ABSTRACT

Certification would be a much simpler process if there were no interconnections between systems to worry about. In the days of centralized mainframe processing, it was an easy task to determine the certification scope and the boundaries of the security perimeter. Since those days, however, the definition of what is to be certified has become clouded by the growing interconnectivity among an increasing number of systems. Because these systems share sensitive information, system owners have to be concerned about the interconnected systems and about how security controls are implemented there to protect their data. It is nearly always impractical to draw the scope large enough to include these interconnected systems in a single certification. Therefore, an alternative approach must be identified.