Assessments & Authorizations
Federal agencies are required by law to undergo a detailed and systematic security assessment process to demonstrate compliance with security standards. This process is known as the assessment and authorization, which gives government agencies and commercial vendors greater assurance that their shared data are stored and processed on a secure and reliable system. Similarly, the assessment and authorization process can be implemented on universities’ systems to give students and scholars greater assurance that their sensitive personal and research data are processed securely.
Prior to exchanging data between federal agencies, Chief Information Security Officers (CISOs) generally ask for the accreditation letter that declares the security categorization of the system. CISOs then determine if the system is safe to store or process data at specific security levels. Likewise, universities should adhere to this security categorization policy prior to exchanging information with other universities.
Assessment and authorization is a two-step process that ensures the security of information systems. Assessment is the process of evaluating, testing, and examining security controls that have been pre-determined based on the data type in an information system.
The evaluation process compares the current system’s security posture with specific standards. The assessment process ensures that security weaknesses are identified and that plans for mitigation strategies are in place. Authorization is the process of accepting the residual risks associated with the continued operation of a system and granting approval to operate for a specified period of time.
Our process for Assessment and Authorization (A&A) places the initial focus on boundary definitions, definition of roles and responsibilities, and security categorization based upon data types and sensitivity.
After conducting a comprehensive risk assessment, our team is able to develop system security plans that explain who, what, how, and how often for each security control (leveraging common or inherited controls where possible).
Ongoing assessment and authorization, often referred to as continuous monitoring, is part of the overall risk management approach for information security. A key part of the process determines whether the set of deployed security controls in an information system remains effective in light of planned and unplanned changes that occur in the system and its environment over time. Security-related information collected through continuous monitoring is used to make recurring updates to your company’s overall security suite.