Which of the following processes culminates in an agreement between key players that a system in its current configuration and operation provides adequate protection controls?
A. Information Assurance (IA)
B. Information systems security engineering (ISSE)
Suggested Answer: Certification and accreditation (C&A).

Certification and accreditation (C&A) is the set of processes that culminates in an agreement between key players that a system in its current configuration and operation provides adequate protection controls. C&A (sometimes written CnA) is a process for implementing information security: a systematic procedure for evaluating, describing, testing, and authorizing systems before, or after, they go into operation. It is used extensively in the U.S. Federal Government; C&A processes include the FISMA-mandated NIST process, NIACAP, DIACAP, and DCID 6/3. (Under NIST SP 800-37 Rev. 1 and later, the Risk Management Framework renamed these steps security assessment and authorization, and the accrediting authority became the authorizing official; the decision being made is the same.)

Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls. The result is that only approved users have access to approved information at approved times.

Option A is incorrect. Information assurance (IA) is the practice of managing information-related risks; IA practitioners seek to protect and defend information and information systems by ensuring confidentiality, integrity, authentication, availability, and non-repudiation. IA is the broader discipline, not the process that ends in an accreditation decision.

Option B is incorrect. Information systems security engineering (ISSE) is the set of processes and solutions used during all phases of a system's life cycle to meet the system's information protection needs.

Option D is incorrect. Risk management is a set of processes that ensures a risk-based approach is
Certification is typically the result of an audit or evaluation process and not an agreement. However, accreditation does involve an agreement between key players, such as the system owner, accrediting authority, and other stakeholders, about the level of risk that is acceptable for the system and the controls that are in place to manage that risk. The accreditation decision is based on a review of the system's certification report and other relevant information, and it represents an official endorsement that the system meets the established security requirements and can be operated in its current state.
74gjd_37, 5 months, 2 weeks ago
4e3rv21rq3vq2q, 1 year, 8 months ago