Certification and accreditation has become a major topic of discussion in the information security arena over the past two to three years, at least in U.S. government circles. Many government organizations are currently engaged in employing certification and accreditation processes in response to the requirements of the Federal Information Security Management Act (FISMA). FISMA, with its emphasis on measuring progress in the implementation of information security within the federal government, has elevated certification and accreditation into the preeminent position of being the government's primary risk management approach in the field of information technology security. Although certification and accreditation is not new, its preeminence is, and its newfound acceptance promises to solidify its position for many years to come. Certification and accreditation has been employed in government for over 20 years, and it is becoming recognized outside government for the promise it holds as a practical approach for identifying and documenting business requirements for security, for ensuring that cost-effective controls are functioning appropriately, and for ensuring that weaknesses in protective controls are managed effectively. This book demonstrates the practicality, comprehensiveness, and effectiveness of certification and accreditation as a risk management methodology for information technology systems in both public and private organizations.