Security authorisation decisions

When authorising the ongoing development and use or operation of the capability, Senior Responsible Owners (SROs), or a suitable equivalent, must be sure that security risks are within the stated risk appetite.

Information should be available so your SRO can make an informed decision about the capability’s risk.

The CAAT generates a report that can be used to help inform your SRO. This report provides an overview of the capability's security posture.

Once the SRO is satisfied with the capability's security posture, a final Statement of Assurance can be shared with stakeholders. This provides a record of the acceptance of the security status at each stage of the lifecycle.

Benefits

Benefits of security authorisation decisions:
  • fosters transparency and trust between the capability team and SRO
  • supports informed decision making
  • fulfils the SRO's accountability
  • provides stakeholders with a clear picture of risk exposure

Outcomes

Outcomes of security authorisation decisions:
  • support the SRO to make a risk-based decision on the capability in line with capability delivery milestones
  • Security Authorisation Record
  • Statement of Assurance

Responsibility

The delivery team lead is responsible for security authorisation decisions.

When to authorise decisions

At relevant capability delivery milestones, and during changes to the capability design, mission, or threat.