Lockheed Martin UK - Integrated Systems & Solutions

Security Policy Documentation

Key words and phrases: security policy documentation, protectively marked information, accreditation document set, system security policy, risk assessment

The purpose of Security Policy Documentation (SPD) is to mandate the security requirements of an IT system, whether it handles Protectively Marked Information for Her Majesty’s Government, or commercially sensitive data in the private sector. It should be developed in parallel with the system it describes, and the procurement process should not proceed without some sort of official endorsement, such as accreditation.

In UK government applications, the SPD is called an Accreditation Document Set (ADS), although an extant System Security Policy (SSP) may be maintained for legacy systems. However, SPD is equally relevant to commercial concerns: it identifies areas of risk to the IT system, and can help to mitigate the business disruption that may arise because of system vulnerabilities.

For any system a risk assessment should be undertaken to consider issues such as the capabilities of potential attackers, its degree of exposure, and the attractiveness of the information that it handles.

SPD may consist of a number of documents, each produced for a specific purpose. It should cover the following areas:

  • Introduction. Basic details of the system, its environment and the responsibilities for its security.
  • System Description. Its purpose, configuration, interfaces and gateways to other systems; the number of operators, and the level of the protectively marked or commercially sensitive data.
  • Security Requirement. Specific threats to its confidentiality, integrity or availability, and the minimum standards to which countermeasures should conform.
  • Security Design. Measures to counter the identified threats, showing how they satisfy the security requirement.
  • Management Plan. The administrative arrangements for managing a system throughout its life cycle, and for operating it safely. Security Operating Procedures mandate the procedural measures on those responsible for carrying them out.

SPD produced by Lockheed Martin UK - Integrated Systems & Solutions has included:

  • An ADS for the JTIDS Air Platform Network Management System.
  • A Community Security Policy (CSP) on behalf of the UK MOD MIDS/JTIDS Security Working Group.
  • SSPs for land, sea and air systems.

Further information is available from:

Email:
Tel: +44 (0)1252 732555