Generally Accepted System Security Principles

P-10 Certification and Accreditation Principle

Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved


Information systems and information security professionals should be certified to be technically competent and management should approve them for operations.


For information systems, certification is a determination by the technical community that the integrity of a system is preserved; all laws, regulations, and directives have been met; and that all safeguards are in place and functioning correctly. Since these conditions are never completely met, certification is accompanied by a list of deficiencies for which the risk is acceptable and a set of plans for resolving unacceptable risk. Certifiers should attempt to accumulate a body of knowledge concerning nondevelopmental software.* An objective of certification is to give management confidence that the system can be accredited for use. Note that this confidence may need to be re-established following a security breach, or prior to the use of an alternate site during disaster recovery.

Another objective of certifying a system is to ensure that the system provides accurate logical representations of the physical or logical objects it models. In some cases, such as when the object is a person, the responsibility may be legislated, as it is for privacy. For other objects, it may be good software engineering practice or engineering needs that motivates the requirement. The degree to which measures should be taken to create, preserve, monitor, and recover an accurate representation should be in accordance with the proportionality principle (P-5).

For information security professionals, job-specific certification (not to be confused with a professional certification like CISSP) is a determination by Information Technology management that the individual has appropriate expertise, training, or background to perform the assigned information security tasks. This could range from Certified Information Systems Security Professional (CISSP) certification with a background investigation for information security managers to a prescription of required training for a standalone workstation system administrator. The degree of certification required should vary with the potential for loss of the applicable system.

Accreditation acknowledges that management ultimately decides whether the risk of certification deficiencies is at an acceptable level to permit the individual to begin work or the information system to begin operation.

*Nondevelopmental software is software that was not developed by the current development organization. It includes Commercial-Off-The-Shelf software, reuse software, adapted software, previously developed software, shareware, public domain software, etc.