INFORMATION SECURITY MANAGEMENT BEYOND CERTIFICATION AND ACCREDITATION
Proceedings: The Second International Conference on Cyber Security, Cyber Peacefare and Digital Forensic (CyberSec)
Publication Date: 2013-03-04
Authors: John A. Anderson, Vijay Rachamadugu
Pages: 22-32
Keywords: Information Security; Enterprise Architecture; Certification; Accreditation; Security Management
Abstract
Traditional information security approaches rely too heavily on system certification and accreditation (C&A) to ensure that a system is sufficiently secure. Such approaches inadequately address security during acquisition and/or development, which increases the risk of the system containing inherent computer vulnerabilities and exposures that may lead to inappropriate issuance of an Authority to Operate (ATO) as a result of unintentional oversight of problems or pressure to deploy despite recognized residual risks. In certain instances, testing by an independent authority may mitigate some of the risks; however, such testing is often undertaken near the end of the development/acquisition cycle. This paper describes proven elements of a more comprehensive methodology that addresses information security throughout the acquisition and system life cycle from both a system and enterprise perspective. The paper applies the authors’ research on Roadmap for Information Security Guidance for Enterprise Transformation to information security management in development and acquisition. The content and references can be used by organizations striving to improve their acquisition, system development and security management processes.
Last modified: 2013-06-18 22:05:50