Systems Certification and Accreditation

Terms in this set (26)

Chief Information Officer
• The Chief Information Officer (CIO) has the following responsibilities related to information security measurement:
• Using information security measures to assist in monitoring compliance with applicable information security requirements;
• Using information security measures in annually reporting on effectiveness of the agency information security program to the agency head;
• Demonstrating management's commitment to information security measures development and implementation through formal leadership;
• Formally communicating the importance of using information security measures to monitor the overall health of the information security program and to comply with applicable regulations;
• Ensuring information security measurement program development and implementation;
• Allocating adequate financial and human resources to the information security measurement program;
• Reviewing information security measures regularly and using information security measures data to support policy, resource allocation, budget decisions, and assessment of the information security program posture and operational risks to agency information systems;
• Ensuring that a process is in place to address issues discovered through measures analysis and taking corrective actions such as revising information security procedures and providing additional information security training to staff; and
• Issuing policy, procedures, and guidelines to officially develop, implement, and institute measures.
Senior Agency Information Security Officer
• Integrating information security measurement into the process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the agency;
• Obtaining adequate financial and human resources to support information security measurement program development and implementation;
• Leading the development of any internal guidelines or policy related to information security measures;
• Using information security measures in support of the agency CIO's annual reporting to the agency head on the effectiveness of the agency's information security program, including progress of remedial actions;
• Conducting information security measures development and implementation;
• Ensuring that a standard process is used throughout the agency for information security measures development, creation, analysis, and reporting; and
• Using information security measures for policy, resource allocation, and budget decisions.

Program Manager/Information System Owner
• Participating in information security measurement program development and implementation by providing feedback on the feasibility of data collection and identifying data sources and repositories;
• Educating staff on the development, collection, analysis, and reporting of information security measures and how it will affect information security policy, requirements, resource allocation, and budget decisions;
• Ensuring that measurement data is collected consistently and accurately and is provided to designated staff who are analyzing and reporting the data;
• Directing full participation and cooperation of staff, when required;
• Reviewing information security measures data regularly and using it for policy, resource allocation, and budget decisions; and
• Supporting implementation of corrective actions, identified through measuring information security performance.

Information System Security Officer
• Participating in information security measurement program development and implementation by providing feedback on the feasibility of data collection and identifying data sources and repositories; and
• Collecting data or providing measurement data to designated staff that are collecting, analyzing, and reporting the data.