Certification and Accreditation Handbook Development

by Hemant Baidwan.


In developing the program, you’ll need to write a C&A Handbook that instructs your agency or bureau on how to prepare a Certification Package. The idea is to standardize the development of all Certification Packages that are submitted for evaluation. Without a handbook and a specified process, the Certification Packages will have a different look and feel. If 50 different Certification Packages all have the right information in them, but in different formats, it is going to be very difficult for the evaluators to find the information. If the packages have different types of information in them, it is going to be very hard for the evaluators to review the packages according to the same standards.

Writing the handbook is a big job. A good handbook is likely to be around 200 pages long. The handbook has to include very specific information on what your agency evaluators need to see in every Certification Package. It should instruct the folks preparing the Certification Packages on what documents they will be required to submit, and what should be included in each document. The best way to ensure that each document includes the right kind of information is to create templates.

What to Include in Your Handbook

Each agency’s handbook will be somewhat different and take on slightly different organizational formats. However, it is highly advisable that all handbooks include sections in the following areas:

Background, purpose, scope

Regulatory citations

Reference to associated internal security policies

System lifecycle information

An overview of the process

Roles and responsibilities

Definition and explanation of Certification Levels

Information on the required Certification Package documents

How to define security requirements

How to understand accreditation boundaries

Threat and risk assessment guidelines

Security controls

Required security tests

Evaluation checklists

Plan of Action & Milestones

Acronyms

Glossary

References and related publications

An Appendix for each template

Who Should Write the Handbook?

There are no restrictions on who can write a C&A Handbook. An agency can use its own staff, or outside consultants. However, the development of the handbook should probably be done under the authority of the department that will oversee the evaluators. It makes sense that the Certifying Agent should designate the appropriate staff to write the handbook, since he or she will need to live by its guidelines and accredit packages according to its stipulations. There is nothing that says the Certifying Agent cannot author the handbook. However, given the day-to-day responsibilities of the Certifying Agent, the time it takes to develop the handbook may require that it be done by appointed staff, or by outside consultants.

Template Development

Certification Packages consist of a set of documents that all go together and complement one another. A Certification Package is voluminous, and without standardization, it takes an inordinate amount of time to evaluate it to make sure all the right information is included. Therefore, agencies should have templates for all the documents that they require in their Certification Packages. Agencies without templates should work on creating them. If an agency does not have the resources in-house to develop these templates, it should consider outsourcing this initiative to outside consultants. A template should be developed using the word processing application that is the standard within the agency. All of the relevant sections that the evaluation team will be looking for within each document should be included. Text that will remain constant for a particular document type also should be included. An efficient and effective C&A program will have templates for the following types of C&A documents:

Categorization and Certification Level Recommendation

Hardware and Software Inventory

Self-Assessment

Security Awareness and Training Plan

End-User Rules of Behavior

Incident Response Plan

Security Test and Evaluation Plan

Privacy Impact Assessment

Business Risk Assessment

Business Impact Assessment

Contingency Plan

Configuration Management Plan

System Risk Assessment

System Security Plan

Security Assessment Report

Templates should include guidelines for what type of content should be included, and also should have built-in formatting. The templates should be as complete as possible, and any text that should remain consistent and exactly the same in like document types should be included. Though it may seem redundant to have the exact same verbatim text at the beginning of, say, each Business Risk Assessment from a particular agency, each document needs to be able to stand alone and make sense if it is pulled out of the Certification Package for review. Having similar wording in like documents also shows that the packages were developed consistently using the same methodology and criteria.

With established templates in hand, it is much easier for the C&A review team to understand what it is that they need to document. Even expert C&A consultants need and appreciate document templates. Finding the right information to include in the C&A documents can by itself be extremely difficult, even without first having to figure out what it is that you are supposed to find—which is why the templates are so very important. It’s often the case that a large, complex application is distributed and managed throughout multiple departments or divisions, and it can take a long time to figure out not just what questions to ask, but who the right people are who will know the answers.

Provide Package Delivery Instructions

Your C&A program should include information on how specifically the ISSO should submit the final Certification Package to the evaluation team. The evaluation team needs to understand whether to expect the package by email, CD, or to look on a protected network share. It’s a good idea for agencies to require that both hardcopy and software documents be submitted to the evaluation team. Hardcopy documents should be bound together. I recommend using a three-ring binder because it is easy to update a single piece of the package and insert it easily after removing the outdated pages.

Most of these documents will contain sensitive information, and for that reason, they should not be e-mailed to anyone over the Internet unless they are protected by 128 bit encryption—either by file encryption or through a Virtual Private Network (VPN). Before e-mailing C&A documents out of the agency over any external public networks, you should really check the security policies of your particular agency to find out what the requirements are for protecting sensitive information. If outside consultants are being used to prepare a Certification Package, it may very well be that the only safe way to exchange documents with them is for them to come on site. Most agencies will not set up a VPN to outside consultants, and getting approvals to use file encryption or certificates can take more time than the time it takes to create the entire Certification Package. Though it may seem trailing-edge, sometimes exchanging documents in person using a CD or a USB flash drive is the easiest way to exchange C&A documents.
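The file-encryption option described above, as an added example that is not part of the original article and not any agency's tooling: a Go program that seals a C&A document with AES-128-GCM (a 128-bit key, as the text calls for) before it leaves the agency, and refuses to open it if the ciphertext has been altered or the file has been relabelled as belonging to a different package. The function names Seal, Open and NewKey, the package label "PKG-2012-001" and the document text are all constructed for this example; the key itself is assumed to reach the consultant out of band (for instance in person, as the text suggests), never in the same e-mail as the file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh random 16-byte key, i.e. AES-128 as the
// article's "128 bit encryption" requirement. Hypothetical helper.
func NewKey() ([]byte, error) {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one document with AES-128-GCM. The random 12-byte nonce is
// prepended to the output so the recipient needs nothing but the key. The
// package label is passed as GCM additional data: it is authenticated but not
// encrypted, so a sealed file cannot be quietly moved to another package.
func Seal(key []byte, packageLabel string, plaintext []byte) ([]byte, error) {
	if len(key) != 16 {
		return nil, errors.New("key must be 16 bytes (AES-128)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice we pass as dst.
	return gcm.Seal(nonce, nonce, plaintext, []byte(packageLabel)), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or package
// label makes the GCM tag check fail, so a corrupted or relabelled document is
// rejected instead of being returned as garbage.
func Open(key []byte, packageLabel string, sealed []byte) ([]byte, error) {
	if len(key) != 16 {
		return nil, errors.New("key must be 16 bytes (AES-128)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed document too short")
	}
	nonce, ciphertext := sealed[:ns], sealed[ns:]
	plaintext, err := gcm.Open(nil, nonce, ciphertext, []byte(packageLabel))
	if err != nil {
		return nil, fmt.Errorf("document rejected: %w", err)
	}
	return plaintext, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document; a real one would be read from disk.
	doc := []byte("System Security Plan, section 1: system description (constructed sample)")
	sealed, err := Seal(key, "PKG-2012-001", doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(doc), len(sealed))

	if back, err := Open(key, "PKG-2012-001", sealed); err == nil {
		fmt.Printf("opened OK: %q\n", back)
	}
	// Flip one ciphertext bit: the recipient must see a rejection, not altered text.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := Open(key, "PKG-2012-001", sealed); err != nil {
		fmt.Println("tampered copy:", err)
	}
}
```

The shared key is the whole secret here, which is why the example returns a random key rather than deriving one from a password: a 128-bit key carried on a CD or USB drive handed over in person, as the text describes, is exactly the kind of out-of-band channel that makes e-mailing the sealed file itself acceptable.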

Create an Evaluation Process

The evaluation of a Certification Package should be a standardized procedure. Before going through the Certification Package, the evaluation team should know up front exactly what it is that they are looking for. Agencies that do not have a standardized methodology for evaluating Certification Packages will not score well on the annual Federal Computer Security Report Card. The standardized process should be different depending on the security category (level) of the Certification Package. There are four possible security levels that Certification Packages can be prepared in accordance with, and these different levels have slightly different requirements. The level is determined using guidance from the U.S. Federal Information Processing Standard (FIPS) 199.

Authority and Endorsement

It is important that a C&A program be developed and endorsed at a high level within the agency. The purpose of the program will be completely defeated if individual departments each try to create their own C&A program. The idea is to create a standard, and a standard means one process. The program should be spearheaded by the CIO or authorizing official, even if all the work is delegated to the certifying agent. That doesn’t mean that the technical staff within various departments can’t contribute to the program’s development. Some of the best ideas often come from the technical staff that takes the most interest in a project. The development of the program, however, needs to be organized and endorsed at the level of the CIO, authorizing official, and certifying agent.

    Copyright © 2006 - 2012 e-articles.info.
The texts, articles and tutorials in the directory are property of their respective owners and authors.