Security Certifications
High Level ViewMedium Level ViewDetailed View Strategic Initiatives Business Processes Information Flows Systems and Services Technology Infrastructure Security Solutions
 
KHA System Security Assessment and Certification/Accreditation Process
 
KHA’s security certificate program encompasses procedures for Security assessment and certification of information systems. It acts as a key activity to validate that the existing security controls in place are sufficient. It also acts as a key input the risk management process at KHA and is an integral part of KHA’s security policy.
 
Security Control Assessment and Certification
Security assessment and certification is a comprehensive assessment of KHA’s information systems, in terms of the management, operational and technical security controls that are in place.  Security assessment is performed to validate whether the existing security controls that are in place at KHA are sufficient and functioning as designed and delivering value as intended.

Certification phase details the specific actions taken or planned to correct deficiencies in the security controls and to reduce or eliminate known vulnerabilities in the information system.
 
Steps
  1. Identify the security controls that are already in place that needs to be assessed
  2. Develop procedures/methods for assessment of security controls
  3. Determine the effectiveness of each security control by the procedure defined in the previous step
  4. Prepare a summary assessment report containing the details of the assessment and any recommendations
  5. Publish the findings and recommendations to the information system owner
  6. Prepare plan of action for the recommendations that are decided to be remedied
  7. Make appropriate amendments to the security plan/policy
All KHA front-office systems need to be certified using the Defense Dept. DITSCAP procedure.  All IT systems used in work for the federal government need to be certified using the NIST SP-800-53 procedures.
 
Security Accreditation
The purpose of this phase is to identify whether the information system is ready to be operational, keeping in mind all the existing security vulnerabilities that have not been addressed with the current set of security controls in place. All KHA front-office systems are accredited using the Defense Dept. DITSCAP procedure.
 
Monitoring
KHA will perform an on going review and monitoring of the existing security controls necessitated by the changes in the information system. This is to make sure that all of the security controls that are in place at KHA’s information security systems are up to date and reflects the current contractual legal and federal obligations.
 
Steps
  • Configuration management of information system components - Any changes to Hardware, software or the environment in which the IT system operates in, will be recorded and documented which will help identify if it impacts any existing system controls or if any new controls have to be put in place
  • Security control monitoring - Critical system control that needs to be monitored on a regular basis will be selected as well as the frequency at which the monitoring needs to be done. The effectiveness of a given system control will be assessed to see if tit meets the security requirements that it was implemented for.
  • Status Reporting - A Report of the overall security status of the information system being monitored will be provided to the Information Security Office every 6months or as deemed appropriate based on changes in technology or regulatory requirements or security breaches/violations. Updates will be done to the security plan with the latest changes in the system and corresponding security controls that needs to be implemented.
Related Documents
     KHA Application Inventory (.xls)
     DITSCAP - Security Certification and Accreditation (.doc)
     NIST - Risk Management Framework (.doc) 
 
 

© 2009 CMU/Boeing Class - all rights reserved