System-specific cyber security documentation, such as a system security plan, cyber security incident response plan, change and configuration management plan, continuous monitoring plan, security assessment report, and plan of action and milestones, supports the accurate and consistent application of policies, processes and procedures for systems. As such, it is important that these documents are developed by personnel with a good understanding of business requirements, technologies being used and cyber security matters.
System-specific cyber security documentation may be presented in a number of formats, including in wikis or other forms of document repositories. Furthermore, depending on the documentation framework used, details common to multiple systems could be consolidated into higher level cyber security documentation.
To assist with the development of system-specific cyber security documentation, a system security plan annex template, and an equivalent cloud controls matrix template, are available from the Australian Signals Directorate’s Information security manual webpage.