ASD's Blueprint for Secure Cloud

System Management

This page provides a template and guidance to assist organisations in documenting their approach to system administration, patching and backups and restoration associated with their system(s) built on ASD's Blueprint for Secure Cloud.


System administration

Applicability

ISM controls relating to the system administration of <SYSTEM-NAME> are applicable to and covered by this section of the SSP.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

Administration of Microsoft services within <SYSTEM-NAME> is performed as per <SYSTEM-NAME>’s System Administration Process via a number of Microsoft portals as listed below:

| Portal | Purpose | URL |
| --- | --- | --- |
| Microsoft Entra admin centre | Access and administer Microsoft Entra | https://entra.microsoft.com |
| Microsoft 365 admin centre | Configuration for Microsoft 365 services, including role and licence management, and Microsoft 365 service updates | https://admin.microsoft.com |
| Microsoft Purview compliance portal | Access eDiscovery and management of data handling policies | https://compliance.microsoft.com |
| Microsoft Defender portal | Monitor and respond to threat activity, and apply protection and response configuration across the environment | https://security.microsoft.com |
| Microsoft Endpoint Manager admin centre | Manage and secure organisational devices | https://endpoint.microsoft.com |
| Microsoft 365 Apps admin centre | Create, modify and export Office applications deployment configurations | https://config.office.com |
| Exchange admin centre | Exchange Online management centre to manage organisation email settings | https://admin.exchange.microsoft.com |
| Teams Admin centre | Manage and monitor the organisation Teams environment including features, licences, policies, and issues | https://admin.teams.microsoft.com |
| Power Platform Admin centre | The unified portal to administer Power Apps, Power Automate, Power Pages, and Power Virtual Agents | https://admin.powerplatform.microsoft.com |
| SharePoint Admin centre | Inform, configure, and govern management of all aspects of SharePoint Online across the tenant | https://admin.microsoft.com/sharepoint |
| Defender for Cloud Apps portal | Configure and manage threat detection, session controls, data protections, and Shadow IT detection | https://portal.cloudappsecurity.com |
| Azure Portal | View and manage all aspects of an organisation’s Azure environment | https://portal.azure.com |
| Network Connectivity Test Tool | Enables measurement of the connectivity between a device and Microsoft’s network for troubleshooting and tuning | https://connectivity.office.com/ |
| Microsoft Teams Call Quality Dashboard | Shows organisation wide information for call and meeting quality with relation to Microsoft Teams | https://cqd.teams.microsoft.com |

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

Technical controls for system administration of <SYSTEM-NAME> are configured with reference to ASD’s Blueprint for Secure Cloud including the following technical configuration.

Administrative access to the above portals is restricted via conditional access so that it is performed solely from dedicated Secure Administrative Workstations (SAWs), with appropriate role- and attribute-based access control applied.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

System patching

Applicability

ISM controls relating to the system patching within <SYSTEM-NAME> are applicable to and covered by this section of the SSP.

<SYSTEM-NAME> also uses system components as implemented by Microsoft as part of its Microsoft 365 services, and inherits implementation of patching for those systems. <ORGANISATION-NAME> has assessed the implementation of these systems as documented in Microsoft’s IRAP assessments, and available in Microsoft’s Service Trust Portal, and is satisfied with their implementation as they relate to <SYSTEM-NAME>.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

System Patching for <SYSTEM-NAME> is performed in accordance with the <SYSTEM-NAME> Patch Management Process.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

Technical controls for <SYSTEM-NAME>’s implementation of system patching are configured with reference to ASD’s Blueprint for Secure Cloud, and include the following technical configurations for <SYSTEM-NAME> endpoints and mobile devices via Intune:

  • Intune is configured to provide a centralised approach to patching Windows endpoints, and automatically installs updates within 48 hours on all Windows devices
  • Windows Update verifies the integrity of patches before installing them
  • Microsoft Defender for Endpoint provides a level of continuous vulnerability management capability for all Windows devices.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Data backup and restoration

Applicability

ISM controls relating to backups and restoration, to the extent that they relate to <SYSTEM-NAME>, are applicable to and covered by this section of the SSP.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

Backups and restoration, including for information within the system boundary of <SYSTEM-NAME>, are performed in accordance with <ORGANISATION-NAME>’s Digital Preservation Policy and associated SOPs:

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

Technical controls for backups and restoration are configured with reference to <RELEVANT-GUIDANCE> and include the following technical configurations:

  • <TECHNICAL-CONFIGURATION-1>
  • <TECHNICAL-CONFIGURATION-2>
  • <TECHNICAL-CONFIGURATION-3>

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>


Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra