What Are the C&A Levels

by Waine G. Fluen.


There are four different levels at which information systems can be certified and accredited. The four levels are known simply as Level 1, Level 2, Level 3, and Level 4. The information system owner is supposed to decide at what level to certify the information system, and then obtain buy-in on that level from the authorizing official. The ISSO and the C&A preparation team should assist the information system owner in determining the proper level at which to certify and accredit the information system.

Level 1 is for information systems that are not sensitive, and have few security requirements.
Level 2 is for information systems that are somewhat sensitive, and have some Confidentiality, Integrity, or Availability requirements.
Level 3 is for systems with sensitive information that have significant Confidentiality, Integrity, and Availability requirements.
Level 4 is for extremely sensitive information systems that have the highest requirements for Confidentiality, Integrity, and Availability.

Most information systems will fall into the category of Level 2 or Level 3. Deciding at which of these two levels to certify and accredit your information system can be somewhat thought-provoking.

Level 1

A Level 1 C&A requires a minimal security review. A Level 1 Certification Package requires only a Security Plan, an Asset Inventory, and a completed Security Self-Assessment. Additionally, security policies must be clearly defined. A sample self-assessment can be found in Appendix D. Some agencies may have different requirements for a Level 1, and you should of course always follow the existing agency guidelines.

Information systems that typically may require a Level 1 C&A are systems that:

■ Publish general public information
■ Deliver courseware and training programs
■ Publish product information
■ Publish information on workplace policies
■ Publish forms, maps, or charts that are nonsensitive

Level 2

A Level 2 C&A requires a basic review and analysis of the security of the information system. A Level 2 C&A requires everything included in a Level 1, plus a full set of C&A documents and a Security Test & Evaluation (ST&E), though not the ST&E test results. Security policies must be clearly defined and implemented. If an agency requires something different than what I recommend here, you should defer to the agency recommendations.

Information systems that typically may require a Level 2 C&A are information systems that:

■ Are used for contracts, proposals, and legal proceedings
■ Are used for capital budget applications
■ Serve office applications
■ Operate benefits management applications
■ Manage supply chain management transactions

Level 3

A Level 3 C&A requires a detailed review and analysis of the security of the information system. A Level 3 C&A requires everything that is required in a Level 1 and Level 2 C&A, plus a network vulnerability scan, as well as tests that show the security policies have been correctly implemented. Some agencies may have different requirements for a Level 3, and you should always use the agency guidelines and follow the recommendations in the agency handbook.

Information systems that typically may require a Level 3 C&A are information systems that:

■ Monitor information or physical security
■ Manage operations of financial transactions
■ Operate payroll management applications
■ Transmit intelligence information
■ Communicate information about dangerous substances

Level 4

A Level 4 C&A requires an extensive review and analysis of the security of the information system. All items required for Levels 1, 2, and 3 are required for a Level 4, plus a penetration test and confirmation that all security tests were passed. Some agencies may have different requirements for a Level 4, and just as with a Level 1, 2, or 3, you should always defer to the agency guidance.

Information systems that typically may require a Level 4 C&A are information systems that:

■ Operate and monitor nuclear power plants
■ Make decisions on where to drop a bomb
■ Monitor a patient during surgery
■ Operate and monitor a large dam
■ Manage and operate mass transportation facilities
■ Monitor water quality and safety of public drinking water
■ Manage top secret Department of Defense projects
■ Prevent terrorist attacks
■ Perform large monetary transactions

Determining the level of the Certification Package up front is one of the most often-overlooked parts of C&A. Numerous organizations don't perform this step until the entire Certification Package has been developed, which is the wrong way to go about it. One reason for determining the level up front is that the level determines what types of information need to be included in the Certification Package. The Certification Package is evidence that security risks have been understood and mitigated properly, and the higher the level of certification sought, the more evidence is required. For example, a network vulnerability scan is required for Level 3 Certification but not for Level 2. If you are seeking Level 3 Certification, you need to complete a network vulnerability scan, address the risks it identifies, and include this information as part of the Certification Package.

    Copyright © 2006 - 2012 e-articles.info.
The texts, articles and tutorials in the directory are property of their respective owners and authors.