ICT System Security Plans

A system security plan describes an agency’s implementation and operation of system controls, alongside a planned approach to investment, testing, and control activities.

Why you need a System Security Plan (SecPlan)

The NZISM (New Zealand Information Security Manual) classifies an agency’s System Security Plan (SecPlan) as an essential control document for every system within the agency.

The SecPlan describes the implementation and operation of controls within the system derived from the NZISM and the Security Risk Management Plan (SRMP). The objective of a SecPlan is to specify the information security measures for systems.

Depending on the documentation framework chosen, details common to multiple systems can be consolidated in a higher-level SecPlan. The NZISM also gives guidance on which controls and processes an agency must, or should, document within a SecPlan, including:

  • Whether the agency prevents the storage of classified information on non-volatile media and enforces the scrubbing of temporary data at logoff or shutdown.
  • Any authorisations, security clearances and briefings necessary for system access.
  • The types of system users for whom access requirements must be documented, including general users, privileged users, system administrators, contractors and visitors.

Agencies must select controls from the NZISM to be included in the SecPlan based on the scope of the system, with additional system specific controls being included as a result of their associated SRMP.

What does a System Security Plan (SecPlan) involve?

The NZISM provides a list of controls that are potentially applicable to a system based on its classification, its functionality and the technology it implements. Agencies need to determine which controls are within the scope of the system and translate those controls into the SecPlan. These controls are then assessed for their implementation and effectiveness during an information security assessment as part of the accreditation process.

Working from the current NZISM release ensures agencies are taking the most recent threat environment into consideration. GCSB continually monitors the threat environment and conducts research into the security impact of emerging trends, and each release of the NZISM can contain new, rescinded, or modified controls depending on changes in that environment. It is therefore important to engage an experienced team capable of creating and maintaining your agency's SecPlan on an ongoing basis.

According to the NZISM, there can be many stakeholders involved in defining a SecPlan, including representatives from the:

  • project delivering the capability (including contractors);
  • owners of the information to be handled;
  • system users for whom the capability is being developed;
  • management audit authority;
  • CISO, ITSM and system owners;
  • system certifiers and accreditors;
  • information management planning areas; and
  • infrastructure management.

The expert team at CANDA can provide a complete ICT security service for your agency, ensuring all upskilling, assessments, and NZISM-specific requirements are followed through the Certification & Accreditation process.

Contact CANDA ICT Security Experts for assistance

Our experienced team at CANDA are experts across ICT security and can provide a range of services to ensure your agency meets NZISM requirements.

As New Zealand’s trusted and impartial experts on guiding agencies through the Certification & Accreditation process, we have extensive experience in resolving your security and risk concerns.

Contact CANDA today to speak to one of our team and learn more about how we can help.