The difference between the Orange Book and the DITSCAP is that the Orange Book relies on the information that comes from the software within the computer information systems in order for those systems to perform their tasks and achieve their intended objectives (Lee, 1999). DITSCAP, on the other hand, provides a basis for assessing the security of the information systems within organizations, business firms, individuals and other private firms that support the firm.
However, DITSCAP is less efficient than it could be because it lacks a combined certification and accreditation framework tool. Used alone, DITSCAP can be a very tiring process for the user, as it involves numerous cross checks of policies and requirements. The complex, overlapping relationships among these diverse types of information hinder a person's ability to understand, generate, assemble and protect the systems (Lee, 1999).
In other words, DITSCAP defines the process to be used, the activities to be undertaken, a description of those activities, and the type and method of the management structure to be followed during the certification and accreditation of the information technology systems that provide the necessary security to the computers. The aim of this process is to ensure that the security process in use gives the best security to the computers throughout their lifecycle.
The DITSCAP certification process comprises four phases. The first phase is the definition phase. It involves understanding the organization, the environment the organization operates in, and the organization's architecture, which together help to identify the type of security required and the effort the organization must make to achieve accreditation (Lee, 1999).
The second phase, the verification phase, involves an analysis of how the security systems have evolved or been modified in order to comply with the System Security Authority Agreement (SSAA). The organization uses the SSAA to reach a modified and binding agreement before any development of the system begins or before any change is made to it. After the system is accredited, the SSAA becomes the basis for the security configuration document. The third phase, the validation phase, ensures that the information system is fully integrated as was earlier agreed in the SSAA.
The fourth phase, the post-accreditation phase, sets out the activities necessary for the accredited information system to continue operating in its computing environment and to meet the challenges it may face throughout its life cycle (Lee, 1999). The certification levels relate to the graduations defined within the Orange Book in that the certification and accreditation processes are interrelated and feed back into the earlier phases when necessary (Wong and Yeung, 2009).
Each of these phases has activities that must be undertaken, and each activity has a series of tasks that must be carried out depending on the requirements. Each task has inputs, which represent the type of information needed to complete that task, and outputs, which are the product of the task or information that may also serve as an input to subsequent tasks.
The certification and accreditation process has to be expanded in order to give more information about each stage and to ensure that staff understand their role in the certification team. The value of the "Minimal Checklist" contained in Appendix 2 of the DITSCAP application manual is that it establishes the criteria to be used for certification and accreditation by giving guidance on the required effort and other factors related to the system. Assurance refers to the confidence that the security features, characteristics and functions of these features provide in enforcing the security policy.
Assurance can be established for the business, for the components and for the security systems. Certification therefore provides assurance about a given system in relation to its environment, whereas accreditation shows whether the impacts linked with the system are weak, tolerable, or cannot be accepted at all (Wong and Yeung, 2009).

References

Lee, S. E. (1999). Essays About Computer Security. Cambridge.

Wong, A. and Yeung, A. (2009). Network Infrastructure Security. Springer.