Cyber Authorisation

An Authorisation Package is an information pack that assists the CISO in approving an Authority to Operate (ATO) for a system. It usually includes:

  • Statement of Applicability (SoA)
  • System Security Plan (SSP)
  • System Overview Document (SOD)
  • Incident Response Plan (IRP)
  • Security Risk Management Plan (SRMP)
  • Detailed Design Document
  • Risk Register
  • Business Impact Analysis (BIA)
  • Standard Operating Procedures (SOP) as required

The authorising officer could be more demanding and ask for more before they are convinced. Or they may judge the business need for the system to be so high that they are willing to authorise on less information. Again, this is why we cannot have universal declarations that a system is fit for a particular classification. Interim or provisional authorisation no longer exists: a system is either authorised or it is not. An authorisation can, however, be constrained and come with commitments to implement changes in the future.