Description of the function and boundaries of the about


Description of the function and boundaries of the about the Hospital, Inc. InfoSec Training Program system.

Instructions

The objective of a Risk Analysis (aka Certification and Accreditation, C&A) of an Information System is to demonstrate to the accrediting authority that everything possible has been accomplished to reduce risk to the IT system to an acceptable level. To do this, an information security specialist (or team) would conduct a complete risk analysis of the system to include vulnerabilities, threats, controls for mitigation, measurements, and any regulatory or policy requirements (governance) for the system.

For this assignment, you are to conduct a risk assessment and document it in a certification package to be presented to the accreditation authority (AA), showing that the system is acceptable to operate in the Organization network. Using the information from projects that you have done in this class, create the C&A package. C&A packages normally include:

1. Cover Page
2. Executive summary describing the system
3. Description of the function and boundaries of the system
4. An extensive review of the vulnerabilities, threats, and threat sources
5. Annual Loss Expectancy (ALE) for each item in 4
6. Identification of mediating controls for each item in 4
7. Description of appropriate effectiveness measurements for each item in 6
8. Plan of Action and Milestones (POAMs) for any unmediated threat
9. A summary statement making a recommendation to the AA to authorize the system to operate (or not).
10. A PowerPoint presentation you would use to brief the AA about the information security posture of the system.

In the end, your C&A package will provide proof that your organization exercised due diligence toward protecting its information assets. You must demonstrate that the system security meets the regulatory and policy requirements and that the controls in place have reduced the risk of operating the system to an acceptable level (or not).

Note: NIST SP 800-37, Rev 1 provides an outline of the entire C&A process. Also use NIST 800-53R3.
