For public sector organisations or suppliers required to achieve formal accreditation for their ICT systems, early engagement is key. The Accreditor role is crucial to ensure business risks are determined and the requirements for security controls to manage these risks are agreed as soon as possible.
For those organisations new to the mysterious world of accreditation, their relationship with the Accreditor can be confusing at first.
Is the Accreditor an all-knowing demi-god of security information sitting in an ivory-clad tower whose word is final and beyond reproach? Or, is he part of the team charged with ensuring that risks to government ICT systems are adequately managed?
Of course, the latter is true, but the Accreditor’s role is not always easy to understand as it covers so many different aspects of information security.
To make more sense of the role, I think a football referee analogy comes in useful . Like a referee, an Accreditor plays an impartial role to ensure the rules of the game are met without bias. A referee does not determine the rules and neither does an Accreditor set policy. They are both responsible for understanding the rules and making balanced decisions based on the evidence presented to them. For example, a referee can only take appropriate action if a foul is actually witnessed. Equally, an Accreditor can only make an accreditation decision if all the evidence is presented.
Here are a few more similarities.
Why Accreditors are like referees:
- A referee enforces the rules of the game. An Accreditor ensures that security solutions are in compliance with security policy.
- A referee is responsible from start to end. An Accreditor is responsible from the very beginning of a design, through implementation and operations and through to final disposal.
- A referee issues verbal and formal warnings. An Accreditor provides warnings where designs are not in compliance with policy.
- A referee has assistants to enforce compliance. An Accreditor can call on the assistance of others – example would be a Security Assurance Co-ordinator or CHECK team.
- A referee cannot make a decision based on hearsay no matter how convincing the argument if a foul is not seen, then it cannot be given. An Accreditor can only make a decision based on the evidence presented.
- A referee has some scope to interpret the rules of the game and are issued guidelines to help. An Accreditor may have some leeway to interpret policy requirements based on business benefits.
- A referee keeps time. An Accreditor ensures that security requirements are produced and implemented.
- A referee does not pick the teams. An Accreditor does not select security controls.
- A referee does not decide the team formation. An Accreditor does not design security solutions.
- A referee does not buy new players. An Accreditor does not fund security solutions or testing.
- A referee does not determine the rules of the game. An Accreditor does not set policy.
- A referee does not carry out investigations. An Accreditor does not conduct audits or compliance testing.
- A referee does not select the substitutes. An Accreditor does not offer alternative solutions.
If you want to get the most from the process it’s good to set your expectations of the accreditation process correctly and have a clear understanding of exactly what the role involves – where the Accreditor’s responsibilities lie and where they don’t. Let me know if the analogy helps.