
August 2019 ISM Changes

The Australian Government Information Security Manual

Executive summary

  • Minor changes to ‘intended audience’ and ‘further information’ content.

Applying a risk-based approach to cyber security

  • Minor grammar corrections throughout the section.
  • Changes to ‘authorise the system’ content to note that, in the absence of a Chief Information Security Officer, a Chief Security Officer, a Chief Information Officer or other senior executive in the organisation should accept security risks associated with a system before it is authorised to operate.
  • Changes to ‘monitor the system’ content to note that cyber threats and security risks in a system’s operating environment should also be monitored.

Guidelines for Roles and Responsibilities

Chief Information Security Officer

  • Minor changes to ‘responsibilities’ content to note that Chief Information Security Officers work with the Chief Security Officer, Chief Information Officer and other senior executives within their organisation.

System owners

  • Removal of the further information reference to the change management section of the Guidelines for System Management as it was no longer directly relevant to the content in this section.

Guidelines for Cyber Security Incidents

Detecting cyber security incidents

  • Change to ‘intrusion detection and prevention policy’ content.
  • Security control 0576 was modified to refer to an intrusion detection and prevention policy rather than a strategy. The content for such a policy was reviewed and lifted up into the associated rationale for this security control.

Security Control: 0576; Revision: 7; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
An intrusion detection and prevention policy is developed and implemented.

Managing cyber security incidents

  • Minor change to ‘cyber security incident register’ content.
  • Security control 0125 was modified to refer explicitly to a cyber security incident register.

Security Control: 0125; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Should
A cyber security incident register is maintained with the following information:

  • the date the cyber security incident occurred
  • the date the cyber security incident was discovered
  • a description of the cyber security incident
  • any actions taken in response to the cyber security incident
  • to whom the cyber security incident was reported.

  • Minor change to ‘further information’ content.

Guidelines for Security Documentation

Development and maintenance of security documentation

  • Minor changes to ‘security documentation’ content.
  • Minor changes to ‘approval of security documentation’ content.
  • Addition of further information references to all strategies, policies, processes, procedures and registers mentioned throughout the document.

System-specific security documentation

  • Changes to ‘System Security Plan’ content to note that the document formerly known as the ‘Statement of Applicability’ now forms an annex to a system’s System Security Plan.
  • Security control 0041 was modified to specifically note the inclusion of an annex to the System Security Plan.

Security Control: 0041; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Systems have a SSP that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system.

  • ‘Standard Operating Procedures’ content was moved, along with security control 0042, to the system administration section of the Guidelines for System Management.
  • Removal of ‘further information’ content due to being captured in a more comprehensive list within the development and maintenance of security documentation section.

Guidelines for Physical Security

ICT equipment and media

  • Minor changes to ‘ICT equipment and media register’ content.
  • Security control 0336 was modified to refer explicitly to an ICT equipment and media register.

Security Control: 0336; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
An ICT equipment and media register is maintained and regularly audited.

Wireless devices and Radio Frequency transmitters

  • Security control 1543 was modified to refer explicitly to an authorised RF devices for SECRET and TOP SECRET areas register.

Security Control: 1543; Revision: 1; Updated: Aug-19; Applicability: S, TS; Priority: Should
An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited.

Guidelines for Personnel Security

Cyber security awareness raising and training

  • Minor change to ‘further information’ content.

Access to systems and their resources

  • Changes to ‘system access requirements’ content to include access to system resources.
  • Security control 0432 was modified to include access to system resources.

Security Control: 0432; Revision: 5; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Each system’s System Security Plan specifies any authorisations, security clearances and briefings necessary for access to the system and its resources.

  • Changes to ‘security clearances, briefings and user identification’ content.
  • All ‘user identification’ and ‘shared user accounts’ content from the Guidelines for System Hardening, including security controls 0414, 0975, 0420, 1538 and 0415, was merged with the ‘security clearances and briefings’ content.
  • Security control 0434 was modified to include access to system resources.

Security Control: 0434; Revision: 6; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources.

  • Security control 0435 was modified to include access to system resources.

Security Control: 0435; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Personnel receive any necessary briefings before being granted access to a system and its resources.

  • Security control 0414 was modified to focus on the identification of users. Guidance relating to authenticating users was moved into security control 1546 in the Guidelines for System Hardening.

Security Control: 0414; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Personnel granted access to a system and its resources are uniquely identifiable.

  • Security control 0415 was modified to note that when shared user accounts are used, personnel using such accounts still need to be uniquely identifiable by some other means.

Security Control: 0415; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable.

  • Security control 0975 was modified to use consistent language with security controls 0420 and 1538.

Security Control: 0975; Revision: 7; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Should
Personnel who are foreign nationals are identified as such, including by their specific nationality.

  • Security control 0420 was modified to include systems that process or communicate Australian Eyes Only (AUSTEO) and Australian Government Access Only (AGAO) information.

Security Control: 0420; Revision: 8; Updated: Aug-19; Applicability: S, TS; Priority: Must
Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality.

  • Security control 1538 was modified to reference the correct protective marking for Releasable To (REL) information.

Security Control: 1538; Revision: 1; Updated: Aug-19; Applicability: P, S, TS; Priority: Must
Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality.

  • Minor changes to ‘standard access to systems by foreign nationals’ content.
  • Security control 0409 was modified to ensure consistency with similar controls that focus on effective security controls being in place.

Security Control: 0409; Revision: 5; Updated: Aug-19; Applicability: S, TS; Priority: Must
Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them.

  • Security control 0411 was modified to ensure consistency with similar controls that focus on effective security controls being in place.

Security Control: 0411; Revision: 5; Updated: Aug-19; Applicability: S, TS; Priority: Must
Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them.

  • Security control 0816 was modified to reference the correct protective marking for REL information.

Security Control: 0816; Revision: 5; Updated: Aug-19; Applicability: P, S, TS; Priority: Must
Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them.

  • Changes to ‘privileged access to systems’ content.
  • Changes to ‘privileged access to systems by foreign nationals’ content.
  • Security controls 0446 and 0447 were modified to use consistent language with security controls 0409 and 0411.

Security Control: 0446; Revision: 3; Updated: Aug-19; Applicability: S, TS; Priority: Must
Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information.

Security Control: 0447; Revision: 3; Updated: Aug-19; Applicability: S, TS; Priority: Must
Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information.

  • Security control 1545 was added to cover privileged access to systems by foreign nationals where such systems process, store or communicate REL information.

Security Control: 1545; Revision: 0; Updated: Aug-19; Applicability: P, S, TS; Priority: Must
Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information.

  • Minor changes to ‘suspension of access to systems’ content.
  • Security control 0430 was slightly reworded.

Security Control: 0430; Revision: 6; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Access to systems, applications and information is removed or suspended on the same day personnel no longer have a legitimate requirement for access.

Guidelines for Communications Infrastructure

Cable management

  • Security control 0926 was modified to reflect the absence of a specified colour for colour-based protective markings for official and sensitive information within the Protective Security Policy Framework (PSPF).

Security Control: 0926; Revision: 6; Updated: Aug-19; Applicability: O; Priority: Should
The cable colours in the following table are used.

System      Cable Colour
OFFICIAL    Black or grey

  • Security control 0186 was modified to reflect the mandatory colours specified for colour-based protective markings for classified information within the PSPF’s Sensitive and classified information policy (see Table 3 – Minimum protective markings for sensitive and security classified information). Further, the priority for PROTECTED and SECRET cabling was raised to ensure compliance with PSPF requirements even when outside of TOP SECRET areas.

Security Control: 0186; Revision: 5; Updated: Aug-19; Applicability: P, S, TS; Priority: Must
The cable colours in the following table are used.

System        Cable Colour
TOP SECRET    Red
SECRET        Salmon (Pink)
PROTECTED     Blue

Cable labelling and registration

  • Changes to ‘cable labelling process and procedures’ content.
  • Security control 0206 was modified to focus on the process and procedures for cable labelling.

Security Control: 0206; Revision: 5; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Should
A cable labelling process, and supporting cable labelling procedures, is developed and implemented.

Guidelines for Communications Systems

Telephone systems

  • Security control 1078 was modified to refer explicitly to a telephone systems usage policy.

Security Control: 1078; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A telephone systems usage policy is developed and implemented.

Fax machines and multifunction devices

  • Minor change to ‘using cryptographic equipment with fax machines and multifunction devices’ content.
  • Security control 0588 was modified to refer explicitly to a fax machine and MFD usage policy.

Security Control: 0588; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A fax machine and MFD usage policy is developed and implemented.

Guidelines for Enterprise Mobility

Mobile device management

  • Minor changes to ‘mobile device management policy’ content.
  • Security control 1533 was modified to refer explicitly to a mobile device management policy.

Security Control: 1533; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A mobile device management policy is developed and implemented.

  • Security control 1399 was reviewed and merged into security control 1400.

Security Control: 1400; Revision: 2; Updated: Aug-19; Applicability: O, P; Priority: Must
Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC hardening guidance, and have enforced separation of official and classified information from any personal information.

  • Security control 1481 was reviewed and merged into security control 1482.

Security Control: 1482; Revision: 1; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Personnel accessing official or classified information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC hardening guidance.

Mobile device usage

  • Minor change to ‘mobile device usage policy’ content.
  • Security control 1082 was modified to refer explicitly to a mobile device usage policy.

Security Control: 1082; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A mobile device usage policy is developed and implemented.

  • Minor change to ‘mobile device emergency sanitisation process and procedures’ content.
  • Security control 0701 was modified to include a mobile device emergency sanitisation process to guide the existing recommendation for emergency sanitisation procedures.

Security Control: 0701; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented.

  • Security control 0702 was modified to refer to the guiding mobile device emergency sanitisation process rather than the specific mobile device emergency sanitisation procedures.

Security Control: 0702; Revision: 4; Updated: Aug-19; Applicability: S, TS; Priority: Must
If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process.

Guidelines for ICT Equipment Management

ICT equipment usage

  • New content added on ‘ICT equipment management policy’ to cover the management of all forms of ICT equipment.
  • Security control 1551 was added to cover the development and implementation of an ICT equipment management policy.

Security Control: 1551; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
An ICT equipment management policy is developed and implemented.

ICT equipment sanitisation and disposal

  • Minor change to ‘ICT equipment sanitisation and disposal process and procedures’ content.
  • Security control 0313 was modified to include a process for ICT equipment sanitisation.

Security Control: 0313; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented.

  • Security control 1550 was added to include a process for ICT equipment disposal.

Security Control: 1550; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented.

Guidelines for Media Management

Media usage

  • New content added on ‘media management policy’ to cover the management of all forms of media (including within ICT equipment).
  • Security control 1549 was added to cover the development and implementation of a media management policy.

Security Control: 1549; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A media management policy is developed and implemented.

  • Changes to ‘media usage policy’ content to focus on the use of removable media by users.
  • Security control 1359 was modified to focus on the use of removable media by users.

Security Control: 1359; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A removable media usage policy is developed and implemented.

  • Minor changes to ‘connecting media to systems’ content.

Media sanitisation

  • Minor changes to ‘media in ICT equipment’ content.
  • Minor change to ‘hybrid hard drives’ content.
  • Minor change to ‘solid state drives’ content.
  • Minor changes to ‘media sanitisation process and procedures’ content.
  • Security control 0348 was modified to include a process for media sanitisation.

Security Control: 0348; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented.

Media destruction

  • Minor changes to ‘media destruction process and procedures’ content.
  • Security control 0363 was modified to include a process for media destruction.

Security Control: 0363; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A media destruction process, and supporting media destruction procedures, is developed and implemented.

Media disposal

  • Minor changes to ‘media disposal process and procedures’ content.
  • Security control 0374 was modified to include a process for media disposal.

Security Control: 0374; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A media disposal process, and supporting media disposal procedures, is developed and implemented.

Guidelines for System Hardening

Operating system hardening

  • The ‘further information’ content was updated to reference the retitled authentication hardening section.

Authentication hardening

  • Change of section title from ‘system access’ to ‘authentication hardening’ to avoid confusion with the access to systems and their resources section of the Guidelines for Personnel Security.
  • All ‘user identification’ and ‘shared user accounts’ content, including security controls 0414, 0975, 0420, 1538 and 0415, was moved to the access to systems and their resources section of the Guidelines for Personnel Security.
  • Addition of new ‘authenticating to systems’ content.
  • Security control 1546 was added following the split of content in security control 0414.

Security Control: 1546; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Users are authenticated before they are granted access to a system and its resources.

Guidelines for System Management

System administration

  • Given the focus on system administration activities, the ‘system administration process and procedures’ content, and security control 0042, was moved from the Guidelines for Security Documentation to the Guidelines for System Management.
  • Security control 0042 was modified to remove content that is covered by other security controls, for example the management of assets by the new ICT equipment management policy (see security control 1551).

Security Control: 0042; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A system administration process, with supporting system administration procedures, is developed and implemented.

  • The ‘further information’ content was updated to reference the retitled authentication hardening section of the Guidelines for System Management.

System patching

  • Changes made to ‘patching management process and procedures’ content.
  • Security control 1143 was modified to clarify the recommendation for a patch management process and supporting patch management procedures.

Security Control: 1143; Revision: 7; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A patch management process, and supporting patch management procedures, is developed and implemented.

  • Security control 1493 was modified to replace ‘an inventory’ with ‘a register’ to ensure consistency with similar security controls.

Security Control: 1493; Revision: 1; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Should
To maintain visibility of applications, drivers, operating systems and firmware that potentially require patching or updating, a register (including details of versions and patching histories) is maintained for workstations, servers, mobile devices, network devices and all other ICT equipment.

Change management

  • Changes made to ‘change management process and procedures’ content.
  • Security control 1211 was modified to include content from security control 0115.

Security Control: 1211; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A change management process, and supporting change management procedures, is developed and implemented covering:

  • identification and documentation of requests for change
  • approval required for changes to be made
  • implementation and testing of approved changes
  • the maintenance of system and security documentation.

  • Security control 0115 was merged into security control 1211.

Data backup and restoration

  • Change of section title from ‘data backups’ to ‘data backup and restoration’.
  • New ‘digital preservation policy’ content was added.
  • Changes made to ‘data backup and restoration processes and procedures’ content.
  • Security control 1510 was split into three separate security controls to focus on a digital preservation policy (security control 1510), a data backup process and supporting procedures (security control 1547), and a data restoration process and supporting procedures (security control 1548).

Security Control: 1510; Revision: 1; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A digital preservation policy is developed and implemented.

Security Control: 1547; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A data backup process, and supporting data backup procedures, is developed and implemented.

Security Control: 1548; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A data restoration process, and supporting data restoration procedures, is developed and implemented.

  • Minor change to ‘further information’ content.

Guidelines for System Monitoring

Event logging and auditing

  • Changes to ‘event logging policy’ content.
  • Security control 0580 was modified to refer to an event logging policy rather than a strategy. The content for such a policy was reviewed and lifted up into the associated rationale for this security control.

Security Control: 0580; Revision: 6; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
An event logging policy is developed and implemented.

  • Minor change to ‘event log auditing process and procedures’ content.
  • Security control 0109 was modified to include a process for event log auditing.

Security Control: 0109; Revision: 6; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements.

Vulnerability management

  • Minor change to ‘vulnerability management policy’ content.
  • Security control 1163 was modified to refer to a vulnerability management policy rather than vulnerability management strategies.

Security Control: 1163; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Should
A vulnerability management policy is developed and implemented that includes:

  • conducting vulnerability assessments and penetration tests for systems throughout their life cycle to identify security vulnerabilities
  • analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls
  • using a risk-based approach to prioritise the implementation of identified mitigations.

Guidelines for Database Systems Management

Database management system software

  • The ‘further information’ content was updated to reference the retitled authentication hardening section of the Guidelines for System Management.

Databases

  • Minor change to ‘database register’ content.
  • Security control 1243 was modified to refer explicitly to a database register.

Security Control: 1244; Revision: 5; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Should
A database register is maintained and regularly audited.

Guidelines for Email Management

Email usage

  • Minor change to ‘email usage policy’ content.
  • Security control 0264 was modified to refer explicitly to an email usage policy.

Security Control: 0264; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
An email usage policy is developed and implemented.

  • Minor change to ‘email distribution lists’ content.
  • Security control 1539 was modified to reference the correct protective marking for REL information.

Security Control: 1539; Revision: 2; Updated: Aug-19; Applicability: P, S, TS; Priority: Must
Emails containing REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed.

Guidelines for Network Management

Network design and configuration

  • Security control 1310 was merged into security control 1532.

Security Control: 1532; Revision: 1; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
VLANs are not used to separate network traffic between official or classified networks and public network infrastructure.

  • Minor changes to ‘network device register’ content.
  • Security control 1301 was modified to refer explicitly to a network device register. Furthermore, the priority was raised to ensure alignment with similar recommendations for ICT equipment and media registers.

Security Control: 1301; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A network device register is maintained and regularly audited.

Wireless networks

  • Security control 1322 was modified to reference products that have been evaluated and certified against the Common Criteria.

Security Control: 1322; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Evaluated supplicants, authenticators and authentication servers are used in wireless networks.

  • Security control 1324 was modified to reference products that have been evaluated and certified against the Common Criteria.

Security Control: 1324; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Certificates are generated using an evaluated certificate authority solution or hardware security module.

  • Changes made to ‘encryption for wireless network traffic’ content.
  • Security control 1332 was modified to capture all use cases for encrypting wireless network traffic.

Security Control: 1332; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic.

  • Security controls 0543 and 1445 were removed due to duplicating security controls 0465 and 0467 within the Guidelines for Using Cryptography.

Guidelines for Using Cryptography

Cryptographic fundamentals

  • Changes made to ‘encrypting information in transit’ content to note its applicability to wireless networks.

Guidelines for Gateway Management

Gateways

  • Security control 0625 was modified to include a reference to an organisation’s change management process and procedures.

Security Control: 0625; Revision: 5; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
All changes to a gateway architecture are considered prior to implementation, documented and assessed in accordance with the organisation’s change management process and supporting change management procedures.

Web content and connections

  • Security control 0258 was modified to refer explicitly to a web usage policy.

Security Control: 0258; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A web usage policy is developed and implemented.

  • The reference to the whitetrash software application was removed as the project was abandoned in May 2014.

Guidelines for Data Transfers and Content Filtering

Data transfers

  • Changes to ‘data transfer process and procedures’ content.
  • Security control 0663 was modified to specify the development and implementation of a data transfer process and supporting data transfer procedures.

Security Control: 0663; Revision: 5; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A data transfer process, and supporting data transfer procedures, is developed and implemented.

  • Minor changes to ‘data transfer approval’ content.
  • Minor changes to ‘preventing export of particularly important data to foreign systems’ content.
  • Security control 1535 was modified to specify the development and implementation of an appropriate process to prevent data spills of particularly important information onto foreign systems.

Security Control: 1535; Revision: 1; Updated: Aug-19; Applicability: S, TS; Priority: Must
A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems.

Cyber Security Terminology

Glossary of abbreviations

  • Addition of ‘REL’ entry.
  • Removal of ‘CCMP’ entry.

Glossary of cyber security terms

  • Various minor grammar changes to entries.
  • Addition of ‘Australian Signals Directorate (ASD) Cryptographic Evaluation’ and ‘Releasable To information’ entries.
  • Removal of ‘nationality releasable information’ entry.

Date: August 1st, 2019