ASD's Blueprint for Secure Cloud

Personnel Security

This page provides a template and guidance to assist organisations in documenting their approach to personnel security associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Estimated reading time: 4 minutes

Cyber security awareness training


ISM controls relating to cyber security awareness training are applicable to ensuring <SYSTEM-NAME>receives appropriate overarching governance of decisions and activities that might affect the cyber security within <ORGANISATION-NAME> and are covered by this section of the SSP.


Organisational policies and processes implemented

<ORGANISATION-NAME> is responsible for conducting regular cyber security awareness training for all staff and contractors. As such, cyber security awareness training is undertaken annually by all <ORGANISATION-NAME> staff and contractors covering:

  • the purpose of cyber security awareness training
  • cyber security roles and key contacts
  • authorised use of systems and resources
  • protection of systems and resources
  • reporting of cyber security incidents and suspected compromises.

Tailored privileged user training is also undertaken annually by all privileged users of <SYSTEM-NAME>.

<ORGANISATION-NAME>’s cyber security awareness training material can be found here.


Technical controls implemented

No technical controls are implemented in <SYSTEM-NAME> relating to cyber security awareness training.


Access to systems and resources


ISM controls relating to access control are directly applicable to <SYSTEM-NAME> and are covered by this section of the SSP.


Organisational policies and processes implemented

Use of <SYSTEM-NAME> by <ORGANISATION-NAME> staff and contractors is in accordance with the <SYSTEM-NAME> System Usage Policy.

Staff are only granted access to <SYSTEM-NAME> after:

  • undergoing employment screening and obtaining a <REQUIRED-CLEARANCE> security clearance from the Australian Government Security Vetting Agency (AGSVA)
  • agreeing to the <SYSTEM-NAME> Acceptable Usage Policy
  • receiving a <REQUIRED-BRIEFING> briefing
  • the request for system access and completion of the above requirements by the user has been validated via <VALIDATION-PROCESS>.

All <SYSTEM-NAME> users are granted uniquely identifiable accounts for their general system use, with privileged users granted additional uniquely identifiable privileged accounts to be used for these duties. In accordance with the <PRIVILEGED-ACCESS-PROCESS>, the validity of the business case for each privileged account will be assessed on request and revalidated on an annual basis.

Temporary access

Temporary access to <SYSTEM-NAME> is only granted in the following circumstances:


Accounts used for temporary access are specifically restricted using Role Based Access Control (RBAC) to the minimum required access for these users to undertake their duties.

Shared and emergency access

Shared accounts for <SYSTEM-NAME> will only be used in the following extenuating circumstances:

  • Break Glass Accounts


Use of Break Glass Accounts is documented in <SYSTEM-NAME>’s Incident Response Plan, which has been tested on <TEST-DATE> as part of its initial implementation and deployment. This testing is also to be completed after any fundamental system change, with the last test completed on <TEST-DATE>.

Technical controls implemented

Technical controls for implementation of user access to <SYSTEM-NAME> and its resources are configured with reference to ASD’s Blueprint for Secure Cloud. In particular, the following technical configurations have been implemented:

  • all unprivileged access attempts are logged within Microsoft Entra Sign-ins
  • Microsoft Entra logs are forwarded to a log analytics workspace for long-term secure retention
  • an AppLocker blocklist is configured on workstations via Intune to prevent administrators from launching web browsers and email clients
  • Microsoft Privileged Identity Management (MPIM) has been configured to provide Just-in-Time (JIT) administration
  • changes to privileged accounts and groups are logged in the Microsoft Entra Audit Log
  • Microsoft Entra accounts are automatically disabled after 45-days of inactivity
  • privileged users access to systems, applications and data repositories is automatically disabled after 12-months unless revalidated
  • Microsoft Defender for Cloud Apps policy monitoring is implemented to monitor the activity of Break Glass Accounts
  • the use of Break Glass Accounts is logged in Microsoft Entra Sign-ins.


Security & Governance



External documentation

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra