A Certification and Accreditation Plan for Information Systems Security Programs (Evaluating the Eff

by Brenda Dinges
Sept. 1, 2017, SANS Institute. Tags: accreditation, c&a, rmf

To ensure the confidentiality, integrity and availability of corporate information systems, each organization must implement a comprehensive Information Systems Security Program (ISSP). Determining the effectiveness of the ISSP requires evaluating each module individually, as well as its relationship to other components. Unilateral analysis, while often necessary due to time and resource constraints, results in a fragmented snapshot of the defenses of the enterprise. Often the non-security community does not fully comprehend the scope, breadth and impact of the ISSP, which can result in either a false comfort level or undue concern over the degree to which their corporate resources are protected. To aid in the management of the plan, an annual calendar of major activities, including due dates, dependencies and responsibilities, should be compiled, maintained and communicated to all parties with accountability for, or participation in, a component of the plan.