EA3 artifact SP-3: Certification & Accreditation Documentation
The System Accreditation Document uses a standard format for evaluating the security status of information systems throughout the enterprise. A system security accreditation has a number of parts, as illustrated in the example.
- System Security Plan. This opening section of the System Accreditation Document provides an overview of the business context that the information system operates in, states the current security status of the system (last accreditation), and summarizes the contents and findings of the other accreditation documents.
- System Risk Assessment. This section of the document uses a standardized format for showing areas of risk to the information system in the four primary security threat areas that are covered in artifact SP-2: physical, data, operational, and personnel. It assigns a level of risk based on the business context for system operations and the type of system data to be protected. It also provides security risk remediation strategies (how to avoid a security risk, or deal with it if a problem occurs) for each area of risk that is identified.
- System Test and Evaluation. Also called a system ‘penetration test.’ The System Test and Evaluation (ST&E) section of the document provides the results of a live test that attempts to enter the system through other-than-normal log-in procedures, as well as attempts to overwhelm the system (denial of service attack), or infect the system with an active virus, worm, or other type of problematic element that reduces or eliminates information system functionality.
- Remediation Plan. This section of the document provides the status of corrective actions taken to fix all of the security risks found during the risk assessment/ST&E.
- Approval to Operate. This section of the document is the formal (signed) approval to operate the information system that is provided by the designated person in the enterprise (usually the Chief Information Officer or the IT Security Manager).