Security Documentation
This page provides a template and guidance to assist organisations in documenting their approach to cybersecurity documentation associated with their system(s) built on ASD's Blueprint for Secure Cloud.
Instruction
The cybersecurity documentation section of a System Security Plan (SSP) should document an organisation’s approach to development of organisational and system-specific cybersecurity documentation associated with systems built using the Blueprint. As with other sections of the SSP, information in the cybersecurity documentation section should be documented according to the relevant controls outlined in ASD’s ISM and the SSP Annex.
All template text refers to a typical implementation of a system built using the Blueprint, and includes reference to organisational policies, processes and technical configurations to be implemented in addition to the technical controls that may be configured using guidance in the Blueprint. Any implementation implied by the below should not be considered as prescriptive as to how organisations must scope, build, document, or assess a system.
When completing the below template, organisations should insert and update information where relevant to ensure it accurately represents the approach to cybersecurity documentation within their organisation. When complete, remove any instructional boxes throughout.
As <ORGANISATION-NAME>’s approach to implementing controls related to cybersecurity documentation is consistent across all controls addressed within this section, the section is not divided into subsections but rather addresses the controls as a group.
Applicability
ISM controls relating to cybersecurity documentation are applicable to ensuring <SYSTEM-NAME> receives appropriate overarching governance of cybersecurity matters within <ORGANISATION-NAME> and are covered by this section of the SSP.
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Organisational policies and processes implemented
<ORGANISATION-NAME>’s CISO is responsible for approving all organisational level cybersecurity documentation, ensuring this documentation is reviewed at least annually and ensuring all relevant stakeholders are aware of this documentation and subsequent updates.
As <SYSTEM-NAME>’s authorising officer, <ORGANISATION-NAME>’s ITSA is responsible for approving all system-specific cybersecurity documentation, ensuring that the documentation is reviewed at least annually and ensuring all relevant stakeholders are aware of this documentation and subsequent updates.
Links to relevant <ORGANISATION-NAME> and <SYSTEM-NAME> cybersecurity documentation are provided below.
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Technical controls implemented
No technical controls are implemented in <SYSTEM-NAME> relating to cybersecurity documentation.
<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>
Related information
Security & Governance
- <ORGANISATION-NAME>’s Cyber Security Strategy
- <SYSTEM-NAME>’s Continuous Monitoring Plan
- <SYSTEM-NAME>’s System Security Plan (this document)
  - System Security Plan Annex
- <SYSTEM-NAME>’s Incident Response Plan
- <SYSTEM-NAME>’s Security Assessment Report
- <SYSTEM-NAME>’s Plan of Actions and Milestones
Design
Configuration
- None identified