Database Systems
This page provides a template and guidance to assist organisations in documenting their approach to databases and database servers associated with their system(s) built on ASD's Blueprint for Secure Cloud.
Instruction
The database systems section of a System Security Plan (SSP) should document an organisation’s approach to databases and database servers. As with other sections of the SSP, information in this section should be documented according to the relevant controls outlined in ASD’s ISM and the SSP Annex.
All template text refers to a typical implementation of a system built using the Blueprint, and includes reference to organisational policies, processes and technical configurations to be implemented in addition to the technical controls that may be configured using guidance from the Blueprint. Any implementation implied by the below text should not be considered as prescriptive of how organisations must scope, build, document, or assess their systems.
When completing the below template, organisations should insert and update information where relevant to ensure it accurately represents their approach to databases and database servers. When complete, remove any instructional boxes throughout.
This section does not include specific subsections as <ORGANISATION-NAME>’s overall approach to implementing security controls in relation to the Guidelines for Database Systems for <SYSTEM-NAME> is consistent for all subsections.
As <ORGANISATION-NAME>’s approach to implementing controls related to database systems is consistent across all controls addressed within this section, it does not delve into subsections but rather addresses the controls as a group. This approach is consistent with ASD’s Guidelines for Database Systems.
Applicability
This section of the SSP is not applicable as <SYSTEM-NAME> does not include any databases, nor does it leverage the use of databases within <ORGANISATION-NAME>. If and when databases are considered for future use within the system boundary of <SYSTEM-NAME>, <ORGANISATION-NAME> will assess and implement appropriate security controls in relation to their use at that time.
However, <SYSTEM-NAME> does use databases as implemented by Microsoft as part of its Microsoft 365 services. <ORGANISATION-NAME> has assessed the implementation of these as documented in Microsoft’s IRAP assessments, available in Microsoft’s Service Trust Portal, and is satisfied with their implementation as they relate to <SYSTEM-NAME>.
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Organisational policies and processes implemented
No organisational policies or processes have been implemented in <SYSTEM-NAME> relating to databases.
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Technical Controls Implemented
No technical controls are implemented in <SYSTEM-NAME> relating to databases.
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Related information
Security & Governance
- None identified
Design
- None identified
Configuration
- None identified
External links
- ASD’s Guidelines for Database Systems
- Microsoft’s Service Trust Portal