SAS (Security Accreditation Scheme)


SAS, which stands for Security Accreditation Scheme, is a framework or process used to assess and accredit the security posture of an information system. It is commonly employed in government, military, and other high-security environments to ensure that systems meet the necessary security standards and are authorized for use.

The purpose of the SAS is to evaluate and manage the risks associated with operating an information system and to provide assurance that adequate security controls are in place to protect sensitive data and prevent unauthorized access. The accreditation process involves the following steps:

  1. System Definition: The first step is to define the information system that requires accreditation. This includes identifying the system's boundaries, its purpose, the data it processes, and the security requirements it must meet.
  2. Security Categorization: In this step, the system is categorized based on the level of impact that a security breach would have on the organization or the information it handles. This categorization is typically done using a risk management framework, such as the NIST (National Institute of Standards and Technology) Special Publication 800-60.
  3. Security Control Selection: Once the system is categorized, appropriate security controls are selected. These controls are measures and safeguards that are implemented to protect the system and its data. The selection of security controls is based on the system's categorization and the specific security requirements.
  4. Security Control Implementation: The selected security controls are then implemented within the information system. This involves configuring hardware and software components, establishing security policies and procedures, and deploying various technical and administrative controls.
  5. Security Control Assessment: After the implementation of security controls, an assessment is conducted to determine whether the controls are functioning effectively and meeting the desired security objectives. This assessment typically includes security testing, vulnerability scanning, and penetration testing.
  6. Risk Determination: Based on the results of the security control assessment, the risks associated with the information system are determined. This involves identifying vulnerabilities, assessing the likelihood and impact of potential security incidents, and evaluating the overall risk posture.
  7. Accreditation Decision: The accreditation decision is made based on the risk determination and the organization's risk tolerance. The decision is typically made by an accrediting authority, which could be an individual or a committee responsible for authorizing the use of the information system.
  8. Continuous Monitoring: Once the system is accredited, it is important to continuously monitor the system's security posture to ensure that the implemented controls remain effective and that any new vulnerabilities or risks are promptly addressed. This involves regular security assessments, audits, and ongoing security management activities.

The SAS provides a structured and systematic approach to security accreditation, helping organizations ensure that their information systems meet the necessary security requirements. It helps establish a level of trust in the system's security and ensures that sensitive information is protected from unauthorized access or disclosure.