The documentation of an information system is a communication, control and monitoring component of the project in phases such as development, operation and maintenance. It eases the tracking of a project and communication with the people associated with the project. Information security documents can also be defined as the set of an organisation’s cyber security policies, procedures, guidelines and standards. These documents ensure the confidentiality, integrity and availability of your client and customer data through effective security management practices and controls, which are critical to proactively protecting data while maintaining compliance with both regulatory and customer requirements. Effective information system documentation enables an organisation to plan more effectively and make better security and operational decisions.
Unfortunately, with agile software/system development techniques, security documentation tends to be the last thing considered when creating a new system or product. A drift in process and workflow often results in systems that contain security vulnerabilities and documentation that is incomplete, that fails to meet the standards of an IRAP assessor or to support the issue of an Authority to Operate (ATO) at the implementing organisation, or that is missing entirely.
Due to today's threat landscape and geo-political environment, many organisations will no longer operate a system without the full suite of security artefacts and design documents. Therefore, it is important to incorporate the process of developing information system documentation at the design and development phase to achieve best results.
Good documentation makes information easily accessible, provides a limited number of user entry points, helps new users learn quickly, simplifies the product and helps cut support costs. The presence of documentation not only helps in tracking all phases of an application but also brings in innovative ideas to improve the quality of a software product, since the documentation itself can be analysed.
If you are an Australian government agency or want to supply systems or software to one, you must comply with the security controls outlined in the Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF). This includes the development and maintenance of security documentation, specifically a system security plan, incident response plan, continuous monitoring plan, security assessment report, and plan of action and milestones. These support the accurate and consistent application of policies, processes and procedures for systems.
Let's face it: developing good security documentation that is IRAP- or ATO-worthy is a long and laborious process that not many people like doing. At Adapt Cybersecurity, we love doing this. Our staff have each produced dozens of security documentation suites for federal government agencies, so they know exactly what assessors want and need in order to successfully obtain IRAP certification or an ATO.
Adapt Cybersecurity will:
Your allocated Adapt Cybersecurity consultant will liaise with the organisation's ITSA, Project Manager, system developers and other stakeholders to elicit information about the system and provide a weekly update/progress report to the Project Manager detailing any blockages or issues. You will be made aware of any serious non-compliances as soon as they are uncovered.
If you do not have an IRAP assessor in place, we can help you locate one, ensuring the required level of independence.
Copyright © 2022 Adapt Cybersecurity - All Rights Reserved.