Development and maintenance of security documentation
Security documentation supports the accurate and consistent application of security policies and procedures. It is important that security documentation is developed by personnel with a good understanding of security matters, the technologies being used and the business requirements of the organisation and system owners.
The System Security Plan (SSP), Standard Operating Procedures (SOPs) and Incident Response Plan (IRP) form a documentation suite for a system; it is essential that they are logically connected and consistent. Furthermore, it is important that security documentation for systems is logically connected to organisational-level security documentation such as a cyber security strategy.
Security documentation may be presented in a number of formats including dynamic content such as wikis, intranets or other forms of document repositories.
Security Control: 0039; Revision: 4; Updated: May-19; Applicability: O, P, S, TS; Priority: Must
A cyber security strategy is developed and implemented for the organisation.
Approval of security documentation
If security documentation is not approved, personnel will have difficulty ensuring appropriate security policies and procedures are in place. Having approval not only assists in the implementation of security policies and procedures, but also ensures personnel are aware of cyber security issues and security risks. As such, it is important that once security documentation has been approved it is published and communicated to all personnel.
Security Control: 0047; Revision: 4; Updated: May-19; Applicability: O, P, S, TS; Priority: Should
Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer.
Maintenance of security documentation
Threat environments are dynamic. If security documentation is not kept up to date to reflect the current threat environment, security controls and processes may cease to be effective. In such a situation, resources could be devoted to areas that have reduced effectiveness or are no longer relevant.
Security Control: 0888; Revision: 5; Updated: May-19; Applicability: O, P, S, TS; Priority: Should
Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement.