Definitions

Certification and Accreditation

Certification and Accreditation (C&A) is the culminating step in the process of finding an appropriate balance between acceptable levels of risk and costs of operating an information system. This process is widely used in the federal government and international commercial industry. It is a systematic method for analyzing, testing and authorizing an information system to operate within a desirable security framework. C&A provides information to the system owner to determine whether the risks involved in running a system outweigh the benefits received from it.

Taranet evaluates the technical and non-technical security features of an IT system for compliance with security requirements and assesses operating risk. We test data protection levels, applications, networks, and facilities.


Confidentiality, Availability, and Integrity

Confidentiality is the assurance that only authorized individuals and organizations can gain access to valued information. Breaches of confidentiality occur when data is handled improperly. This can happen intentionally or accidentally, by word of mouth, by e-mail, or through printer and copier misuse.

Availability is the assurance that data is there for those who need it, when they need it. Acceptable downtime levels are identified and parameters are set for compliance levels.

Integrity is the assurance that data has not been altered without the data owner’s knowledge or consent; the data, as entered, has not been tampered with, changed, or modified.

Taranet analyzes your information systems and networks to ascertain threats, vulnerabilities, and associated risks to data confidentiality, integrity, and availability. Once weak areas are identified, Taranet develops effective mitigation strategies or recommends system modifications.


Independent Verification and Validation (IV&V)

IV&V determines the capability of an information system to meet identified requirements and establishes the operational configuration’s compliance with minimum security standards. The objectivity provided by an independent evaluator increases confidence in the accuracy of the risk analysis.

During the design and development of an information system, Taranet verifies through periodic testing that required security features are effectively incorporated into the system design. Early identification of features that cannot support the required compliance levels allows time for system modifications. When system development reaches initial operational capability, Taranet runs validation tests to confirm that the system is installed, configured, and implemented in accordance with baseline security requirements.


Information Systems Security Engineering (ISSE)

Information Systems Security Engineering (ISSE) is the incorporation of security controls into IT systems during the design, development, and integration stages. It is the safeguard that ensures the security features of the final design and of the operational system will protect the confidentiality, availability, and integrity of data.

Taranet provides ISSE consulting during the design, development, and integration of applications and networks to confirm that the final design complies with the identified security requirements.


Penetration Testing

Penetration testing is a controlled attack on an information system, conducted so that system vulnerabilities can be discovered and rectified before they are exploited. A tester challenges the current system architecture by simulating an intrusion.

Taranet identifies weak aspects of your information system that may be used by an attacker to gain unauthorized access. We ask the “tough questions” of your information system. Where are your weaknesses? Where are your shields down? Where is the intruder most likely to sneak in? Will you even know he came?
