Security Basics mailing list archives

Re: System Certification


From: "Ivan Coric" <ivan.coric () workcoverqld com au>
Date: Fri, 10 Oct 2003 09:49:59 +1000

Hi Andy,

Define Certification as it pertains to IT/IS

Certification is the process of performing a comprehensive analysis of the security features and safeguards of a system 
to establish the extent to which the security requirements are satisfied.

The certification process considers the system in its operational environment. This means the security mode of 
operation, specific users, what training the users will receive, the applications and their data sensitivity, system 
and facility configuration and location, and its intercommunication with other systems are all considered during the 
certification process.

Define Accreditation as it pertains to IT/IS

Accreditation is the official management decision to operate a system. Certification proves it is capable, while 
accreditation means that we will run it. The accreditation specifies the:

Security mode it will work in

Prescribed set of countermeasures

Defined threats, and stated vulnerabilities

Given operational concept and environment

Stated interconnection to other systems

The risk of operation is formally accepted

And the accreditation is for a stated period.

cheers
Ivan



Ivan Coric
IT Technical Security Officer
Information Technology
WorkCover Queensland
Ph: (07) 30066414 Fax: (07) 30066424
Email: ivan.coric () workcoverqld com au

"Andy Rose" <andymrose () hotmail com> 10/09/03 06:21pm >>>
Just a quick question - I'm trying to clarify the difference between 'system 
certification' and 'system accreditation'.  I've been reading conflicting 
definitions in different CISSP books - can anyone give me a definitive 
answer?

Thanks


