SSCP Study Guide and DVD Training System

Security is like most industries with regard to the specific terms used every day to describe both activities and characteristics of processes, solutions, and procedures. Although some of the terms seem to be common sense, there are still small differences between the most common uses of a word and the use of the word in relation to network or computer security. Some of the most common terms that a security engineer encounters are:

• Acceptance   Acceptance designates that a system has met all security and performance requirements that were set for the project. Performance standards have been met and technical guidelines were followed correctly. The term acceptance means the system has met all of these criteria and can be adopted into an operational environment.

• Accreditation   Accreditation refers to the designation of a system as safe to use based on a set of security guidelines. This is based on knowledge that the system uses certain measures and safeguards to protect the information in the system. All risks associated with the system is said to be understood and accepted. Accreditation is most often the result of a certification process.

• Certification   The certification process is an in-depth evaluation of the computer system to determine if the system operates securely. Certification includes both technical and non-technical assessments of the system and is used to determine if the system meet predetermined regulations, standards, or guidelines. Results of a certification process include the extent to which a computer system meets or fails to meet these guidelines.

• Assurance   Assurance is a term used to define the level of confidence in a system. System controls, security characteristics, and the actual architecture and design of the system are all pieces of assurance. Systems that have a high level of assurance are said to address security concerns in an adequate fashion. Systems with a low level of assurance are considered less trustworthy because some security concerns are not adequately addressed with the implemented security controls.

Acceptance designates that a system has met all security and performance requirements that were set for the project. Performance standards have been met and technical guidelines were followed correctly. We use the term acceptance to mean the system has met all these criteria and can be adopted into an operational environment.

As an example, the DoD requires a stringent certification process that leads to the accreditation and acceptance of any new operational information system based on the assurance that the system is safe to use. When the development process begins for the new system, security and functional requirements are laid out by all individuals and groups involved in the development and eventual use of the system. Once the system is built, the certification process begins to test the system for all security and functional requirements. If the new system meets all the requirements, it becomes accredited. Accredited systems are then accepted into the operational environment because they are proven to meet the required security and functional guidelines. This acceptance is because the owners and users of the system now have a reasonable level of assurance that the system will perform as intended, both functionally and from a security perspective.