Todd is a new manager at a medical equipment company. He is told that new applications are going to be purchased and that he will be responsible for their functionality and security. Which of the following best describes what Todd should make sure his team carries out?
A. Technical review and certification
B. Certification and accreditation
C. Accreditation and technical review
D. Certification and risk assessment
Explanation:
Accreditation should occur between the implementation and the beginning of operational use of the system or application. This process follows the certification process, which formally or informally tests all the security features to determine if they accomplish the required security needs. Certification is the process of reviewing and evaluating security controls and functionality. It is usually a task assigned to an outside, independent reviewer. The accreditation is the formal acceptance of the system by management and an explicit acceptance of risk. The technical staff understands operational and mechanical issues, and the management staff understands mission, financial, and liability issues.