Security Documentation
This page provides a template and guidance to assist organisations in documenting their approach to security documentation associated with their system(s) built on ASD's Blueprint for Secure Cloud.
Instruction
The security documentation section of a System Security Plan (SSP) should document an organisation’s approach to development of organisational and system-specific security documentation associated with systems built using the Blueprint. As with other sections of the SSP, information in the security documentation section should be documented according to the relevant controls outlined in ASD’s ISM and the SSP Annex.
All template text refers to a typical implementation of a system built using the Blueprint, and includes reference to organisational policies, processes and technical configurations to be implemented in addition to the technical controls that may be configured using guidance in the Blueprint. Any implementation implied by the below should not be considered as prescriptive as to how organisations must scope, build, document, or assess a system.
When completing the below template, organisations should insert and update information where relevant to ensure it accurately represents the approach to security documentation within their organisation. When complete, remove any instructional boxes throughout.
As <ORGANISATION-NAME>’s approach to implementing controls related to security documentation is consistent across all controls addressed within this section, it does not delve into subsections but rather addresses the controls as a group.
Applicability
ISM controls relating to security documentation are applicable to ensuring <SYSTEM-NAME> receives appropriate overarching governance of cyber security matters within <ORGANISATION-NAME> and are covered by this section of the SSP.
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Organisational policies and processes implemented
<ORGANISATION-NAME>’s CISO is responsible for approving all organisational level security documentation, ensuring this documentation is reviewed at least annually and ensuring all relevant stakeholders are aware of this documentation and subsequent updates.
As <SYSTEM-NAME>’s authorising officer, <ORGANISATION-NAME>’s ITSA is responsible for approving all system-specific security documentation, ensuring that the documentation is reviewed at least annually and ensuring all relevant stakeholders are aware of this documentation and subsequent updates.
Links to relevant <ORGANISATION-NAME> and <SYSTEM-NAME> security documentation are provided below.
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Technical controls implemented
No technical controls are implemented in <SYSTEM-NAME> relating to security documentation.
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Related information
Security & Governance
- <ORGANISATION-NAME>’s Cyber Security Strategy
- <SYSTEM-NAME>’s Continuous Monitoring Plan
- <SYSTEM-NAME>’s System Security Plan (this document)
- System Security Plan Annex
- <SYSTEM-NAME>’s Incident Response Plan
- <SYSTEM-NAME>’s Security Assessment Report
- <SYSTEM-NAME>’s Plan of Actions and Milestones
Design
Configuration
- None identified