• The legacy NIST SDLC introduced in NIST SP 800-64 R2 has been withdrawn on May 31, 2019.
• NIST SP 800-160 V1 is the current information about the system life cycle (SLC) processes (aligned with ISO 15288) and systems security engineering.
• NIST SP 800-37 R2 relates risk management (at the information systems level) to system development life cycle (SDLC) processes and stages.

Continue reading →

AICPA SSAE 18

Statement on Standards for Attestation Engagements 18

In addition to complying with this section, a practitioner is required to comply with section 105, Concepts Common to All Attestation Engagements, and section 205, Examination Engagements.

• 100 Common Concepts
  • 105 Concepts Common to All Attestation Engagements
• 200 Level of Service
  • 205 Examination Engagements
  • 210 Review Engagements
  • 215 Agreed-Upon Procedures Engagements
• 300 Subject Matter
  • 305 Prospective Financial Information
  • 310 Reporting on Pro Forma Financial Information
  • 315 Compliance Attestation
  • 320 Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting
  • 395 [Designated for AT Section 701, Management’s Discussion and Analysis
    (AICPA, Professional Standards)]

Continue reading →

The diagram demonstrates the ISO assurance system in terms of management systems. The following are common management systems:

• Quality Management System (QMS, ISO 9001)
• Environmental management systems (EMS, ISO 14001)
• Food Safety Management System (FSMS, ISO 22001)
• Business Continuity Management System (BCMS, ISO 22301)
• Information Security Management System (ISMS, ISO 27001)
• Occupational health and safety management systems (OHSMS, ISO 45001)

Continue reading →

Really pleased to know my book, The Effective CISSP: Security and Risk Management, is ranked as the No. 1 of the 15 Best New Security Certifications eBooks To Read In 2020 by BookAuthority.

Farewell, Mr. Democracy!
Deeply sorry to lose you! RIP!

Source: Yahoo News

I added more information about the confusing C&A process into the post, Jargons: V&V and C&A. The newly added materials are included as follows.

Added on 2020/07/30:

There were various information system certification and accreditation processes across the US federal agencies, such as DITSCAP, DIACAP, NIACAP, NISCAP, and DCID 6/3. Those legacy C&A processes can be confusing because of the diversity and inconsistency across agencies. For example, the obsolete DITSCAP C&A process treated V&V as phases in its C&A process. Thanks to the NIST RMF (SP 800-37 R2), it becomes the latest and unified version of C&A.

• CISSP PRACTICE QUESTIONS – 20200623 has detail.

The NIST RMF is integrated with the SDLC detailed in NIST SP 800-160 v1, which is aligned with the SDLC introduced in ISO 15288. In other words, terminologies certification and accreditation are not used in the NIST RMF any more. C&A (Certification and Accreditation) is replaced by A&A (Assessment and Authorization) in RMF and V&V (Verification and Validation) in ISO 15288.

References

• CISSP PRACTICE QUESTIONS – 20200623
• Jargons: V&V and C&A