ICT equipment management policy
Since ICT equipment is capable of processing, storing or communicating sensitive or classified information, it is important that an ICT equipment management policy is developed and implemented to ensure that ICT equipment, and the information it processes, stores or communicates, is protected in an appropriate manner.
Security Control: 1551; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS
An ICT equipment management policy is developed and implemented.
Classifying ICT equipment
The purpose of classifying ICT equipment is to acknowledge the sensitivity or classification of information that it is approved for processing, storing or communicating.
Classifying ICT equipment also assists in ensuring that the appropriate sanitisation, destruction and disposal processes are followed at the end of its life.
Security Control: 0293; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating.
Labelling ICT equipment
Applying protective markings to ICT equipment helps reduce the likelihood that a user will accidentally input information that the equipment is not approved for processing, storing or communicating.
While text-based protective markings are typically used for labelling ICT equipment, there may be circumstances where colour-based protective markings or other marking schemes need to be used instead. In such cases, the marking scheme will need to be documented and personnel will need to be trained in its use.
Security Control: 0294; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification.
Labelling high assurance ICT equipment
High assurance ICT equipment often has tamper-evident seals placed on its external surfaces. To assist users in noticing changes to these seals, and to prevent functionality being degraded, organisations should limit the use of labels on high assurance ICT equipment.
Security Control: 0296; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment.
Handling ICT equipment
As ICT equipment can often retain sensitive or classified information, it will need to be handled, and subsequently protected, as per the sensitivity or classification of information that it displays, processes, stores or communicates. However, applying encryption to media within ICT equipment may reduce the requirements for storage and physical transfer. Any reduction in requirements needs to be based on the original sensitivity or classification of information residing on media within the ICT equipment and the level of assurance in the encryption software being used to encrypt the media.
Security Control: 1599; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
ICT equipment is handled in a manner suitable for its sensitivity or classification.
Further information on classifying and labelling of media can be found in the media usage section of the Guidelines for Media.
Further information on the use of protective markings can be found in the Attorney-General’s Department (AGD)’s Protective Security Policy Framework (PSPF), Sensitive and classified information policy, at https://www.protectivesecurity.gov.au/information/sensitive-classified-information/Pages/default.aspx.