Certification and Accreditation in the CISSP
This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.
What is certification and accreditation and how does it relate to security engineering?
Certification and accreditation (CnA or C&A) is a formal procedure for evaluating, testing, and authorizing systems (or the activities of systems), either before or after a system becomes operational. The C&A procedure is used widely around the world.
Attaining the CISSP certification separates an information security expert from their competition and awards them a badge of credibility. C&A is an integral part of the CISSP CBK and the aspirants need to be theoretically and practically well-versed with the subject to be able to ace the exam. In simple terms, certification in itself can be defined as the complete evaluation of a product, system, process, event, or a skill that’s normally measured against an existing benchmark, norm, or standard.
Most trade organizations and industries prepare carefully designed certification models (and programs) that can then be used to test and evaluate the skills of the people performing jobs that fall under the organization's specific area of interest. However, testing laboratories can also issue certifications for products (that meet the pre-established norms and standards), and government bodies have historically certified companies that meet the laid-out regulations (e.g., emission limits).
Accreditation, on the other hand, is a formal declaration by a neutral third party that the certification was carried out in a way that accords with the relevant standards and/or norms of the certification program (e.g., IEC 17024). In most countries around the world, there are specific bodies that operate nationwide and enforce these regulations. In the UK, the United Kingdom Accreditation Service (UKAS) is the country's accepted accreditation organization.
There are many ways of building and implementing a certification and accreditation program at the enterprise level. Predominantly, it is composed of people, technologies, and processes of different types. All of the constituent entities are important, but some program components are absolutely essential to the program's success. If these components do not function as they should, the program's implementation can be severely hampered and the repercussions will not be desirable. The following are some of the most important elements that are critical to the success of a C&A program at an enterprise:
The C&A business case
An enterprise certification and accreditation program can only flourish if it has been based on a solid business case that lists the key benefits that the company will reap from it. Via the business case, the company is able to figure out exactly why the program is going to be beneficial to the company; the benefits can include:
- Diligence: A C&A program provides a way to exercise due diligence within an organization. Via such a program, management can ensure that adequate levels of security have been implemented throughout the organization.
- Accountability: The program gives the organization a way to hold managers, executives, and even employees accountable for the security and integrity of the systems that they interact with or are responsible for.
- Transparency: The program also affords visibility and transparency to the IT security across the enterprise by addressing the different levels of security.
- Cost-Effectiveness: Because the C&A program ensures the sound running and management of different processes within an organization, researchers have shown that it proves substantially cost-effective in the long run.
The C&A goal setting
Once the business plan has been formally documented, an organization also has to set the goals that it expects to achieve through the implementation of the C&A program. The goals laid out should be (at the very least):
- Comprehensive: The program cannot leave any stone unturned; every system, service, and person in the organization should be affected by its implementation. The greatest advantage of the program is that it standardizes requirements, outcomes, and processes; any failure to comply with the program's requirements can result in the loss of that desired standardization.
- Integrated: The program must also incorporate integrations of the various components of the systems that are running across the enterprise.
- Timely: The set goals should have a rigorous timeline that would have to be abided by. Review and assessment cycles should be evenly divided across the timeline before the deadline.
- Achievable: Lastly, the goals set out need to be achievable. There is no benefit that an enterprise can reap from penning down extravagant goals that are unachievable. To set achievable goals, it’s necessary for the enterprise to be “self-aware” more than anything else.
Establishing tasks and milestones
A typical C&A program is large and can only be managed if it is divided into small tasks and milestones. This is a very important stage because it lays out the implementation plan that then has to be carried out with care. Separation of duties should be enforced at this stage to ensure that everybody is aware of the duties that they are required to perform. Milestone setting always proves beneficial in the implementation of a certification and accreditation program because it allows top-level management to maintain the levels of efficiency and accountability that lead to successful implementation.
Scrutinizing program execution
The success of the program depends most on its execution. It is always recommended to hire an expert who knows how to carry out a C&A implementation at the enterprise level. Careful scrutiny of the program's execution should involve holding people accountable for the milestones and/or tasks they were assigned to complete within specific periods of time. Maintaining a watchful eye also ensures that all standards and norms are complied with during the implementation.
Stages of a C&A program
Predominantly, C&A programs can be divided into four broad stages, with different activities performed at each.
1. Initiation and planning
At this stage, the administration initiates and plans the implementation of the program. A C&A implementation expert lays out the documentation (including the business case and requirement documents) and presents it to the administration in the form of a comprehensive C&A package.
2. Certification
At this stage, an external auditing team analyzes the C&A package and the information security systems of the organization. The audits will include running vulnerability scans, conducting interviews, and checking whether everything complies with the accepted standards and norms.
3. Accreditation
In the accreditation stage, the certifying authority will review the compiled C&A package and will also go through the recommendations put forward by the auditing team. Before granting the accreditation, the authority will make its own examination and decide whether any non-remedied risks in the system can be accepted.
4. Periodic monitoring
The system, the personnel, and the whole organization, in general, will be monitored periodically by a team whose sole responsibility is to ensure that the program stays operational as it should. Any risks, vulnerabilities, or threats that might arise during the monitoring stage will also have to be dealt with by the security enforcers of the organization.
Certification and accreditation programs provide a framework for enterprises to ensure security, accountability, and, at times, efficiency. An information security expert should be well aware of all the concepts, theories, and practices that make C&A programs what they are.
This article presented a brief overview of the fundamentals of the program; candidates looking to pass the CISSP exam should consult other resources while preparing as well.