This section of the ISM provides guidance on cryptographic system management.

Cryptographic systems

Cryptographic systems comprise cryptographic equipment and keying material. Where security controls for cryptographic systems are different to other systems, the variations are contained in this section.

Commercial grade cryptographic equipment

Transporting Commercial Grade Cryptographic Equipment (CGCE) in a keyed state may expose the keying material in it to potential compromise. Therefore, if CGCE is transported in a keyed state, the transport should be based on the sensitivity or classification of the keying material in it.

If CGCE or associated keying material is compromised or suspected of being compromised (e.g. stolen, lost, copied or communicated over the internet) then the confidentiality and integrity of previous and future communications may also be compromised.

Security Control: 0501; Revision: 4; Updated: Sep-18; Applicability: O, P
Keyed CGCE is transported based on the sensitivity or classification of the keying material in it.

Security Control: 0142; Revision: 3; Updated: Jun-19; Applicability: O, P
The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs.

Security Control: 1091; Revision: 5; Updated: Jun-19; Applicability: O, P
Keying material is changed when compromised or suspected of being compromised.

High Assurance Cryptographic Equipment

High Assurance Cryptographic Equipment (HACE) can be used by organisations to protect highly classified information. ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and equipment-specific doctrine outline the requirements that need to be complied with for the use of HACE.

Security Control: 0499; Revision: 8; Updated: Apr-19; Applicability: S, TS
ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine are complied with when using HACE.

Storing cryptographic equipment

As cryptographic equipment can protect sensitive or classified information, additional physical security controls should be applied to its storage.

Security Control: 0505; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes.

Security Control: 0506; Revision: 3; Updated: Sep-18; Applicability: S, TS
Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area.

Further information

Further information on the use of HACE can be found in associated ACSIs. ACSIs can be provided to organisations by the ACSC upon request.

Further information on Security Zones and secure rooms can be found in AGD’s PSPF, Entity facilities policy, at https://www.protectivesecurity.gov.au/physical/entity-facilities/Pages/default.aspx.