Cyber Authorisation
Jump to navigation
Jump to search
Authorisation Package is an information pack to assist CISO to approve Authority to Operate (ATO) for a system. Usually includes:
- System security plan (SSP)
- Incident response plan (IRP)
- Continuous monitoring plan
- Security assessment report
- Plan of action and milestones
- Statement of Applicability (SoA)
- System Security Plan (SSP)
- System Overview Document (SOD)
- Incident Response Plan (IRP)
- Security Risk Management Plan (SRMP)
- Detailed Design Document
- Risk Register
- Business Impact Analysis (BIA)
- Standard Operating Procedures (SOP) as required
The authorising officer could be more demanding and ask for more before they are convinced. Or they may see the business need for the system to be so high that they’re willing to authorise on less information. Again, this is why we can’t have universal declarations of a system being good for a particular classification.
Interim or provisional authorisation doesn’t exist anymore. You either have a system that’s authorised, or it’s not. The authorisation could be constrained, and come with promises to implement changes in the future.