BCP in A Box

Business Continuity
in a Box
Overview Document
Content Complexity
ADVANCED
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Why use Business Continuity in a Box? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Is Business Continuity in a Box right for your organisation?. . . . . . . . . . 5
How does Business Continuity in a Box fit into a cyber incident

response?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Continuity of Communications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Continuity of Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Contact. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Disclaimer
The information herein is being provided “as is” for information purposes only. The authors
do not endorse or favour any commercial entity, product, company, or service, including any
entities, products, or services linked or otherwise referenced within this document.
2 ASD’s ACSC | Business Continuity in a Box - Overview

Overview
Business Continuity in a Box – developed by the Business Continuity in a Box consists
Australian Signals Directorate’s Australian Cyber of two components:
Security Centre (ASD’s ACSC), with contributions from
• Continuity of Communications – focuses on
the United States Cybersecurity and Infrastructure
keeping communications flowing during a
Security Agency (CISA) – assists organisations with
cyber incident by assisting organisations to
swiftly and securely standing up critical business
establish basic communications functionality.
functions during or following a cyber incident. By
using Business Continuity in a Box, organisations • Continuity of Applications – focuses on establishing
can maintain or re-establish the basic functions interim business-critical applications during a cyber
needed to operate a business while responding incident by assisting organisations to deploy an
to the issues affecting their existing systems. interim cloud solution for hosting core applications.
Business Continuity in a Box is an interim solution to Importantly, individual organisations will need to
be deployed by either the organisation or its Managed independently assess whether Business Continuity in
Service Provider (MSP). These guidance materials a Box is the right tool for their unique circumstances,
provide step-by-step instructions on how to determine considering their needs and capacity to implement.
and then set up the required interim solution.
NOTE: If you are an existing Microsoft 365 or Google Workspace customer, we do not
i recommend use of Business Continuity in a Box. In these instances, we suggest contacting
the relevant hosting provider for support.
Why use Business

Continuity in a Box?
Business Continuity in a Box is designed for situations To assist organisations who do not have
where the availability or integrity of an organisation’s access to a relevant or recent BCP, Business
data and/or systems has been compromised. Continuity in a Box provides an immediate,
interim solution for establishing business-
When organisations experience a cyber
critical functions in a timely and secure manner.
incident, they often do not have the capacity
Business Continuity in a Box focuses on:
or resources to continue to undertake minimal
business operations securely while incident • Email Communications (Continuity
investigation and remediation takes place. of Communications)
Whilst a Business Continuity Plan (BCP) remains • Business-Critical Applications

the most effective way for organisations to (Continuity of Applications)
achieve business continuity, BCPs are not always
For organisations looking to better prepare for a
developed, updated or regularly tested.
potential cyber incident, Business Continuity in a
cyber.gov.au 3
Box can be integrated into an existing BCP. However, • ASD’s ACSC Cyber Incident Response Plan
due to its targeted focus on email communications at cyber.gov.au/resources-business-and-
and critical applications, Business Continuity in a government/essential-cyber-security/
Box cannot replace a BCP in its entirety. We strongly publications/cyber-incident-response-plan
encourage organisations to invest in a comprehensive
• CISA Federal Government Cybersecurity
BCP tailored to their unique business needs. For
Incident and Vulnerability Response Playbooks -
more guidance on how to prepare your organisation
Although tailored to U.S. federal civilian branch
for a cyber incident, see the following resources:
agencies, these playbooks provide operational
• ASD’s ACSC Preparing for and Responding procedures for planning and conducting
to Cyber Security Incidents at cyber.gov.au/ cybersecurity incident response activities and
resources-business-and-government/governance- detail each step for incident response.
and-user-education/governance/preparing-
and-responding-cyber-security-incidents
Is Business Continuity
in a Box right for your
organisation?
In the event of a cyber incident, Business Continuity in • the Continuity of Communications package requires
a Box assists small to medium-sized organisations (10- a basic level of computing knowledge; and
300 people) who require an interim Information and
• the Continuity of Applications package requires an
Communication Technology (ICT) solution to deliver
intermediate level of knowledge of cloud services.
minimal services. Larger enterprises and government
departments can also use this guidance. However, Business Continuity in a Box includes some
they may need to apply additional configuration technical implementation details (where
steps. It is recommended that larger organisations appropriate). However, due to the unique
consult with an MSP and carry out appropriate needs of individual organisations, it is not
independent risk and business impact assessments. possible to provide specific technical details
for all types of technologies and software that
Whilst Business Continuity in a Box has been designed
consumers of this guidance may require.
to maximise ease of use, implementation of:

How does Business
Continuity in a Box fit
into a cyber incident
response?
Business Continuity in a Box is designed to complement a broader cyber incident response timeline:
Incident
Incident Recover
Incident containment Operate Learn &
investigation data &
realised & evidence normally improve
& analysis systems
collection
Keep communication flowing
Establish interim core applications
Business Continuity in a Box
Continuity of • Written guidance on provisioning a

Microsoft 365 Business Standard tenant.
Communications
• A tool for automated configuration of the
It is critical that organisations have effective means Microsoft 365 Business Standard tenant.
of internal and external communication, especially
when responding to a cyber incident. As an interim This package has been developed using
solution, Business Continuity in a Box provides Microsoft 365 as the core technology stack
organisations with the ability to re-establish basic due to its prevalent usage across business and
communications functionality quickly and securely. government organisations. The package has
This includes guidance on how to set up a catch- been designed to accommodate interoperability,
all mailbox so that critical communications sent functionality, compatibility, and security.
to the organisation are not lost during the period
The Continuity of Communications package has
when usual email systems are unavailable.
been designed based on the Microsoft 365 Business
The Continuity of Communications Standard subscription, which offers comprehensive
package includes the following: security and management features within the
Microsoft 365 ecosystem. The configuration is based
cyber.gov.au 5
on better practice security configuration advice The Continuity of Applications
from ASD’s ACSC, as well as recent guidance from package includes guidance on:
CISA and the Center for Internet Security (CIS).
• Determining critical functions and requirements
Further guidance on better practice security to ensure continued business operations.
configuration is detailed below:
• Determining an appropriate platform for
• ASD’s ACSC Cloud Computing Security each required interim application.
Considerations at cyber.gov.au/resources-
• Deploying a secure cloud-hosted Infrastructure-
business-and-government/maintaining-
as-a-Service (IaaS) solution for each major cloud
devices-and-systems/cloud-security-guidance/
hosting provider, enabling organisations to
cloud-computing-security-considerations
take advantage of existing software licenses as
• ASD’s ACSC Guidelines for System Hardening at well as organisational knowledge and skills.
cyber.gov.au/resources-business-and-government/
essential-cyber-security/ism/cyber-security-
guidelines/guidelines-system-hardening
Contact
For any enquiries concerning this guidance or
• CISA Secure Cloud Business Applications (SCuBA) to provide feedback, please navigate to cyber.
Project at cisa.gov/resources-tools/services/secure- gov.au/about-us/about-asd-acsc/contact-us.
cloud-business-applications-scuba-project Select ‘General enquiry or feedback’, and choose
• CISA Microsoft 365 Secure Configuration Baseline ‘Business Continuity in a Box’ from the drop-down
Assessment (SCuBAGear) Tool at cisecurity.org/ menu under ‘Your enquiry/feedback type’.
benchmark/microsoft_windows_desktop If you or your organisation are victim of a data breach
• CIS Secure Configuration Guidelines at cisecurity. or cyber incident, follow relevant cyber incident
org/benchmark/microsoft_windows_desktop response and communication plans, as appropriate.
• CIS Microsoft 365 Benchmark at cisecurity. • Australian organisations impacted by, or

org/benchmark/microsoft_365 requiring assistance relating to, a cyber incident
can contact ASD’s ACSC via 1300 CYBER1
• Microsoft Entra Verified ID – Manage Emergency (1300 292 371), or by using ReportCyber at
Access Accounts at learn.microsoft.com/ cyber.gov.au/report-and-recover/report.
en-us/entra/identity/role-based-access-
control/security-emergency-access • United States organisations may report cyber
incidents to CISA’s 24/7 Operations Center at
report@cisa.dhs.gov, cisa.gov/report, or (888)
Continuity of Applications 282-0870. When available, please include
Communications flow, while important, is not information regarding the incident: date, time and
the only functionality that an organisation location of the incident; type of activity; number of
needs in order to continue basic operations. people affected; type of equipment used for the
Other critical functionalities may include activity; the name of the submitting company or
office productivity suites, accounting, human organisation; and a designated point of contact.
resource management and payroll systems.

Disclaimer
The material in this guide is of a general nature and should not be regarded
as legal advice or relied on for assistance in any particular circumstance or
emergency situation. In any important matter, you should seek appropriate
independent professional advice in relation to your own circumstances.
The Commonwealth accepts no responsibility or liability for any damage, loss or

expense incurred as a result of the reliance on information contained in this guide.
Copyright.
© Commonwealth of Australia 2023.
With the exception of the Coat of Arms and where otherwise stated, all material
presented in this publication is provided under a Creative Commons Attribution
4.0 International licence (www.creativecommons.org/licenses).
For the avoidance of doubt, this means this licence only applies to material
as set out in this document.
The details of the relevant licence conditions are available on the Creative
Commons website as is the full legal code for the CC BY 4.0 licence
(www.creativecommons.org/licenses).
Use of the Coat of Arms.

The terms under which the Coat of Arms can be used are detailed
on the Department of the Prime Minister and Cabinet website
(www.pmc.gov.au/government/commonwealth-coat-arms).
For more information, or to report a cyber security incident, contact us:

cyber.gov.au | 1300 CYBER1 (1300 292 371).
cyber.gov.au 7
Business Continuity
in a Box
Guidance:
Continuity of Communications
Content Complexity
SIMPLE
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
How to use this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Stage 1: Review Pack and Verify Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Stage 2: Provision Microsoft 365 Business Standard Tenant . . . . . . . . . . . . . . . . . . . . . 7
Stage 3: Configure Organisation Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Stage 4: Run Automated Configuration of Environment. . . . . . . . . . . . . . . . . . . . . . . 19
Stage 5: Validate Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Contact. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Appendix A: acronyms, abbreviations and definitions . . . . . . . . . . . . . 23
Disclaimer
2 ASD’s ACSC | Business Continuity in a Box - Communications

Introduction
Purpose
In modern organisations, email is the most common function for internal and external communications. In the
case of a systems outage during a cyber incident, email (and other communications) functionality is often lost.
To ensure business continuity and coordinate an effective response to the incident, organisations must rapidly
re-establish basic internal and external communications.
Continuity of Communications focuses on keeping communications flowing during a cyber incident by assisting
organisations to establish basic communications functions quickly and securely. It provides guidance to
organisations on how to deploy a Microsoft 365 tenant and Exchange Online configuration when core systems,
such as user directory and email, become unusable or unavailable.
Overview
Business Continuity in a Box – developed by the Australian Signals Directorate’s Australian Cyber Security Centre
(ASD’s ACSC) with contributions from the United States Cybersecurity and Infrastructure Security Agency (CISA) –
is an interim solution to be deployed by either the organisation or its Managed Service Provider (MSP). Successful
implementation of Continuity of Communications entails provisioning and configuring of a Microsoft 365
Business Standard tenant and requires a basic level of computing knowledge.
The implementation steps within this guidance will enable an organisation to provision a trial Microsoft 365
Business Standard tenant which includes Microsoft Entra ID (formerly Azure Active Directory), Exchange Online,
and associated security services. The guidance also steps through the establishment of a ‘catch-all’ email inbox,
established as a priority to ensure critical communications sent to an organisation can continue to be received
while other communications systems are unavailable.
Once the Microsoft 365 tenant has been provisioned, the guidance steps through how to deploy the
accompanying automation tool – preconfigured security settings and system configurations via PowerShell
scripts.
The tool provides a mechanism to automatically configure the Microsoft 365 tenant so that it is secure and
functional. This reduces the workload on system administrators, allowing them to better focus on other recovery
efforts for the organisation.
The tool automates the configuration of the Microsoft 365 tenant by:
• Applying settings to the Microsoft 365 tenant to secure the organisation and its users.
• Securely configuring Exchange Online and Microsoft Defender to protect the organisation from malicious and spam
emails and attachments.
• Creating a temporary ‘catch-all’ mailbox to ensure all emails sent to the organisation’s email address are captured.
cyber.gov.au 3
Creating an emergency account which should be used in situations where existing administrators are unable
to log into their accounts. The configuration provides a secure foundation for organisations to expand on
as needed. This may include enabling additional Microsoft 365 services or provisioning additional cloud
capabilities to enable restoration of other business services such as financial management or human resource
management (see: Business Continuity in a Box - Guidance: Continuity of Applications).
What is Microsoft 365?

Microsoft 365 is a suite of cloud-based productivity tools and services. It includes several online services and
capabilities required for business activities. Access to these services and capabilities is dependent on the licence
type. This guidance focuses on the Microsoft 365 Business Standard plan. Microsoft offers a range of other plans
depending on an organisation’s requirements, size and type. For a comprehensive comparison of all Microsoft
365 plans see:
• Microsoft 365 and Office 365 Plan Options at learn.microsoft.com/en-au/office365/

servicedescriptions/office-365-platform-service-description/office-365-plan-options
The Continuity of Communications package uses the following Microsoft 365 services:
• Microsoft Entra ID provides centralised Identity and Access Management

capabilities for an organisation to secure systems, identities, and data.
• Exchange Online provides an organisation with enterprise email and calendar capabilities. Access to Exchange
Online can be via a traditional desktop email client or via Outlook Web Access through the user’s internet browser.
• Microsoft Defender is an integrated security solution across the Microsoft 365 suite, which
offers protection against phishing emails, malware and other threats across Office 365
applications, Exchange Online, SharePoint Online and managed devices.
The following Microsoft 365 services are out of scope of the Continuity of Communications package:
• Office Applications are the online versions of the equivalent desktop

applications. These include Word, Excel, PowerPoint and OneNote.
• SharePoint Online and OneDrive for Business offer document management and collaboration capabilities.
• Teams provides a platform for unified communications and collaboration.
How to use this document

This document is divided into five consecutive stages. It is recommended that the reader reviews the document
in its entirety before commencing Stage 1.
This document uses the below callout boxes to highlight various information.
NOTE: Information to assist the reader in understanding the document, including

i
justification for a particular decision, key considerations, and other important details.
WARNING: Highlights information that requires careful attention, such as implementation

! of a change or configuration that may impact users or the organisation’s information
technology operations.

Guidance
Stage 1: Review Pack and Verify Prerequisites
This document forms one component of the Continuity of Communications implementation guidance. An
additional repository containing the automation tool and associated configuration files is also required to make
full use of the guidance. Before continuing with this guidance, review all the content in this document, ensuring
to prepare and verify additional prerequisites for each stage.
This document is divided into five consecutive stages. The term ‘operator’ refers to the person responsible
for implementation of the Business Continuity in a Box solution within their organisation. The below diagram
represents the staged process and the prerequisites for each stage.
STAGE 1 STAGE 2 STAGE 3 STAGE 4 STAGE 5
Review pack Provision Configure Run automated Validate

and verify Microsoft organisation configuation of environment
prerequisites 365 Business settings environment
Standard Tenant
Computer
This guidance assumes the operator will use a Microsoft Windows-based personal computer (PC) running
Windows 10 or Windows 11 using the Microsoft Edge browser to perform the steps. Instructions within this
guidance can be completed using alternative solutions. However, the operator will need to interpret the steps for
the specific operating system and browser.
Business Continuity in a Box is designed for use during a cyber incident that has affected access to or trust of an
organisation’s systems. The selected PC must therefore be independent from the organisation’s IT environment,
including network and Internet connection.
The automation tool within this guidance uses the command-line shell scripting language and configuration
management framework called PowerShell. Configuration of the automation tool is done via supplied
configuration files which have the ‘.config’ file extension.
Phone
During the setup process, Microsoft will either text or call a verification code to a phone. Voice over internet
protocol (VOIP) systems generally do not allow the receiving of the verification phone call. Microsoft
recommends not using a VOIP phone number for the verification process.
Email
During the setup process, Microsoft will email an account confirmation to the email address provided during the
setup process. To receive the confirmation email, the operator must have access to the email account.
cyber.gov.au 5
NOTE: Whilst ordinarily it would be preferred to avoid use of a personal email account, the
nature of the cyber incident may restrict alternatives. If the operator does not have access
i
to an appropriate email account, the operator could choose to sign up for a new email
account using providers such as Microsoft Outlook or Google Mail.
! WARNING: Do not use an email address associated with the affected organisation.
Organisation Information
Continuity of Communications will provision and configure Exchange Online to enable an organisation to
capture all incoming emails to their existing domain name. To redirect emails to Exchange Online, the operator
will require access to the organisation’s public Domain Name Service (DNS) hosting provider in order to modify
the text (TXT) and mail exchange (MX) records.
NOTE: Given the scenario in which Business Continuity in a Box should be used, we do
not recommend creating new domain records. To receive email messages sent to the
i
organisation’s existing email addresses, only the relevant domain(s) for those email
addresses should be modified to update the TXT and MX records.
WARNING: Incorrectly configuring, adding or removing an organisation’s DNS records can

!
result in further impacts to the availability of a system.
Configuration steps for modifying DNS records vary depending on the hosting provider. The organisation
will be required to supply the operator with the appropriate credentials to access the hosting platform. If
the organisation cannot provide the necessary credentials, they must contact their hosting provider prior to
proceeding further. If the hosting provider cannot be located, a DNS lookup using a free service such as www.
mxtoolbox.com depicted in the image below may assist.

Financial Delegation
The Microsoft 365 Business Standard plan is valid as a free trial for 30 days. Registration requires an
organisation to provide valid credit card credentials. Microsoft will automatically bill the credit card after the
trial period if the organisation does not cancel the subscription beforehand. For full terms and conditions
regarding Microsoft billing, please refer to:
• Microsoft Business Subscriptions and Billing Documentation at learn.microsoft.com/en-au/microsoft-365/commerce
Stage 2: Provision Microsoft 365 Business Standard Tenant

Overview
This stage walks through the process for setting up a trial Microsoft 365 Business Standard tenant and
redirecting emails to the new tenant.
NOTE:
This stage of the guidance provisions a trial Microsoft 365 Business Standard tenant.
The trial provides up to 25 user licences for 30 days.
Microsoft allows a one-time extension of the trial period for an additional 30 days within 15
days of the trial expiry date.
i
A paid Microsoft 365 Business Standard plan allows for the provision of up to 300 user
licences.
If the 25-user license limit offered by the trial plan is insufficient for an organisation’s needs,
the organisation can, at any time, convert the trial to a paid subscription to gain access to
the full user license allowance.
Stage Prerequisites
The operator completing this stage will require:
1. PC with a connection to the Internet
2. Up-to-date web browser
3. Valid email address to use during the registration process (must not be
associated with or hosted on the network experiencing disruption)
4. Phone that can receive a phone call or a SMS verification code (non-VOIP)
5. Valid credit card
cyber.gov.au 7
Process
1. Navigate to the Microsoft 365 Business Standard Sales Portal at microsoft.com/en-au/microsoft-365/business/
microsoft-365-business-standard
2. Select ‘Try free for one month’.
3. In the next screen, ensure that only one person is selected and click ‘Next’.
NOTE: Selecting one user at this stage does not restrict the number of users that an
organisation can add to the tenant. The trial allows for an additional 24 users. Selecting one
i
user at this stage will simplify the setup and configuration process until the organisation has
configured the remainder of the Microsoft 365 tenant.

4. In the next screen, enter an email address to use for account verification and click ‘Next’.
5. Click ‘Set up account’.
cyber.gov.au 9
6. Enter the required information and click ‘Next’.
NOTE: The country or region selected on this screen will determine the data centre region
i for data storage. Set this entry to the appropriate country or region to meet your data
storage requirements.
7. Enter a phone number that can receive a phone call or SMS verification code and click ‘Send verification code’.

8. Enter the code received into the text box and click ‘Verify’.
9. Enter a username, domain name and password, and then click ‘Next’. This will create a ‘Global Administrator’
account with the chosen username and password required in later stages of this guidance.
NOTE: Username: The username on this screen will be the primary administrator account to
gain access to the Microsoft 365 administration portal.
i
Domain Name: Microsoft requires initial use of ‘.onmicrosoft.com’. After setup, the
organisation’s own domain name can replace this.
cyber.gov.au 11
WARNING:
Ensure to record the username, domain name and password in a secure location (location
! must not be associated with or hosted on the network experiencing disruption). Until
additional users are added to the tenant with appropriate access permissions, loss of the
credentials will result in an inability to access the Microsoft 365 environment.
10. Microsoft requires a valid credit card to register a Business Standard subscription, click
‘Add Payment method’, complete the payment information, and click ‘Save’.
NOTE: Microsoft will not bill the credit card within the trial period. However, Microsoft will
verify the validity of the card and create a billing account. The billing account is used to
manage account settings, invoices, update payment methods and purchases. For more
information about billing accounts, see:
• Understand Billing Accounts at learn.microsoft.com/en-us/

i microsoft-365/commerce/manage-billing-accounts
At the end of the free trial period, the trial subscription will automatically convert to a paid
subscription, defaulting to the same plan selected for the trial period. Charges to the credit
card will not be incurred if the trial subscription is cancelled prior to the end of the free trial
period. The trial will automatically expire at the end of the 30-day period and the credit card
will not be charged.

11. Review the information and click ‘Start trial’.
12. After a short period, the screen will update to show a confirmation that the Microsoft 365 Business
Standard subscription process is active. Ensure the information is saved to a location where it
can be accessed in the future (location must not be associated with or hosted on the network
experiencing disruption), and then click ‘Start using Microsoft 365 Business Standard’.
13. The Microsoft 365 Business Standard trial is now active.
cyber.gov.au 13
Stage 3: Configure Organisation Settings
Overview
This step configures the organisation’s existing DNS information to point to the new Microsoft 365 Business
Standard tenant, enabling email routing.
Stage Prerequisites
3. Access to and ability to edit the organisation’s DNS settings in the provider portal
Process
1. Continuing from Stage 2, the operator will have the opportunity to install Microsoft 365 desktop applications.
Installation and operation of the desktop applications are not in scope for this guidance, so click ‘Continue’.

2. To enable creation of the catch-all mailbox, the organisation’s existing DNS records need to be
updated to point to the new Microsoft 365 Exchange Online endpoints for the organisation. In
the available text box enter the organisation’s domain name and click ‘Use this domain’.
3. To verify ownership of the domain, Microsoft requires the addition of a TXT record or an MX record to
the DNS settings. This guidance uses the first option, ‘Add a TXT record to the domain’s DNS records’, but
the processes for adding an MX record is similar. Click ‘Continue’ after selecting the desired option.
NOTE: Microsoft allows for the upload of a text file to the organisation’s website.
i
However, this guidance assumes that the website is not available.
cyber.gov.au 15
4. Microsoft will attempt to identify the DNS hosting provider. If known, they will provide the steps to edit the DNS
records or a link to the DNS provider’s guidance documentation. To continue with this step, in a separate internet
browser window or tab, go to the organisation’s DNS hosting provider portal and add the identified TXT record
information. After editing the DNS record information on the hosting provider portal, return to the Microsoft 365
page and click ‘Verify’.
WARNING: It is important not to edit existing records at this stage. The DNS record entry is
to be added to existing entries only.
! Changes to DNS record information can take some time for Microsoft to find. If Microsoft
cannot find the new DNS record after clicking ‘Verify’, keep retrying. Depending on the DNS
hosting provider, changes can generally take anywhere from a few minutes to 48 hours.

5. Once Microsoft successfully verifies the domain, the page will automatically update to enable
the adding of users and assigning of licenses. By default, the initial account created during Stage
2 will have all relevant licences assigned and will be assigned the role of Global Administrator,
see learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles. It is not
necessary to create any additional users at this stage of the setup. Click ‘Do this later’.
6. To connect Microsoft 365 to the organisation’s domain, the DNS records require modification in the
DNS hosting provider portal. Click the default option ‘Add your own DNS records’. Click ‘Continue’.
cyber.gov.au 17
7. The next screen provides the DNS record information to implement in the DNS hosting provider portal. Follow
the guidance provided on this page and within the organisation DNS hosting provider guidance to add the DNS
records. Once complete click ‘Continue’.
WARNING: The changes made at this stage will cause all emails sent to the
organisation domain to be re-routed to the new Microsoft 365 tenant. Ensure a
backup of the DNS information in the hosting provider portal is made to enable the
organisation to switch back to the enterprise email solution when possible.
If the organisation can receive emails during the cyber security incident, it is
!
recommended not to proceed with this step until the catch-all mailbox is configured
within Exchange Online to minimise the risk of lost email messages during the change.
As with Step 4, changes to DNS record information can take some time for Microsoft
to verify. If Microsoft cannot find the new DNS record, keep retrying. Depending on the
DNS hosting provider, changes can take anywhere from a few minutes to 48 hours.
8. Once the DNS record information is configured and Microsoft can verify the updates, the setup will finish. The DNS
record information is now pointing to the new Microsoft 365 Business Standard tenant.

Stage 4: Run Automated Configuration of Environment
Overview
This stage applies configuration settings to the newly provisioned Microsoft 365 tenant via the automation tool,
which comprises a collection of PowerShell scripts that apply a secure baseline.
The automation tool will perform the following actions:
1. Install required Microsoft modules from the PowerShell gallery
2. Create a connection to the Microsoft 365 tenant
3. Apply the specified settings to the Microsoft 365 tenant and associated Exchange Online instance
4. Create a ‘catch-all’ mailbox, associated group, and mail transport rules
5. Create an emergency ‘break glass’ administration account
6. Close the connection to the Microsoft 365 tenant
WARNING: The ‘catch-all’ mailbox created by the automation tool is not supported by
Microsoft due to its lesser filtering capability and resultant increased risk of spam and
undetected phishing attempts.
Access to the catch-all mailbox should therefore be restricted and closely monitored to
reduce the likelihood of an unskilled operator accessing a potentially malicious email
message.
Where practical, the catch-all mailbox should be provisioned for as short a period as possible.
Once all users have been created within the new Microsoft 365 tenant, or business operations
are restored, the mailbox should be removed.
!
To minimise the impact to the Microsoft 365 tenant in the event of accessing a malicious
email message held within the catch-all mailbox, a separate user account should be created
with minimal access permissions to the remainder of the Microsoft 365 tenant. Ideally, this
user should be the only user to access the catch-all mailbox. However, given the limited
availability of user licenses within the trial tenant and the cost of an additional user licence,
this is something organisations will need to individually determine based on their own risk
assessment.
Additionally, the Microsoft 365 Business Standard subscription only allows each user up to 50
GB of mailbox storage per user. Given the nature of the catch-all mailbox, once this size limit is
reached, additional mail may be rejected.
Stage Prerequisites

3. The Business Continuity in a Box PowerShell module available from: cyber.gov.au/resources-
business-and-government/essential-cyber-security/smallbusiness/business-continuity-box
4. Username and password of an account with the Global Administrator role
NOTE: If continuing from previous stages within this guidance, the account created
i
in Stage 2 of the document has the necessary Global Administrator permissions.
cyber.gov.au 19
Process
Step 1: Preparation
1. Navigate to cyber.gov.au/resources-business-and-government/essential-cyber-security/
smallbusiness/business-continuity-box and download the automation tool compressed
folder, then open File Explorer and navigate to the download location of the folder.
a. Press the Windows Key on the keyboard or click the Windows button on the Taskbar.
b. In the “Search for apps, settings and documents” textbox, type “File Explorer” and click ‘Open’.
c. Navigate to the folder where the automation tool folder was extracted (e.g., Downloads).
2. Extract the contents of the package to a nominated location.
WARNING: Before performing the following steps, ensure the downloaded automation tool
! folder is from cyber.gov.au/resources-business-and-government/essential-cyber-security/
smallbusiness/business-continuity-box.
a. Right click on the file and select ‘Properties’.

b. In the pop-up window that appears locate the ‘Unblock’ checkbox in the bottom
right corner and place a tick in the checkbox to select the item.
c. Click ‘OK’ to return to Windows Explorer.

d. Right click on the file again and select ‘Extract All...’.
e. In the pop-up window that appears select the desired location to extract the files.
f. Click ‘Extract’.
NOTE: Access to the Microsoft 365 tenant is dependent on the account that is used to
sign in. As such, there is no configuration required for the script to apply the default
configuration settings.
i
More specific configuration of the Microsoft 365 tenant is possible by editing the
configuration settings within the associated configuration files. This guidance does not
cover customised tenant configuration.

Step 2: Run the Automation Tool
1. The automation tool can be run using either a Windows Normal User or Windows Administrator account.
2. To run the automation tool with the currently logged-in user, open the extracted package in File Explorer.
a. Press the Windows Key on the keyboard or click the Windows button on the Taskbar.
b. In the ‘Search for apps, settings, and documents’ textbox, type ‘File Explorer’ and then click ‘Open’.
c. Navigate to the folder where the automation tool folder was extracted and open the folder.
3. Locate the file BCiaB.bat and double click the file to begin implementation.
4. A window will appear.
5. Early in the implementation, the operator will be presented with a prompt to enter the username and password for
a Microsoft 365 Global Administrator account. This is the username and password created within Stage 2 of the
setup process. Enter the username and password details of the user created during Stage 2 and click ‘Sign In’.
6. The automation tool will provide feedback to the operator on the process currently running. Do
not exit the open applications or shutdown the computer until the tool has finished.
7. Once the automation tool has finished, the user will be presented with a completion screen with a report
summarising the process and the changes, which can be used to troubleshoot any unexpected issues.
8. The new Microsoft 365 Business Standard trial tenant is now configured.
NOTE: Some settings may take time to be activated by background Microsoft processes.
i Microsoft advises that configuration can take up to 24 hours for certain features
and capabilities.
cyber.gov.au 21
Stage 5: Validate Environment
Overview
This stage walks through the process of verifying that the previous stages have been implemented correctly.
The operator will log into the new Microsoft 365 tenant, send an email from an external email service to the new
tenant, and then send an email from the new tenant to an external email address.
Process
1. Open an internet browser and navigate to Microsoft Outlook https://outlook.com.
2. Click ‘Sign in’, using the username and password of the Global Administrator account created in Stage 2.
3. Microsoft Outlook will open to the user mailbox.
4. Add the catch-all mailbox to the available folders:

a. Right click ‘Folders’ in the left-hand navigation pane.
b. Click ‘Add shared folder or mailbox’.
c. Type the email address of the catch-all mailbox in the dialog box and select ‘Add’.
The catch-all mailbox email address will be ‘catch-all@<domain>’ where <domain>
is the organisation domain not the initial ‘onmicrosoft.com’ domain.
5. Open a new internet browser tab and navigate to the email account used for account verification
in Stage 1 or another email account not associated with the new Microsoft 365 tenant.
6. Send an email to the Global Administrator email address.
7. Send an email to ‘info@<domain>’ where <domain> is the organisation domain not the ‘onmicrosoft.com’ domain.
NOTE: It is recommended you do not setup any email addresses before this stage,
as doing so may potentially create a new mailbox within Exchange Online. If the
i Microsoft 365 tenant already has an ‘info’ mailbox, replace ‘info@<domain>’ with
an alternative email address that does not exist to test that all email messages
sent to the organisation are captured within the catch-all mailbox.
8. Return to the tab opened in step 1 of this Stage.
9. Verify receipt of the email from step 6 within the Global Administrator mailbox.
10. Verify receipt of the email sent to ‘info@<domain>’ from step 7 by

selecting the catch-all mailbox in the available folders.
11. Create a new email within Outlook and send to the email account used in step 5 of this Stage.
12. Return to the email account in step 5 and verify receipt of the email from the Global Administrator.

Contact
For any enquiries concerning this guidance or to ASD’s ACSC via 1300 CYBER1 (1300 292 371), or by using
provide feedback, please navigate to cyber.gov.au/ ReportCyber at cyber.gov.au/report-and-recover/
about-us/about-asd-acsc/contact-us. Select ‘General report.
enquiry or feedback’, and choose ‘Business Continuity
United States organisations may report cyber
in a Box’ from the drop-down menu under ‘Your
incidents to CISA’s 24/7 Operations Center at report@
enquiry/feedback type’.
cisa.dhs.gov, cisa.gov/report, or (888) 282-0870.
If you or your organisation are victim of a data breach When available, please include information regarding
or cyber incident, follow relevant cyber incident the incident: date, time and location of the incident;
response and communication plans, as appropriate. type of activity; number of people affected; type
of equipment used for the activity; the name of
Australian organisations impacted by, or requiring
the submitting company or organisation; and a
assistance relating to, a cyber incident can contact
designated point of contact.
Appendix A: acronyms,
abbreviations and
definitions
This document uses the following acronyms and abbreviations:
Acronym or Abbreviation Definition
DNS Domain Name Service
Microsoft Entra ID Formerly Azure Active Directory
MX Mail Exchange DNS record
The person responsible for implementation of the Business

Operator
Continuity in a Box solution for an organisation.
PC Personal Computer
TXT Text DNS record
VOIP Voice over Internet Protocol
cyber.gov.au 23
Disclaimer

Copyright.



Business Continuity
in a Box
Guidance:
Continuity of Applications
Content Complexity
MODERATE
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
How to use this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Stage 1: Determine your critical applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Stage 2: Determine your continuity path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Stage 3: Deploying an IaaS application environment. . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Contact. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Appendix A: acronyms, abbreviations and definitions . . . . . . . . . . . . . . 14
Disclaimer
2 ASD’s ACSC | Business Continuity in a Box - Applications

Introduction
Purpose The concepts and examples in this document
use relevant cloud hosting providers’
Application continuity is critical to any organisation ‘rehosting’ guidance – also known as ‘lift and
in maintaining service availability and integrity. shift’ – for interim system deployment.
To reduce downtime, costs and business impact
of incidents, organisations should quickly stand
up interim solutions if their normal operating
How to use this document
environment is lost, unavailable or compromised. This document provides guidance for deploying
Depending on an organisation’s business an interim cloud-based business continuity
requirements, this may include internal services solution that leverages the benefits of a cloud-
such as payroll or file sharing, or more expansive hosted system or applications. Implementation
requirements such as engagements with of this guidance requires an intermediate level of
external providers, customers or the public. knowledge of cloud services. This guidance is not
for systems and services currently undergoing
Continuity of Applications focuses on establishing
redevelopment or redesign to leverage the benefits
interim business-critical applications during a cyber
of cloud hosting, nor new systems and services
incident. The package assists organisations to
provisioned directly to a cloud environment.
quickly and securely design and deploy an interim
cloud solution for hosting core applications. This document is divided into three consecutive
stages. It is recommended the reader review the
Before deploying the interim cloud solution,
document in its entirety before commencing
organisations must assess any risks associated
Stage 1. It is possible some organisations will not need
with organisational data being stored on an
to implement all three stages of this guidance. This
interim cloud solution, including any additional
will depend on an individual organisation’s needs
security controls that may be required.
and requirements established in Stages 1 and 2.
For guidance on how to assess and manage risk, see:
• Assess and Manage Risk at business.gov.au/risk-

management/risk-assessment-and-planning/
assess-and-manage-risk
Overview
Options for Software-as-a-Service (SaaS),
Platform-as-a-Service (PaaS) and Infrastructure-
as-a-Service (IaaS) are discussed within this
guidance, with a primary focus on IaaS.
This guidance – developed by the Australian Signals

Directorate’s Australian Cyber Security Centre (ASD’s
ACSC) with contributions from the United States
Cybersecurity and Infrastructure Security Agency
(CISA) – does not provide prescriptive or long-term
architectures. Instead, it provides an interim solution
for the deployment and operation of critical business
applications where an organisation’s systems
may have been affected by a cyber incident.
cyber.gov.au 3
Guidance
Stage 1: Determine your Software as a service
critical applications To ensure ease of deployment across many

corporate applications, one of the most common
Identifying critical business functions and their cloud services is SaaS – it offers both consumers
associated applications is integral to resuming and businesses cloud-based tools and applications
operations. Critical business functions are those for everyday use. Common examples include
activities that are vital to an organisation’s survival the Microsoft 365 suite of productivity software,
and to the resumption of business operations and MYOB or Xero for financial management.
Typically, critical business functions are those that: SaaS services are readily available as an off-
1. Are most impacted by downtime or unavailability the-shelf solution for most users. In many cases
companies offer a trial period followed by a
2. Play a key role in maintaining business monthly pay-as-you-go service, though they
operations and deliverables tend to create a lock in effect that means it
can be difficult to export data. Organisations
3. Fulfill legislative and/or regulatory obligations
should generally consider the use of SaaS when
4. Safeguard an irreplaceable asset looking for a more permanent cloud solution.
Identification and classification of functions: Platform as a service
1. Identify the critical business functions PaaS allows developers to host, build and deploy
of your organisation. their consumer-facing apps on a platform. Generally,
PaaS management and ownership stays with
2. Classify these critical business functions the developers, affording little to no control to
into the following categories: organisations regarding patching and updates of
iii. High (most critical) the underlying host infrastructure. PaaS can also
iv. Medium be slower to deploy than IaaS and SaaS, due to the
development time.
v. Low (least critical)
Based on the above factors, decide Infrastructure as a service
which functions are to be prioritised and IaaS platforms allow an organisation to manage their
included in the following stages. business resources such as their network, servers and
data storage on the cloud. IaaS is a pay-as-you-go
Stage 2: Determine service, which allows for cancellation any time after
the initial 30-day trial period. This makes it beneficial
your continuity path as a short-term business continuity solution.
When deciding on the best interim solution for an
organisation, key factors may include cost, and ease As an interim solution, an IaaS platform will most
of deployment and operation. SaaS, PaaS and IaaS closely mimic the existing computing infrastructure
are the three main cloud computing services with that would normally be hosted locally on an
each providing different features, functionalities and organisation’s premises. As IaaS can offer the ability
benefits. The most appropriate offering is dependent to replicate and recover core services in a rapid
on an organisation’s requirements for hosting, storing, and straightforward manner, the remainder of this
managing and processing information and data. guidance concentrates on the deployment of an IaaS
cloud solution.

Stage 3: Deploying an IaaS guidance each have key considerations, which
often in themselves can be broken into architecture
application environment principles. For simplicity, only the high-level principles
This section provides a high-level implementation are defined, with additional information in the
framework for deploying IaaS as a solution. This details of each principle. An overview of the three (3)
guidance includes a list of steps to follow, along with principles is provided.
a set of assumptions and constraints that should be Maintain security boundaries
considered before starting the deployment.
The principle of maintaining security boundaries
Assumptions emphasises the need to preserve the existing
This guidance assumes personnel implementing the security boundaries established in the on-
interim IaaS solution have: premises hosted system during the migration to
a cloud IaaS platform. For example, databases
• An understanding of cloud computing concepts residing on a server for the on-premises hosted
and architectures, including IaaS solution will remain on an equivalent IaaS host
• Access to the necessary cloud hosting provider rather than being migrated to an SQL PaaS.
services and tools to deploy the solution By maintaining existing security boundaries, the
• A good understanding of any organisation-specific organisation can retain the same level of control
configuration settings that need to be applied to the and visibility over its critical business systems,
IaaS solution ensuring a consistent security posture. This principle
allows for a smoother migration process, as it
Constraints minimises the need for significant architectural
The following constraints should be considered before changes whilst still taking advantage of the
deploying the interim IaaS architecture: benefits provided by cloud IaaS platforms.
• The IaaS solution must adhere to the security and Enhance security controls
compliance requirements of the organisation The principle of enhancing security controls
• The IaaS solution must meet any performance and highlights the importance of leveraging additional
availability requirements set by the organisation security capabilities available within cloud IaaS
platforms to strengthen the overall security posture
• The IaaS solution must be scalable for the of the migrated system. Cloud platforms offer
organisation’s requirements and easily maintainable various security features, such as network security
groups, security services, and identity and access
Architecture principles
management tools.
Cloud-based IaaS and PaaS deployments are
subject to several additional threats not commonly During the migration process, it is essential to identify
addressed in an on-premises architecture. This gaps with the on-premises hosted system and design
is typically due to the presence of compensating appropriate controls or compensating controls using
features for on-premises systems, which include single the available cloud platform features. By taking
network entry points, trusted user base, and limited advantage of these enhanced security controls, the
physical server access. As such, directly migrating an organisation can address the additional threats
on-premises system to a cloud-based IaaS solution introduced by cloud deployments and mitigate the
could immediately expose the rehosted system and associated risks effectively.
potentially the organisation to unaddressed risks. Ensure compliance and governance
To minimise these risks, this guidance introduces This principle emphasises the need to maintain
several architecture principles to allow the rapid regulatory compliance and adhere to the
migration of a system, effecting minimal changes organisation’s governance requirements. Moving to a
to the system and increasing security by leveraging cloud IaaS platform introduces additional compliance
additional security capabilities available within considerations such as data sovereignty, data
various cloud platforms. The principles within this protection, and other industry-specific regulations.
cyber.gov.au 5
To ensure appropriate compliance and governance Review and optimisation
arrangements, it is crucial to fully understand
12. Particularly in the initial stages of deployment,
the applicable regulations and requirements of
perform regular reviews of the migrated systems to
the organisation before migrating the system
determine where resources can be optimised, and
to the cloud. This assessment should inform the
costs reduced
design and implementation of security controls
and processes that align with organisation and 13. Document the new architecture and additional
regulatory compliance needs. Additionally, changes made to accommodate for the change to
organisations should establish proper monitoring a cloud hosting provider
and auditing mechanisms to maintain
compliance in a cloud-hosted environment. Components
IaaS implementations, regardless of selected CSP
Process
are comprised of several components or resources.
Planning When migrating on-premises systems to IaaS
platforms, it is essential to understand the differences
1. Select the cloud service provider (CSP) based on
in components and their corresponding security
your organisation’s operational requirements
controls to ensure secure operation of the system.
2. Define the target architecture for the system
By understanding and addressing the unique
3. Develop a plan for preparation, migration, security security considerations for each component
and compliance, and review and optimisation and the system, organisations can implement
effective security controls and measures
Infrastructure deployment
to protect their cloud IaaS solutions.
4. Procure a subscription from the selected CSP
Virtual infrastructure
5. Set up and configure necessary resources to meet
Virtual machines (VM) are the primary compute
operational needs
resources in a cloud IaaS environment. They host
6. Implement additional security features to address operating systems, applications, and services
any new threats resulting from the interim cloud required for system functionality. When migrating on-
implementation premises hosted systems, equivalent VMs should be
provisioned to maintain system architecture.
Data migration
Implement security controls for VMs, such as:
7. If possible, restore data from available backups
• Hardened Images: Utilise hardened VM images or
8. If necessary, ensure systems are connected to a templates that follow security best practices for the
centralised user directory specific operating system and application stack.
Security and compliance • Patch Management: Consistently apply
security patches and updates to VMs
9. Implement security controls suggested within the
to address known vulnerabilities.
examples and patterns, including encryption,
privileged administration workstations, gateway, • Anti-Malware/Antivirus: Install and configure
and federated identity security patterns anti-malware or antivirus software on VMs
to detect and prevent malicious activities.
10. Validate the security controls through testing and
auditing from within the cloud service provider • Least Privilege: Assign appropriate permissions
portals and tools and access controls to VMs to restrict access
to only approved administrators and users.
11. Implement additional compliance measures, such Storage
as implementing applicable security controls,
logging and monitoring, and reporting Cloud platforms offer several types of storage services
to store and manage data, such as:

• Object Storage: Object storage services, control and monitor privileged account usage.
such as Amazon S3, Azure Blob Storage, Utilise just-in-time access and session recording to
or Google Cloud Storage, allow storage limit the exposure of administrative privileges.
and retrieval of unstructured data, such as
• Privileged Access Reviews: Regularly review and
documents, images and multimedia files.
recertify privileged accounts and permissions
• Block Storage: Block storage is suitable for VMs to maintain appropriate access controls.
requiring persistent storage. This provides low-
Security
latency access and is suitable for hosting data,
such as operating system disks and databases. Implementing robust security measures is crucial to
protect the cloud environment and the hosted system
• File Storage: Leverage file storage services,
from potential threats and vulnerabilities.
such as Amazon EFS, Azure Files, or Google
Cloud File store to provide shared file Network Security
systems accessible by multiple VMs.
• Virtual Private Cloud (VPC): Utilise VPCs to quickly
• Backup and Recovery: Implement regular backup isolate the cloud environment and establish
and recovery mechanisms for critical data network segmentations. Configure subnets,
and configurations. Leverage snapshotting, network access control lists (ACLs), and security
replication, or cloud-native backup solutions groups to control inbound and outbound traffic.
provided by the CSP and if possible, copy
the backups to a separate location. • Firewalls: Implement virtual firewalls to filter
internet traffic and network and server firewalls
• Encryption: Enable encryption for data at to filter and control traffic flow between network
rest in storage services to protect sensitive components. If the on-premises environment
information from unauthorised access. separated the network into zones, ensure the
architecture is maintained through use of subnets
Identity and access management
and additional virtual firewalls if needed.
Identity and access management (IAM) is a critical
• Intrusion Detection and Prevention Systems (IDS/
component for controlling user access and managing
IPS): Deploy IDS/IPS solutions to detect and prevent
authentication and authorisation in a cloud
network-based attacks, anomalous traffic, and
environment.
known attack signatures. Unless an IDS/IPS solution
User and Access Management existed for the on-premises system, implementation
of this capability should at minimum, be deployed
• User Provisioning: Implement a centralised
between the internet and hosted network.
user management system or integrate with an
existing identity provider to enable user account Data Protection
management, authentication, and authorisation.
• Encryption: Utilise encryption mechanisms, such
• Multi-Factor Authentication (MFA): Enforce the as transport layer security (TLS) to protect data
use of MFA for user and administrator accounts to in transit between components and applications.
add an extra layer of security beyond passwords. Implement encryption for data at rest for sensitive
data stored in storage services or databases.
• Role-Based Access Control (RBAC): Define
roles with granular permissions and assign • Data Loss Prevention (DLP): Deploy DLP controls
to users based on job responsibilities. to detect and prevent the unauthorised
transmission or storage of sensitive data.
• Access Reviews: Conduct regular access reviews
Use predefined policies or custom rules to
to ensure user permissions are up to date
identify and mitigate data leakage risks.
and aligned with business requirements.
• Data Backup and Recovery: Establish a
• Privileged Access Management
regular backup and recovery strategy for
• Privileged Account Management: Implement critical data to ensure business continuity in
a privileged access management solution to the event of data loss or system failure.
cyber.gov.au 7
Endpoints Presented after this high-level guidance, are examples
of deployments for an n-tier architecture within Azure,
Endpoints refer to the devices or client systems
Amazon Web Services (AWS), and Google Cloud to
used to access the cloud-hosted system.
demonstrate the additional services that should be
• Endpoint Security: Implement endpoint protection considered to secure the system.
measures, including antivirus software, host-
Single-tier architecture
based firewalls, and secure configurations, on
devices used to access the cloud environment. A single-tier architecture is a simple, standalone
setup where the client, server and data storage
• Secure Remote Access: Utilise secure remote access
components are all combined in a single server. This
technologies, such as virtual private networks (VPNs)
model is typically implemented for small applications.
or bastion hosts, to establish secure connections
between client systems and the cloud environment. Advantages
IaaS architectural patterns • Easy to set up and manage due to its simplicity.
The following guidance provides three high-level • Cost-effective for small-scale applications.
architectural patterns that can be utilised in planning
the organisation’s interim IaaS cloud solution. The Disadvantages
patterns provide details of common architectures
• As the application grows, scalability
for systems, which are deployed in on-premises
can become a challenge.
environments, and can be rehosted to an equivalent
cloud-hosted solution. Each architecture represents • Since all components reside in a single
an approach to structuring a system within the cloud location, security and fault tolerance
environment. is sacrificed or significantly reduced
compared with other architectures.
Single-tier
A single-tier provides a combination of user

interface, business processing logic, and data
store in the form of a file system or database.
All system and user actions are processed here.
Figure 1 - Single tier system architecture

Two-tier architecture
In a two-tier architecture, the client and server components are separated, typically by a client tier (user
interface) that communicates directly with the data tier (database or file store).
Advantages
• Better performance and scalability than single tier, as the client and server are separated.
• Enables scalability of each tier or independent management, potentially

resulting in lower cost for greater performance gains.
Disadvantages
• Lack of separation between the application logic and database can

lead to slower performance as the application grows.
• Greater likelihood of security issues as there is a direct link between the client and database.
Client tier
This tier provides a combination of user

interface and business processing logic.
Actions from the user are evaluated,
logic decisions made, and calculations
performed. Information is sent to and
retrieved from the data tier. Presentation to
a user is typically done via a web page.
Data tier
This tier is responsible for the storage

and retrieval of information using a
database or file system. The information
is sent to the logic tier for processing.
Figure 2 - Two-tier system architecture
cyber.gov.au 9
N-tier architecture
An n-tier architecture (also known as multi-tier architecture) divides a system into three or more separate tiers.
A common model for this architecture is a system consisting of a presentation layer (client/user interface), an
application layer (business logic), and a data layer (database or file store).
Advantages
• High scalability and flexibility, as each tier can be managed, scaled, and updated independently.
• Provides increased security as each tier acts as a boundary, making it more

difficult for an attacker to compromise the entire system.
Disadvantages
• More complex to design, deploy and manage due to the separation of components.
• Requires careful design to ensure performance and responsiveness,

particularly as network latency can become a factor.
Presentation tier
Top level of an N-Tier architecture, providing the

user interface. The main function of this tier is to
translate users actions into system processes, and
system processing results into user understandable
information. Typicaly user interfaces may be in the
form of web pages or mobile device applications.
Logic / business processing tier
The system or service middle layer provides a

coordination function. Processes commands and
makes logic decisions and evaluations, including
performing calculations and processing and
movement of data between the presentation layer
and data layer.
Data tier
This tier is responsible for the storage and retrieval

of information using a database or file system. The
information is sent tot the logic tier for processing.
Figure 3 - N-tier system architecture

Example IaaS solutions A traditional three-tier application has a presentation
tier, a middle or application tier, and a database
The following solution designs provide details of a tier. The middle tier is optional. More complex
system rehosted from an on-premises environment applications can have more than three tiers.
to Azure, AWS, and Google Cloud. The details within The diagram below shows a typical 3-tier IaaS,
these examples provide information on the various encapsulating different areas of functionality.
technologies available within each platform.
Each tier consists of two or more VMs, placed in
Solution design example for Azure an availability set or virtual machine scale set.
Azure IaaS is a cloud computing service Multiple VMs provide resiliency in case one VM fails.
that offers essential computing, storage Load balancers are used to distribute requests
and networking resources on demand, across the VMs in a tier. A tier can be scaled
through a pay-as-you-go service. horizontally by adding more VMs to the pool.
Migration of your organisation’s infrastructure to an Each tier is also placed inside its own subnet, meaning
IaaS solution provides a reduction in maintenance its internal IP addresses fall within the same address
of the on-premises data centre, savings on range. That makes it easy to apply network security
hardware costs, and gains real-time business group rules and route tables to individual tiers.
insights. IaaS solutions allow the organisation The web and application tiers are stateless. Any
to scale IT resources up and down with business VM can handle any request for that tier. The data
demands. IaaS also helps the organisation to tier should consist of a replicated database.
quickly provision new applications and increase For Windows, we recommend SQL Server, using
the reliability of the underlying infrastructure. Always On availability groups for high availability.
Azure manages the infrastructure, while organisations For Linux, choose a database that supports
purchase, install, configure and manage their replication, such as Apache Cassandra.
software, including operating systems, middleware Network security groups restrict access to
and applications. Tiers are a way to separate each tier. For example, the database tier only
responsibilities and manage dependencies – each allows access from the application tier.
layer has a specific responsibility. A higher tier can use
services in a lower tier, but not the other way around. For secure administration of the system, it is
recommended to deploy an Azure Bastion service.
Tiers are physically separated, running on separate Bastion provides secure remote desktop protocol
machines. A tier can call another tier directly or (RDP) and secure socket shell (SSH) connectivity
use asynchronous messaging (message queue). to all the VMs in the virtual network in which it is
Although each layer might be hosted in its tier, it is provisioned. Azure Bastion protects your virtual
not required. Several layers might be hosted on the machines from exposing RDP/SSH ports to the outside
same tier. Physically separating the tiers improves world while providing secure access using RDP/SSH.
scalability and resilience but also adds latency
from the additional network communication.
Dev Ops Azure portal Bastian host Web tier Business tier Data tier
Primary SQL
Load Load Load

balancer balancer balancer
Secondary SQL
Internet WAF
Virtual network
Figure 4 – typical Azure N-tier IaaS system architecture
cyber.gov.au 11
Solution design example for AWS multiple times, whether in the same region and
account or multiple regions and accounts.
Amazon Elastic Compute Cloud (Amazon EC2)
provides scalable computing capacity in the AWS Amazon EC2 provides a Query API. These requests
Cloud. Using Amazon EC2 eliminates the need are HTTP or HTTPS requests that use the HTTP
for organisations to invest in hardware upfront verbs GET or POST and a query parameter
to develop and deploy applications faster. named Action. Developers may prefer to build
applications using language-specific APIs instead
Amazon EC2 can be used to launch as many
of submitting a request over HTTP or HTTPS.
or as few virtual servers as required, configure
AWS provides libraries, sample code, tutorials,
security and networking, and manage
and other resources for software developers.
storage. Amazon EC2 enables an organisation
to scale up or down to handle changes in When administering the EC2 platform, AWS strongly
requirements or spikes in the required resources, suggests using SSH access to further secure the
reducing the need to forecast traffic. services and their instances by implementing
a Bastion host, also known as a ‘Jump Box’.
Amazon EC2 provides a web-based user interface, the
Amazon EC2 console. Administrators can access the A bastion host is a special-purpose machine
privileged user interface after signing up for an AWS utilised for privileged access that is configured and
account, signing into the AWS Management Console, hardened to work against attacks. The machine
and selecting EC2 from the console home page. contains a single application, which it hosts.
Bastion hosts are accessed with the help of SSH
Amazon EC2 supports creating resources using AWS
or RDP protocols. After connectivity (remotely) is
CloudFormation. Developers can create a template
established with the bastion host, it allows using
in JSON or YAML that describes the organisation’s
SSH or RDP to log in to other instances (thereby
AWS resources, AWS CloudFormation provisions,
behaving like a ‘jump server’) that are present within
and configures those resources. Organisations
the private network/subnet. The diagram below
can reuse the developed CloudFormation
shows a typical AWS EC2 3-tier IaaS architecture.
templates to provision the same resources
Availability zone A
Dev Ops Bastian host Web subnet 01 Application subnet 01 Database subnet 01
Web server EC2 App server EC2 Database master

Auto Auto
Scaling Scaling
Synchronous
Application Network replication
WAF load balancer load balancer
Web server EC2 App server EC2 Database replica
Web subnet 02 Application subnet 02 Database subnet 02
Availability zone B
Figure 5 – typical Amazon Web Services N-Tier IaaS system architecture

Solution design example for Google Cloud Platform and firewall rules, are global resources and are
not associated with any distinct region or zone.
Google Cloud Platform (GCP) is a suite of cloud
A VPC network provides the following benefits:
computing resources for developing, deploying and
operating applications on the web. GCP utilises the • Connectivity to your Compute Engine VM instances,
same infrastructure that Google uses internally for including Google Kubernetes Engine (GKE) clusters,
its end-user products. GCP IaaS provides a series of App Engine flexible environment instances, and
modular cloud services, including computing, data other GCP products built on Compute Engine VMs.
storage, data analytics and machine learning.
• Native Internal TCP/UDP Load Balancing and proxy
GCP provides whole infrastructure for business systems for Internal HTTP(S) Load Balancing.
applications and assures security and reliability.
• Connection to on-premises networks using Cloud
GCP provides many APIs such as YouTube,
VPN tunnels and Cloud Interconnect attachments.
Gmail, maps etc. It includes the options to
create projects and work on specific projects, • Distributes traffic from Google Cloud
thus creating isolation. GCP is widely used in external load balancers to back ends.
app development, as it provides several APIs.
Google recommends that the management of the
When applications, websites or other cloud services GCP be conducted by a bastion host, providing
are run on GCP, Google tracks the resources being an external facing point of entry into a network
used, such as processing power, storage and containing private network instances. Bastion
network connections. Unlike most conventional host offers a single point of fortification or audit
services that charge by the month, GCP charges and can be started and stopped to enable or
by the minute to keep customer costs low. When disable inbound SSH. By using a bastion host,
using GCP to build and deliver your services, privileged users can connect to a VM that does
organisations can leverage the power of hyperscale not have an external IP address. This approach
in data centres or borrow sophisticated analytics allows administrators to connect to a development
and AI functions to reach users worldwide. environment or manage the database instance – at
times without configuring additional firewall rules
The GCP Virtual Private Cloud (VPC) network is a
– for an external application. The below diagram
virtual version of a physical network implemented
represents typical GCP N-Tier architecture.
inside Google’s production network using Andromeda.
VPC networks, along with their associated routes
Dev Ops Bastian host Cloud NAT
Cloud load balancer Managed Cloud ﬁrewall Cloud SQL

& Cloud DNS instance group rules
Figure 6 – typical Google Cloud Platform N-tier IaaS system architecture
cyber.gov.au 13
Contact
For any enquiries concerning this guidance or to ASD’s ACSC via 1300 CYBER1 (1300 292 371), or by using
provide feedback, please navigate to cyber.gov.au/ ReportCyber at cyber.gov.au/report-and-recover/
about-us/about-asd-acsc/contact-us. Select ‘General report.
enquiry or feedback’, and choose ‘Business Continuity
United States organisations may report cyber
in a Box’ from the drop-down menu under ‘Your
incidents to CISA’s 24/7 Operations Center at report@
enquiry/feedback type’.
cisa.dhs.gov, cisa.gov/report, or (888) 282-0870.
If you or your organisation are victim of a data breach When available, please include information regarding
or cyber incident, follow relevant cyber incident the incident: date, time and location of the incident;
response and communication plans, as appropriate. type of activity; number of people affected; type
of equipment used for the activity; the name of
Australian organisations impacted by, or requiring
the submitting company or organisation; and a
assistance relating to, a cyber incident can contact
designated point of contact.
Appendix A: acronyms,
abbreviations and
definitions
This document uses the following acronyms and abbreviations:
Acronym or Abbreviation Definition
ACL Access Control Lists
Amazon EC2 Amazon Elastic Compute Cloud
API Application Programming Interface
AWS Amazon Web Services
CSP Cloud Service Provider
DLP Data Loss Prevention
EFS Elastic File System
GCP Google Cloud Platform

GKE Google Kubernetes Engine
HTTP(S) Hyper Text Transfer Protocol (Secure)
IaaS Infrastructure-as-a-Service
IDS/IPS Intrusion Detection and Prevention Systems
IP Internet Protocol
JSON JavaScript Object Notation
MFA Multifactor Authentication
PaaS Platform-as-a-Service
RBAC Role based Access Control
RDP Remote Desktop Protocol
SaaS Software-as-a-Service
SQL Structured Query Language
SSH Secure Socket Shell
TCP Transmission Control Protocol
TLS Transport Layer Security
UDP User Datagram Protocol
VM Virtual Machine
VPC Virtual Private Cloud
VPN Virtual Private Network
YAML A Human-Readable Data Serialisation Language
cyber.gov.au 15
Disclaimer

Copyright.



BCP in A Box

Uploaded by

Copyright:

Available Formats

BCP in A Box

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BCP in A Box

Uploaded by

Copyright:

Available Formats

Business Continuity

Why use Business Continuity in a Box? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Is Business Continuity in a Box right for your organisation?. . . . . . . . . . 5

How does Business Continuity in a Box fit into a cyber incident

2 ASD’s ACSC | Business Continuity in a Box - Overview

Why use Business

Whilst a Business Continuity Plan (BCP) remains • Business-Critical Applications

4 ASD’s ACSC | Business Continuity in a Box - Overview

Keep communication flowing

Establish interim core applications

Business Continuity in a Box

Continuity of • Written guidance on provisioning a

• CIS Microsoft 365 Benchmark at cisecurity. • Australian organisations impacted by, or

6 ASD’s ACSC | Business Continuity in a Box - Overview

The Commonwealth accepts no responsibility or liability for any damage, loss or

Use of the Coat of Arms.

For more information, or to report a cyber security incident, contact us:

How to use this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Stage 2: Provision Microsoft 365 Business Standard Tenant . . . . . . . . . . . . . . . . . . . . . 7

Stage 3: Configure Organisation Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Stage 4: Run Automated Configuration of Environment. . . . . . . . . . . . . . . . . . . . . . . 19

Stage 5: Validate Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Appendix A: acronyms, abbreviations and definitions . . . . . . . . . . . . . 23

2 ASD’s ACSC | Business Continuity in a Box - Communications

What is Microsoft 365?

• Microsoft 365 and Office 365 Plan Options at learn.microsoft.com/en-au/office365/

• Microsoft Entra ID provides centralised Identity and Access Management

• Office Applications are the online versions of the equivalent desktop

• Teams provides a platform for unified communications and collaboration.

How to use this document

NOTE: Information to assist the reader in understanding the document, including

WARNING: Highlights information that requires careful attention, such as implementation

4 ASD’s ACSC | Business Continuity in a Box - Communications

STAGE 1 STAGE 2 STAGE 3 STAGE 4 STAGE 5

Review pack Provision Configure Run automated Validate

WARNING: Incorrectly configuring, adding or removing an organisation’s DNS records can

6 ASD’s ACSC | Business Continuity in a Box - Communications

• Microsoft Business Subscriptions and Billing Documentation at learn.microsoft.com/en-au/microsoft-365/commerce

Stage 2: Provision Microsoft 365 Business Standard Tenant

The trial provides up to 25 user licences for 30 days.

1. PC with a connection to the Internet

2. Up-to-date web browser

5. Valid credit card

2. Select ‘Try free for one month’.

8 ASD’s ACSC | Business Continuity in a Box - Communications

5. Click ‘Set up account’.

10 ASD’s ACSC | Business Continuity in a Box - Communications

• Understand Billing Accounts at learn.microsoft.com/en-us/

12 ASD’s ACSC | Business Continuity in a Box - Communications

13. The Microsoft 365 Business Standard trial is now active.

1. PC with a connection to the Internet

2. Up-to-date web browser

14 ASD’s ACSC | Business Continuity in a Box - Communications

16 ASD’s ACSC | Business Continuity in a Box - Communications

18 ASD’s ACSC | Business Continuity in a Box - Communications

The automation tool will perform the following actions:

1. Install required Microsoft modules from the PowerShell gallery

2. Create a connection to the Microsoft 365 tenant

4. Create a ‘catch-all’ mailbox, associated group, and mail transport rules