ICT equipment and media register
Maintaining and regularly auditing a register of authorised ICT equipment and media can assist organisations in both tracking legitimate assets and determining whether unauthorised assets have been introduced into a system or its operating environment.
Security Control: 0336; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS
An ICT equipment and media register is maintained and regularly audited.
Security Control: 0159; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
All ICT equipment and media are accounted for on a regular basis.
Securing ICT equipment and media
ICT equipment and media need to be secured when not in use. This can be achieved by implementing one of the following approaches:
- securing ICT equipment and media in an appropriate security container or secure room
- using ICT equipment without hard drives and sanitising memory at shut down
- encrypting hard drives of ICT equipment and sanitising memory at shut down
- sanitising memory of ICT equipment at shut down and removing and securing any hard drives.
If none of the above approaches are feasible, organisations may wish to minimise the potential impact of not securing ICT equipment when not in use. This can be achieved by preventing sensitive or classified information from being stored on hard drives (e.g. by storing user profiles and documents on network shares), removing temporary user data at logoff, scrubbing virtual memory at shut down, and sanitising memory at shut down. It should be noted, though, that there is no guarantee that such measures will always work effectively or will not be bypassed due to circumstances such as an unexpected loss of power. Therefore, hard drives in such cases will retain their sensitivity or classification for the purposes of reuse, reclassification, declassification, sanitisation, destruction and disposal.
Security Control: 0161; Revision: 5; Updated: Mar-19; Applicability: O, P, S, TS
ICT equipment and media are secured when not in use.
Further information on ICT equipment and media can be found in the fax machines and multifunction devices section of the Guidelines for Communications Systems as well as in the Guidelines for ICT Equipment and Guidelines for Media.
Further information on the encryption of media can be found in the Guidelines for Cryptography.
Further information on the storage of ICT equipment can be found in AGD’s PSPF, Physical security for entity resources policy, at https://www.protectivesecurity.gov.au/physical/physical-security-entity-resources/Pages/default.aspx.