Friday, June 24, 2005

SSAA vs. ISP

I've done a few System Security Authorization Agreements (SSAAs), but I admit I'm doing Information Support Plans (ISPs, formerly C4ISPs) for the first time.

I used to think that the SSAA was a little bit too much information. Over time I've learned that it makes total sense. It forces the designers to answer important questions. Many times the questions it answers aren't important until much later (such as life cycle issues).

The ISP puts the SSAA to shame in its sheer volume of information that needs to be gathered. This is because it includes the netcentric aspects of the system, the actual schedule and money involved, acquisition issues and a bunch of other things that I, as a security guy, don't care about.

The ISP is a bird's-eye view of the target system, where the SSAA is a microscope into all levels of security over the life of the system, from cradle to grave.
