Introduction to Accreditation

This one day 'Introduction to Accreditation' course is intended to provide delegates with the knowledge needed to understand the principles of accreditation and how an effective accreditation process can be implemented within an organisation. The course concentrates on generic accreditation requirements needed to deliver effective risk management and is not aimed at specific accreditation methodologies in any one government organization.

The course is related to the 'Foundations of Information Assurance for HMG' course and the 'Information Assurance Risk Management for HMG' course also provided by QA. This courses contributes to the attainment of the CESG Certified Professional Scheme (CCPS) and the following specific CCP roles at the Practitioner level.

The course is not designed to teach the foundations of Information Assurance or how to accredit specific systems or scenarios, although there are some real life examples provided with the opportunity to discuss other situations.

Target Audience

This is a one day course aimed at those wishing to gain an understanding of accreditation as part of an effective risk management function. The course will be useful for newly appointed Accreditors, for project managers delivering capabilities involving sensitive HMG data and risk managers seeking to gain further insights into the process.

Support for CESG Certified Professional

This course contribute to the attainment of the CESG Certified Professional Scheme (CCPS) and the following specific CCP roles at the Practitioner level:

Security and Information Risk Advisor, IA Auditor, Accreditor, IT Security Officer, Security Architect and Penetration Tester.

The course supports CCP Level 1: Awareness (understands the skill and its application). It provides skills against the following competencies used in the CCP assessment process:

A1: Governance,

A2: Policy and Standards,

B1: Risk Assessment,

B2: Risk Management,

D1: IA Methodologies,

G1: Audit and Review.

IISP Skills Alignment

This course is aligned to the following Institute of Information Security Professionals (IISP) Skills. More details on the IISP skills framework can be found here.

A1, A2, A6, B1, B2, D1

Continuous Professional Development (CPD)

CPD points can be claimed for GCT accredited courses at the rate of 1 point per hour of training for GCHQ accredited courses (up to a maximum of 15 points).

Prerequisites

This course is suitable for recently appointed accreditors who have limited experience in the role. Delegates should have attended the ''Foundations of Information Assurance for HMG' or have an equivalent level of knowledge. Ideally they should also have completed 'Information Assurance Risk Management for HMG', although an overview of this is provided in the Accreditation course.

Students should also have familiarity with HMG security policy.
Recommended pre-reading: The latest version of the Security Policy     Framework.

Delegates will learn how to

At the end of this course you will be able to:

Understand what accreditation is.
Understand what risk is, its components and how it can be managed.
Understand how accreditation is an integral part of risk management and how it can be delivered.
Use techniques and tips to be an effective Accreditor.

Outline

Module 1 - Understanding Accreditation

The objective is to provide the delegates with an understanding of what accreditation is and what it is not. It will cover what is expected from the accreditation process and why it can be a crucial element of risk management within an organisation.

The course will explain the benefits of accreditation covering areas of strength and weakness and the building blocks that an organisation needs to put in place to assist the accreditation process.

Delegates will also learn about the role of an Accreditor and how this is linked to the risk management process.

Module 2 - Understanding Risk

The objective of this session is to ensure that the delegates have a common understanding of the risk management process covered in detail on the Information Assurance Risk Management course.

The course will cover the risk management principles and terminology so that delegates understand how accreditation is a vital part of risk management.

The risk management approach - including the role of the Board in setting risk levels that match the business requirements.
The key components of risk (threat, vulnerability, impact, likelihood & asset value).
Choosing a risk assessment approach that meets the organisation's needs.
Defining security requirements.
Treating and communicating residual risk.

Module 3 - Delivering Accreditation

The objective of this session is to provide delegates with an understanding of how the accreditation process can align with the project delivering process and the benefits of introducing assurance checks during the project lifecycle.

The need for early engagement with the Accreditor to ensure that requirements are understood.
Understanding the balance between business benefit and risk.
The reasons for defining security requirements clearly.
The importance of defining assurance mechanisms early in the system lifecycle to avoid greater costs.
Documenting and communicating decisions.
The reasons to maintain accreditation.

Module 4 - Accreditation Tips

The objective of this session is to introduce different techniques that have proved useful in delivering accreditation. Delegates will learn about setting accreditation boundaries and defining data flows to help determine vulnerable points in an architecture. The session also includes tips on making the most of internal processes and procedures and how to be an effective accreditor.

The role of security models & data flow diagrams.
How to make use of organisational internal processes and roles that can support the accreditation process.
The different types of accreditation decisions and how they are arrived at. To include the role of the Security Case.
What skills and attributes the Accreditor needs.
What the requirements of the CCP Accreditor role are.
Common mistakes in accreditation and how to avoid them.