Enterprise Security Management Practices ◾ 51
© 2011 by Taylor & Francis Group, LLC
Information System Security Cycles
Before moving on to discussing the organization’s roles and responsibilities, the
ISSMP must understand the overall concept of establishing, testing, approving,
and monitoring the information system’s security, so the roles and responsibilities
can be put into perspective.
Once again, the publications and practice describe various methods, but basically all have the same components. The following is a generic approach to system certification and accreditation (C&A). See the accompanying graphic for a visual representation of the phases.
Initiation Phase: Basically all the actions described thus far in this chapter are done during this phase. These actions include identifying the organization's mission, goals, and objectives; describing the system components, boundaries, functions, and connections; determining and implementing the security controls that are necessary; and conducting an initial risk assessment. Then, identify the responsible individuals and document all of these findings in a security plan.
Verification Phase: A comprehensive assessment of the management, operational, and technical security controls in an information system in support of system accreditation. This includes verifying that the controls identified in the security plan are implemented correctly, operating as intended, and producing the desired outcomes, and documenting the results in a formal document, i.e., a Security Assessment Report.
Approval Phase: The actions taken to review the System Security Plan, Security Assessment Report, and Corrective Action Plan or Plan of Actions and Milestones (POA&M, see sidebar) are completed prior to a senior management official's approval of an information system for operation or for continued operation. This official is responsible for the information system's business function and supporting resources, is knowledgeable of the security status, including the security controls and risks, and is responsible for formally accepting the risk to the individuals and the organization (including mission, assets, functions, image, and reputation).
Maintenance Phase: Taking actions to ensure that the authorized configuration, security controls, and level of risk are maintained. The actions will include an active configuration management program, ensuring that all updates are implemented, risk assessments are continuously conducted, senior management is kept up to date on all changes to the security status, contingency and
[Figure: the C&A phase cycle: Initiation, Verification, Approval, Maintenance, Disposal]