4 Certification and Accreditation Process

4-1 Phase 1 — Initiate and Plan

4-1.1 Objectives

4-1.2 Deliverables

4-1.3 Roles and Responsibilities

4-1.4 Activities

4-1.4.1 Register Information Resource in Enterprise Information Repository

4-1.4.2 Hold Certification and Accreditation Meeting

4-1.4.3 Assign Information Systems Security Representative

4-2 Phase 2 — Requirements

4-2.1 Objectives

4-2.2 Deliverables

4-2.3 Roles and Responsibilities

4-2.4 Activities

4-2.4.1 Review Documentation

4-2.4.2 Document Application Characteristics

4-2.4.3 Conduct Business Impact Assessment

4-2.4.4 Update Plan of Action and Milestones and Enterprise Information Repository

4-3 Phase 3 — Design

4-3.1 Objectives

4-3.2 Deliverables

4-3.3 Roles and Responsibilities

4-3.4 Activities

4-3.4.1 Analyze Requirements

4-3.4.2 Develop Network Architecture Diagrams

4-3.4.3 Document Security Specifications

4-3.4.4 Identify Potential Security Controls

4-3.4.5 Select/Design Security Controls

4-3.4.6 Develop Security Plan

4-3.4.7 Conduct Site Security Review

4-4 Phase 4 — Build

4-4.1 Objectives

4-4.2 Deliverables

4-4.3 Roles and Responsibilities

4-4.4 Activities

4-4.4.1 Develop, Acquire, and Integrate Information Security Controls

4-4.4.2 Harden Information Resources

4-4.4.3 Develop Standard Operating Procedures

4-4.4.4 Develop Operational Security Training Materials

4-4.4.5 Incorporate Security Requirements in Service Level Agreements and Trading Partner Agreements

4-4.4.6 Register Information Resources in eAccess

4-4.4.7 Initiate Contingency Planning

4-4.4.8 Identify Connectivity Requirements

4-5 Phase 5 — System Integration Testing

4-5.1 Objectives

4-5.2 Deliverables

4-5.3 Roles and Responsibilities

4-5.4 Activities

4-5.4.1 Develop Security Test and Evaluation Plan

4-5.4.2 Conduct Operational Security Training

4-5.4.3 Complete Contingency Planning

4-6 Phase 6 — Customer Acceptance Testing

4-6.1 Objectives

4-6.2 Deliverables

4-6.3 Roles and Responsibilities

4-6.4 Activities

4-6.4.1 Conduct Security Code Review

4-6.4.2 Conduct the Security Test and Evaluation

4-6.4.3 Conduct Vulnerability Scans

4-6.4.4 Conduct Penetration Test

4-6.4.5 Conduct Independent Reviews

4-6.4.6 Assess Risks

4-6.4.7 Conduct Risk Assessment and Develop Risk Mitigation Plan

4-6.4.8 ISSO Evaluates C&A Documentation

4-6.4.9 ISSO Prepares C&A Evaluation Report

4-6.4.10 ISSO Escalates Security Concerns or Forwards C&A Package

4-6.4.11 Certifier Escalates Security Concerns or Certifies Information Resource

4-6.4.12 Accreditor Escalates Security Concerns or Accredits Information Resource

4-6.4.13 VP IT and VP Functional Business Area Prepare and Sign Risk Acceptance Letter (if Required)

4-7 Phase 7 — Governance Compliance

4-8 Phase 8 — Release and Production

4-8.1 Objectives

4-8.2 Deliverables

4-8.3 Roles and Responsibilities

4-8.4 Activities

4-8.4.1 Data Conversion

4-8.4.2 Deploy Information Resource

4-8.4.3 Operate Information Resource

4-8.4.4 Test Information Resource Contingency Plans

4-8.4.5 Maintain Information Resource

4-8.4.6 Reassess Risks and Upgrade Security Controls

4-8.4.7 Monitor Operations and Enhance Security Posture

4-8.4.8 Periodically Test Security Controls

4-8.4.9 Update Certification and Accreditation Documentation Package

4-8.4.10 Re-initiate C&A as Required

4-9 Phase 9 — Retire

4-9.1 Objectives

4-9.2 Deliverables

4-9.3 Roles and Responsibilities

4-9.4 Activities

4-9.4.1 Dispose of Sensitive-Enhanced or Sensitive Data

4-9.4.2 Dispose of Equipment and Associated Electronic Storage

4-9.4.3 Retire Information Resource