ABSTRACT

We discussed the authorization process in Chapter 7. It should be remembered that the end result of that process is the issuance of a formally documented approval to operate an information system that has undergone a formal controls assessment. The approval to operate records an independent authorization decision by an approval authority and is a form of contract between the approval authority and the stakeholders of the target system. By standard, the authorization decision document contains the following information [National Institute of Standards and Technology (NIST), 2011]:

1. The authorization decision
2. The terms and conditions for the authorization
3. The authorization termination date
4. Whether the system is or is not authorized to operate
5. Any specific limitations or restrictions on the operation of the information system or inherited controls

The initial system authorization is based on evidence gathered at the time of the initial controls assessment; however, as was stated previously, systems and environments change over time, so an authorization decision made on that evidence does not remain valid indefinitely. There is therefore an ongoing need to ensure that a suitable security response continues to be maintained for the specific threat environment. A formal control-monitoring process is needed, and it must be capable of providing continuous assurance that the control response remains appropriate and sufficient for the known threat environment and consistent with any documented risk acceptance decisions.