ABSTRACT

One’s view of the certification and accreditation program will be driven by perspective and needs. From the perspective of the approving authority, the program may appear to be a means of ensuring that the operation of the system poses no significant risk to the organization. To the system owner, the program may be viewed as a management process that provides assurance that his system is safe from intruders, viruses, and other adverse events. To the security officer, the program may be considered an approach for facilitating the implementation of essential security controls. And to the system administrator, the certification and accreditation program will appear to be a vehicle for defining security requirements and measuring the security posture of the system. The utility of the certification and accreditation program can then be said to be in the eye of the beholder. However, for the program to be effective, the roles and responsibilities of these individuals and others need to be set down in writing to prevent overlap while ensuring that all responsibilities are addressed comprehensively.