does not meet the security requirements, completes three copies of the Deferral of System Security Certification or Accreditation, Annual (Form) statement and lists deficiencies that must be remedied within the calendar year
  • Ensures that a re-authorization is obtained every [variable: time period] or when a system is significantly modified
  • Reviews and certifies that [variable: Covered application or system]'s security controls are adequate, prepares System Security Certification/Accreditation, Annual (Form) for the Director's signature
  • Attaches signed System Security Certification Statement to the [variable: covered application or system] Security Plan

Supervisors

  • Review and certify, at least every [variable: time period], that the system that accesses [variable: Covered Organization] data contains adequate security controls
  • Mitigate any deficiencies listed in the Deferral of System Security Certification or Accreditation within the next calendar year

Rules for Authorizing/Accrediting a System

Based on the [variable: Covered Organization] Security Handbook, the following are the minimum security controls that must be in place prior to authorizing a system for processing:

  • Security plan developed, updated, and reviewed
  • Technical and/or security evaluation complete
  • Risk assessment conducted
  • [Variable: Covered application or system] security rules provided to users and signed by users
  • Contingency plan developed and tested
  • System meets all applicable laws, regulations, policies, guidelines, and standards
  • Security specifications and test results documented
  • In-place and planned security safeguards appear to be adequate and appropriate
  • In-place safeguards are operating as intended

Enforcement

Gross negligence or willful disregard of this policy, in principle and action, may result in disciplinary action that may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student.

Additionally, individuals are subject to loss of [variable: Covered Organization] Information Resources access privileges and to civil and criminal prosecution.

Supporting Documentation

This policy is supported by the following rules, standards, and procedures:

  • [variable: internal documents (with links, if available)]
  • [variable: external documents (with links, if available)]

Policy Support Contact

  • [variable: title (not personal name) of role responsible for overseeing this procedure]
  • [variable: Contact information of office responsible for overseeing this procedure]

Resources

Related Templates

Policy Model(s)

Federal Agency Security Practices, National Institute of Standards and Technology (NIST)
