ASD's Blueprint for Secure Cloud

System Security Plan

This page provides a template and guidance to assist organisations in preparing an introduction to an SSP describing the organisational policies and processes, and technical controls implemented within system(s) built on ASD's Blueprint for Secure Cloud.


About this System Security Plan

This System Security Plan (SSP) describes the organisational policies and processes relevant to, and technical controls implemented within the core <SYSTEM-NAME> or network that includes <ORGANISATION-NAME>’s Microsoft Workloads (Cloud and Software as a Service), endpoints and <OTHER SYSTEM COMPONENTS IN SCOPE>.

ISM Version used: March 2024

Purpose of this System Security Plan

The purpose of this SSP is to describe the organisational policies and processes relevant to, and technical controls implemented within <ORGANISATION-NAME>’s <SYSTEM-NAME>, including the underlying components leveraged in the system’s deployment. This document has been developed to comply with the Australian Signals Directorate’s (ASD’s) Information Security Manual’s (ISM’s) requirements in relation to documentation for system authorisation.

This document is written using descriptive and explanatory language to assist readers in understanding how <SYSTEM-NAME> operates securely, the controls implemented, and the residual controls that are addressed elsewhere by <ORGANISATION-NAME>.

For detailed information on how <SYSTEM-NAME> addresses specific controls in ASD’s ISM, please refer to the System Security Plan Annex.


Overview

This page provides a template and guidance to assist organisations in preparing an Overview for their SSP describing system(s) built on ASD's Blueprint for Secure Cloud.

Cyber Security Roles

This page provides a template and guidance to assist organisations in documenting the cyber security roles associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Cyber Security Incidents

This page provides a template and guidance to assist organisations in documenting their approach to managing and responding to cyber security incidents associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Procurement and Outsourcing

This page provides a template and guidance to assist organisations in documenting their approach to procurement and outsourcing associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Security Documentation

This page provides a template and guidance to assist organisations in documenting their approach to security documentation associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Physical Security

This page provides a template and guidance to assist organisations in documenting their approach to physical security associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Personnel Security

This page provides a template and guidance to assist organisations in documenting their approach to personnel security associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Communication Infrastructure

This page provides a template and guidance to assist organisations in documenting their approach to managing communications infrastructure associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Communications Systems

This page provides a template and guidance to assist organisations in documenting their approach to managing communications systems associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Enterprise Mobility

This page provides a template and guidance to assist organisations in documenting their approach to enterprise mobility associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Evaluated Products

This page provides a template and guidance to assist organisations in documenting their approach to evaluation of products used in association with their system(s) built on ASD's Blueprint for Secure Cloud.

ICT Equipment

This page provides a template and guidance to assist organisations in documenting their approach to management of ICT equipment associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Media

This page provides a template and guidance to assist organisations in documenting their approach to management of media usage, sanitisation, destruction and disposal associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Operating System Hardening

This page provides a template and guidance to assist organisations in documenting their approach to operating system hardening associated with their system(s) built on ASD's Blueprint for Secure Cloud.

User Application Hardening

This page provides a template and guidance to assist organisations in documenting their approach to user application hardening associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Server Application Hardening

This page provides a template and guidance to assist organisations in documenting their approach to server application hardening associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Authentication Hardening

This page provides a template and guidance to assist organisations in documenting their approach to authentication hardening associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Virtualisation Hardening

This page provides a template and guidance to assist organisations in documenting their approach to virtualisation hardening associated with their system(s) built on ASD's Blueprint for Secure Cloud.

System Management

This page provides a template and guidance to assist organisations in documenting their approach to system administration, patching, and backup and restoration associated with their system(s) built on ASD's Blueprint for Secure Cloud.

System Monitoring

This page provides a template and guidance to assist organisations in documenting their approach to system monitoring, including event logging and monitoring, associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Software Development

This page provides a template and guidance to assist organisations in documenting their approach to software development associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Database Systems

This page provides a template and guidance to assist organisations in documenting their approach to databases and database servers associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Email

This page provides a template and guidance to assist organisations in documenting their approach to email gateways and servers and email use associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Networking

This page provides a template and guidance to assist organisations in documenting their approach to networking design and configuration, wireless networks and service continuity for online services associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Cryptography

This page provides a template and guidance to assist organisations in documenting their approach to cryptography, TLS, SSH, S/MIME and IPsec associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Gateways

This page provides a template and guidance to assist organisations in documenting their approach to gateways, cross-domain solutions, firewalls, web proxies, content filtering and peripheral switches associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Data Transfers

This page provides a template and guidance to assist organisations in documenting their approach to data transfers associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au


Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra