# Table of Contents

## Top Level

* Home
* Source Basis and Maintenance

### Security Operating Model

* Security Mission and Principles
* Roles, Accountabilities and RACI
* Security Governance and Working Groups
* Security Risk Appetite and Risk Acceptance
* Security Evidence Model

### Secure by Design and Defence Alignment

* Secure by Design Overview
* MOD Secure by Design Responsibilities
* JSP 453 Alignment Approach
* MOD Cyber Security Model v4, DEFCON 658 and Def Stan 05-138
* Defence Cyber Certification Readiness

### Personnel Security and Vetting

* Personnel Security Overview
* Baseline Personnel Security Standard
* National Security Vetting Levels
* Clearance, Role and Access Mapping
* Joiners, Movers and Leavers
* Insider Risk and Ongoing Personnel Security
* Supplier Personnel Security

### Classification, Data and Privacy

* Government Security Classifications
* Data Classification and Handling
* OFFICIAL and OFFICIAL-SENSITIVE Controls
* SECRET and TOP SECRET Handling
* Need to Know and Need to Share
* Privacy, Personal Data and DPIA
* Records, Retention and Secure Disposal

### Identity, Access and Zero Trust

* IAM Overview
* RBAC Model
* ABAC Model
* Hybrid RBAC and ABAC
* Privileged Access Management
* MFA, SSO and Conditional Access
* Machine Identities and Secrets
* Access Reviews and Recertification
* Identity Audit Logging
* Zero Trust Architecture

### Cyber Resilience

* Cyber Resilience Overview
* NCSC CAF Mapping
* NCSC 10 Steps Operating Model
* Asset Management and CMDB
* Vulnerability and Patch Management
* Logging, Monitoring and SOC
* Incident Response and Crisis Management
* Backup, Disaster Recovery and Business Continuity
* Threat Intelligence and Threat Modelling
* Ransomware Resilience
* Exercising, Lessons and Continuous Improvement

### Technical Secure by Design Standards

* Architecture Security Standards
* Secure SDLC
* Threat Modelling
* Secure Coding and Code Review
* Repository and Branch Protection
* CI CD and Build Pipeline Security
* Dependency, SBOM and Software Supply Chain
* API Security
* Cloud Security
* Infrastructure as Code Security
* Container and Kubernetes Security
* Network Security and Segmentation
* Cryptography and Key Management
* Secure Configuration and Hardening
* Testing, Assurance and Penetration Testing

### Accreditation, Certification and Assurance

* Accreditation Strategy
* Cyber Essentials and Cyber Essentials Plus
* ISO 27001 ISMS
* Defence Cyber Certification Readiness
* CAF and GovAssure Readiness
* ISO 22301 Business Continuity
* SOC 2, ISO 9001 and ISO 20000
* Evidence Library and Control Mapping

### Supply Chain and Subcontractor Security

* Supplier Security Model
* Contracting Securely and Security Schedules
* Supplier Onboarding and Due Diligence
* Flow Down and Subcontractor Controls
* Supplier Monitoring and Offboarding

### Security Operations and Reporting

* Security Operating Rhythm
* Security Metrics, KPIs and KRIs
* Security Exceptions and Risk Acceptance
* Audit Plan and Evidence Retention

### Templates and Checklists

* Security Initiation Checklist
* Security Requirements Catalogue
* Vetting and Access Request Template
* RBAC ABAC Access Matrix Template
* Threat Model Template
* Security Architecture Decision Record Template
* Security Risk Register Template
* Incident Response Plan Template
* Supplier Security Due Diligence Template
* Accreditation Evidence Matrix
* Control Mapping Template
* JSP 453 Alignment Register Template

### Glossary

* Glossary

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```http
GET https://framework.aic.io/security-vetting-and-technical-assurance-playbook/table-of-contents.md?ask=<question>
```

The question should be specific, self-contained, written in natural language, and URL-encoded when placed in the `ask` query string. The response contains a direct answer to the question together with relevant excerpts and source references from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
