
Authorization and Accreditation


The organization's risk management framework offers structured information and a process to help the company identify, assess, and take steps to reduce risks to a reasonable level. The E-Government Act requires organizations to protect their information technology and information systems that support their assets and operations (Jain & Zhang, 2012). This paper looks at how the organization will plan, implement, and manage its risk management steps. The Risk Management Framework comprises six steps, as summarized in the following diagram.

Risk Management Steps

Approach to Implementation

To implement the first step, the organization will need to categorize the information systems, as well as the information being stored, processed, and transmitted by the system. This will be based on the possible effect on the company if events take place that put the information and the system at risk. The organization will assign a security effect value (high, low, or moderate) for the security goals of integrity, availability or confidentiality (Bowden & Martin, 2011).

This will relate to the information systems and information the company requires for achieving its mission, fulfilling its legal responsibilities, maintaining its daily functions, and protecting its individuals and assets. The categorization of security standards for information systems and information will provide a common understanding and framework for documenting the possible effect on individuals or organizations in case of a security breach to an information system or information. The organization's information system and information will help the company identify the security category of its information system.

The process of categorization will likewise promote consistent reporting and effective management of information systems (Jain & Zhang, 2012). In implementing the second step, the organization will identify an appropriate class of security controls for its information system after it has already determined its security categorizations. The E-Government Act specifies that companies meet the minimum requirements of security by choosing an appropriately tailored class of baseline security controls.

This will be based on assessing risks and local conditions such as the company's security requirements, cost-benefit analysis, threat information, and special circumstances. In a move to overcome minimum security requirements, the company will select appropriate security controls (Jain & Zhang, 2012). This will help the company protect its information systems according to its business requirements and mission. It will determine an initial set of security controls based on the effect analysis conducted previously. The company will supplement and tailor the selection of baseline security controls.

This will be based on the company's assessment of risks. Security controls must be implemented within the information system. The organization will configure security checklists and present information about their benefits. Further, the management will give information on how to use, locate, and retrieve the checklists. Security setting checklists will be useful tools, developed to guide the IT department and security personnel in the selection of effective security settings (Bowden & Martin, 2011). This will diminish the risks while protecting the information systems from attacks.

Sometimes, a checklist is also known as a lockdown guide or a benchmark, as it entails a set of instructions to configure an IT product to a company's operational environment. A checklist will be effective in minimizing vulnerabilities to the information system, particularly for the company as it has limited resources. Next, the company will assess its security controls by using proper procedures and methods to establish the extent to which the controls have been correctly implemented.

This will also seek to establish whether controls are operating as intended and generating the desired outcomes with respect to achieving the security prerequisites for the system. This step demands useful information regarding security controls in organizations. The company will cover all the necessary continuous control and monitoring of its information system. This will be achieved through building an effective security assessment plan and managing assessment results (Gantz & Philpott, 2013).

This will give the organization the desired flexibility in supplementing and tailoring the principal assessment process to be consistent with the characteristics of the information system under assessment. While providing flexibility in developing security assessment plans, it will also help the company attain consistency in assessments by applying uniform assessment procedures and a formal assessment framework. The fifth step is authorization.

This step will be implemented based on the determination of the risks to the company's assets, operations and persons stemming from the operation of the information system and establishing that the risks are acceptable. The management will discuss decisions leading to the authorization of operations of the information system, company assets, and acceptance of the risks to the company operations based on implementation of a.

Cite This Paper
"Authorization And Accreditation" (2013, October 25) Retrieved April 22, 2026, from
https://www.paperdue.com/essay/authorization-and-accreditation-125531