What do verification and validation (V&V) and certification and accreditation (C&A) mean? They are indeed jargons, aren’t they?
Take software development project as an example; the software must be verified against solution requirements to confirm if they are implemented correctly, while validated against stakeholder and business requirements to ensure the effectiveness.
Once the software solution is developed, tested, and delivered, it becomes part of the information system as a whole. The information system must be verified (or certified) to ensure it meets the security requirements. The verification report is the objective evidence for the management to accept the residual risks and authorize (accredit) it into operation.
The traditional Certification and Accreditation (C&A) process is transformed into the six-step Risk Management Framework (RMF). Please refer to the latest revision of NIST SP 800-37 for details.
Added on 2020/07/21:
C&A can be applied to IT products (CC), management systems (ISO 27001, ISO 22301, or ISO 9001), engineering/procurement/service capabilities (CMMI), or people competency (CISSP).
Certification is typically conducted by independent or 3rd party through evaluation against agreed standards. The evaluation result is accredited by trusted authorities. C&A is the core element of assurance.
In the private sector, C&A is not quite fit for in-house information systems in most companies. I prefer using V&V. Verifying if the system is implemented correctly by internal team members, and validating if it is implemented effectively to solve users’ problems or meet their requirements and accepted by external users. The system is then authorized (some may use the term, accredited) to operate.
I’d summarize the key concept as follows: C&A is about the product’s trustworthiness, customer’s confidence, and authority’s assurance. V&V is about doing things right (correctness) and doing the right things (effectiveness).
Added on 2020/07/30:
There were various information system certification and accreditation processes across the US federal agencies, such as DITSCAP, DIACAP, NIACAP, NISCAP, and DCID 6/3. Those legacy C&A processes can be confusing because of the diversity and inconsistency across agencies. For example, the obsolete DITSCAP C&A process treated V&V as phases in its C&A process. Thanks to the NIST RMF (SP 800-37 R2), it becomes the latest and unified version of C&A.
The NIST RMF is integrated with the SDLC detailed in NIST SP 800-160 v1, which is aligned with the SDLC introduced in ISO 15288. In other words, terminologies certification and accreditation are not used in the NIST RMF any more. C&A (Certification and Accreditation) is replaced by A&A (Assessment and Authorization) in RMF and V&V (Verification and Validation) in ISO 15288.
I would conclude,
Verification and Validation (V&V) are engineering processes.
Certification and Accreditation (C&A) are formal assurance processes.
Every system should go through V&V, but not every organization requires C&A.
Which of the following provides the most flexible access control?
A. A subject asserting unmarried
B. A subject with the Top Secret clearance
C. A subject with need-to-know
D. A subject assigned to the Admin role
Kindly be reminded that the recommended answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
The recommended answer is A, A subject asserting unmarried.
This question is designed to help you understand the characteristics of the common access control mechanisms as follows:
A subject asserting unmarried ⇒ Attribute-based access control (ABAC)
A subject with the Top Secret clearance ⇒ Mandatory access control (MAC)
A subject with need-to-know ⇒ Discretionary access control (DAC)
A subject assigned to the Admin role ⇒ Role-based access control (RBAC)
Access control mechanism comprises 3 parts: authentication, authorization, and accounting. A subject implies a user or principal completes the identification process and its identity has been authenticated.
A subject’s access to objects must be authorized. ABAC, MAC, DAC, and RBAC can enforce the authorization process.
Attribute-based access control (ABAC)
An entity comes with attributes. For example, a user is an entity with attributes, such as Full Name, Marriage Status, Gender, and Aage, to name a few.
Privileges can be granted by attributes. e.g. Access to the Corporate Bonus Mileage Program, a web page, is granted to those members who are female (gender), married (marriage) and come from Taiwan (nationality).
A subject’s attributes, shaping claims or assertions, are dynamic in nature. It’s the most flexible way among the four mechanisms to implement authorization.
Mandatory access control (MAC)
MAC is based on the subject’s security clearance and the object’s classification level, or label. A security clearance is determined through a formal process. Both security clearance and object label are hard to change.
Discretionary access control (DAC)
DAC is based on the Access Control Matrix, a two-dimension matrix of subjects on the row by objects on the column. A row is a subject’s capability; a column is an object’s access control list.
The granularity of DAC is at the entity level (subject or object). ABAC is at the attribute level.
Role-based access control (RBAC)
As the name suggests, RBAS is based on roles. A role is a named collection of predefined permissions and rights; it usually maps to the organizational structure.
A user assigned a role is automatically granted the predefined permissions and rights. It reduces the administrative burden, unlike that of DAC. As the permissions and rights are predefined, or sometimes hard-coded, it’s not convenient to change them.
The concept of flexibility is not rigidly defined in the question, as the question is designed to help you understand the characteristics of the common access control mechanisms. You can evaluate flexibility in terms of granularity of criteria, convenience to change, and administrative or implementation burden.
Security Governance is highly simplified (almost cut off)
Cyber Warfare and Cyberthreat Information Sharing are introduced
Headings of topic 1.4 (Understand legal and regulatory issues that pertain to information security in a global context) are not adequately organized
Privacy is well explained
Policy is well explained
Business Continuity is well organized and addressed
The explicit official definition of risk from ISC2 is given
Risk Management Concepts are highly simplified in Domain 1, while the primary parts are addressed in Domain 8
Supply Chain is well addressed
Data Governance is introduced
Data Classification and Data Categorization (based on FIPS 199) are distinguished
Asset Classification is addressed
Asset Management Lifecycle based on NIST SP 1800-5a is introduced
Privacy contents are up-to-date
Data Remanence issues are highly simplified
The engineering process is not covered
The engineering architecture is not covered
Security engineering principles and ISO/IEC 19249
Physical Security is simplified, and CPTED is cut off
Emerging authentication technologies are introduced.
Identity Assurance Levels are introduced.
Identity lifecycle is mentioned.
Provisioning is defined.
Contents are well organized and addressed.
Assessment standards and PenTest approach are addressed.
CSA and STAR for security assurance in the cloud are introduced.
KPI and KRI are introduced.
ISO Standards for audits and audit programs are introduced.
Need to Know is clarified.
Information lifecycle based on ISO 27002
Physical Security is highly simplified
Agile is adequately introduced
Application security standards are introduced
Microsoft security development lifecycle is introduced
Trending topics are introduced, such as Microservices and AI
Maturity models are emphasized
Pros and Cons
Matching the CISSP exam outline to the first level of topics in each domain
Smaller in size
No review questions
No appendix for supplement materials or document templates
The Official Risk Definition from ISC2
We finally have the explicit official definition of risk from ISC2. It reads as follows:
“The possibility of damage or harm and the likelihood that damage or harm will be realized.”
But I am not sure if the definition of risk from ISC2 has typos or not, I would revise it as follows:
The possibility of damage or harm and the “magnitude” that damage or harm will be realized.
As a certified professional in ISACA-CRISC and PMI-RMP, I developed my risk management concepts based on the definition from ISO and Dr. David Hillson’s approach, and treat information security as a subdiscipline of risk management.
If you are interested in risk management, please refer to and google the Risk Doctor, Dr. David Hillson for details.
Security is the state or outcome of protecting assets from danger through controls (also called safeguards or countermeasures). Assets are anything of value. Value is anything of importance, significance, or use.
Information Security is a discipline to protect information and information systems from threats through security controls to achieve the objectives of confidentiality, integrity, and availability, or CIA for short.Information is useful data; an information system is a system that converts data into information; a system is a collection of related elements that work together to achieve a common goal. A typical information system comprises such elements as data, computers, operating systems, software, networks, data centers, people, business processes, and so forth. Kindly be reminded that a CISSP is a Certified Information Systems Security Professional.
Risk is the effect of uncertainty on objectives. Risks with positive effects are opportunities, while negative effects are threats. Information Security, which not uncommonly emphasizes addressing threats more than opportunities, is a subdiscipline of risk management.
Strategic Management is one of the most important issues of information security governance which can be divided into strategy formulation and strategy execution.
As a CISO, you have to think strategically to develop the information security strategy and align the InfoSec strategy to the business goals and objectives and the upper-level corporate or business strategy.
Reviewing the mission/vision statement, BCG Matrix, SWOT analysis, Porter’s value chain, and five forces model are useful tools for you to develop the strategy.
After the strategy is crafted, the PMI OPM (Organizational project management) strategy execution framework is an ideal one to implement your strategy. Other frameworks, such as COBIT or ITIL, are alternatives in terms of strategy execution.