Why you need a System Security Plan (SecPlan)
The NZISM (New Zealand Information Security Manual) classifies an agency’s System Security Plan (SecPlan) as an essential control document for every system within the agency.
The SecPlan describes how the controls derived from the NZISM and from the system's Security Risk Management Plan (SRMP) are implemented and operated within that system. Its objective is to specify the information security measures that apply to the system.
Depending on the documentation framework chosen, details common to multiple systems can be consolidated in a higher-level SecPlan. The NZISM sets out which controls and processes agencies must, or should, include in a SecPlan, including:
- Where an agency chooses to prevent classified information from being stored on non-volatile media, the enforced scrubbing of temporary data at logoff or shutdown.
- Any authorisations, security clearances and briefings required for system access.
- Access requirements for each type of system user, including general users, privileged users, system administrators, contractors and visitors.
Agencies must select the NZISM controls to include in the SecPlan based on the scope of the system, and add any system-specific controls that arise from the system's associated SRMP.