System Security Plans (SSPs) specify the information security measures for systems.

]]> This section relates to the development of SSPs. Information relating to other mandatory documentation can be found in Section 5.1 - Documentation Fundamentals.

]]> Further information to be included in SSPs relating to specific functionality or technologies that could be implemented for a system can be found in the applicable areas of this manual.

]]> There can be many stakeholders involved in defining a SSP including representatives from the:

  • project, who MUST deliver the capability (including contractors);
  • owners of the information to be handled;
  • system users for whom the capability is being developed;
  • management audit authority;
  • CISO, ITSM and system owners;
  • system certifiers and accreditors;
  • information management planning areas; and
  • infrastructure management.
]]> The NZISM provides a list of controls that are potentially applicable to a system based on its classification, its functionality and the technology it is implementing. Agencies will need to determine which controls are in scope of the system and translate those controls to the SSP. These controls will then be assessed on their implementation and effectiveness during an information security assessment as part of the accreditation process.

]]> In performing accreditations against the latest baseline of this manual, agencies are ensuring that they are taking the most recent threat environment into consideration. GCSB continually monitors the threat environment and conducts research into the security impact of emerging trends. With each release of this manual, controls can be added, rescinded or modified depending on changes in the threat environment.

]]> Agencies MUST select controls from this manual to be included in the SSP based on the scope of the system with additional system specific controls being included as a result of the associated SRMP. Encryption Key Management requires specific consideration; refer to Chapter 17 – Cryptography.

]]> Agencies SHOULD use the latest baseline of this manual when developing, and updating, their SSPs as part of the certification, accreditation and reaccreditation of their systems.

]]> Agencies SHOULD include a Key Management Plan in the SSP.

]]>