Certification and Accreditation in Information Security
Certification and accreditation (C&A) in information security is the process by which an information system is checked against the relevant security requirements before it is put into use in an organization. In other words, the different aspects of the organization's information system are examined for errors relative to the security requirements before the organization begins to use the system. Security control assessment, by contrast, is the evaluation of an information system through testing: the points at which the system's security controls can be implemented are checked, and the system is verified to produce the expected results against the security requirements (Whitman & Mattord, 2011). In many organizations, certification and accreditation has been superseded by the security control assessment approach.
An example would be a medical institution such as a hospital planning to introduce a new system in which patient information will be kept. By law, patient information is protected and is to remain between the doctor and the patient, so the information to be protected is highly sensitive. Using certification and accreditation, the only thing the institution checks is whether the information system is safe and secure for storing data. Using security control assessment, the institution actually tests the information system to check whether its controls can be implemented and to find out whether there is a problem. In addition, this process helps to check whether the information system will meet the required results with respect to information security (Anderson, 2008).
In an AIDS organization, the security control assessment process would be more helpful than certification and accreditation because it performs more functions. Since such an organization holds very private information about patients who may not want to be identified, it requires an information system that can keep that information out of the wrong hands. Security control assessment would change the organization considerably by improving the security of information storage, because the process finds where the errors are and works to remedy them, whereas certification and accreditation, as practised, does not identify where the errors are.
Security control assessment is superior to certification and accreditation because its process contains more informative measures and checks. Additionally, the newer security control assessment approach lets users identify why there is a problem in the security of the information system, whereas certification and accreditation does not help users identify the problems. Lastly, the new approach gives users the opportunity to see the information system working, since security control assessment requires that the information system actually be tested (Whitman & Mattord, 2011), while certification and accreditation does not require the system to be tested. Therefore, the security control assessment approach is superior to the certification and accreditation approach.
In conclusion, the different kinds of information used in an information system need to be protected. This means the information system has to be checked for security before any data is loaded into it, using either certification and accreditation or security control assessment. Both approaches check whether the system is safe for storing data. However, security control assessment is the more credible of the two because it includes more checks and involves testing the system.
Anderson, R. J. (2008). A security policy model for clinical information systems. University of Cambridge Computer Laboratory. Retrieved from http://www.cl.cam.ac.uk/~rja14/Papers/oakpolicy.pdf
Whitman, M. E., & Mattord, H. J. (2011). Principles of Information Security. Clifton Park, NY: Cengage Learning.