(ISC)² amends CAP credential

08 June 2010

Updated federal information security guidelines, currently in their draft form, are being proposed by the National Institute of Standards and Technology. In response to the proposed revisions, (ISC)² has revamped its CAP credential in alignment with the guidelines, including an increased emphasis on continuous monitoring.

The NIST Computer Security Division issued a draft revision of its guide for Applying the Risk Management Framework to Federal Information Security Systems in February 2010 and opened the revised document for industry comment. The non-profit information security certification body (ISC)² has therefore updated its Certification and Accreditation Professional (CAP) credential to reflect the new NIST guidelines.

The body has changed the name of this credential, effective immediately, to “Certified Authorization Professional”, and has expanded core areas of concentration from four to seven. According to (ISC)²: “In an effort to map to the new NIST approach...the new CAP remains the same at its core but places stronger emphasis on the underlying methodologies and processes associated with the harmonized security authorization process, including continuous monitoring.”

“(ISC)² routinely reviews all of its credentials to ensure that they adhere fully to the current regulatory environment and security culture”, explained W. Hord Tipton, executive director of (ISC)² and former CIO of the Department of Interior. “We felt it critical to update the name and domains of CAP to align with current requirements, technology and thinking.”

For existing CAP-holders, nothing will change, Tipton stressed. “The CAP designation will continue to validate that the credential holder can see the bigger picture and assure that all components of system security are in place in order to achieve the fundamental goal of security compliance with sufficient controls and monitoring.”

“Someone must be accountable throughout the lifecycle of the system”, he added.

Tipton noted that the new NIST guidance outlines the integral role that continuous monitoring plays in the risk framework but also stresses that monitoring security controls is only one piece of a larger, integrated process. “The new NIST guidance reemphasizes the reality that all other critical system requirements must be in place in order to achieve complete security compliance.”

For this reason, Tipton said: “A CAP-holder fully understands the entirety of the systems security authorization lifecycle – not just one technical piece of it.”

(ISC)² is also providing a FAQ page for further information on the CAP changes.
