
January 2019 Changes Document

Cyber Security Guidelines

  • Title changed from ‘Cyber Security Guidelines’ to ‘Cyber Security Framework’.

Guidelines for Cyber Security Rules

  • Reference to ‘Guidelines for System Administration’ changed to ‘Guidelines for System Management’.

Guidelines for Authorising Systems

  • Security control 0809 was modified to shift the focus from ‘reaccreditation’ to activities required when a change to a system or its environment impacts its security posture.
  • Fixed typographical error in security control 0904 – ‘Statement of Applicably’ replaced with ‘Statement of Applicability’.

Guidelines for Cyber Security Incidents

  • Fixed typographical error in security control 0917 – ‘inflected systems’ replaced with ‘infected systems’.

Guidelines for Outsourcing

  • Amendment made to the wording referencing the Guidelines for Authorising Systems.
  • Reference added under further information for the Australian Cyber Security Centre’s Managed Service Provider Partner Program (MSP3).

Guidelines for Enterprise Mobility

  • Updated the references to the ‘Enterprise Mobility including Bring Your Own Device (BYOD)’ publication to ‘Enterprise Mobility Including Bring Your Own Device (BYOD)’.

Guidelines for ICT Equipment Management

  • Amendment made to ‘Sanitisation and disposal of ICT equipment’ to reflect solid state drives being a class of non-volatile semiconductor memory and not non-volatile magnetic memory.

Guidelines for Media Management

  • Fixed typographical error in ‘External interface connections that allow Direct Memory Access’ – ‘physically measures’ replaced with ‘physical measures’.
  • Updated the URL for the National Security Agency’s Degausser Evaluated Product List.

Guidelines for System Hardening

  • Updated the reference to the ‘Application Whitelisting Explained’ publication to ‘Implementing Application Whitelisting’.
  • Security control 1484 was modified to emphasise it relates to all Flash content.
  • Security control 1541 was added to address support for Flash content within Microsoft Office.
  • Security control 1542 was added to address the activation of Object Linking and Embedding packages within Microsoft Office.
  • Updated the reference to the ‘Hardening Microsoft Office 2016’ publication to ‘Hardening Microsoft Office 365 ProPlus, Office 2019 and Office 2016’.
  • Updated the reference to the ‘Multi-factor Authentication’ publication to ‘Implementing Multi-Factor Authentication’.

Guidelines for Network Management

  • Updated the reference to the ‘Network Segmentation and Segregation’ publication to ‘Implementing Network Segmentation and Segregation’.
  • Updated the URL for the National Security Agency’s Manageable Network Plan Guide (version 4.0) publication.

Guidelines for Using Cryptography

  • Updated the URL for the National Security Agency’s CNSA Suite and Quantum Computing FAQ publication.

Guidelines for Connecting Networks and Security Domains

  • Revision number for security control 1192 was changed from ‘1’ to ‘2’.
  • Added missing semi-colon following the last updated date in security control 0597.

Supporting Information

  • The entry for ‘accreditation’ was removed to avoid confusion with the process for physical security accreditation.
  • The definition of ‘authorising officer’ was updated to reflect the content with the Guidelines for Authorising Systems.
  • The entry for ‘certification’ was removed to avoid confusion with the process for physical security certification.

Security Assessment Aid

  • The XML ‘<Decription>’ tag was changed to ‘<Description>’.
  • Fixed typographical error in security control 0904 – ‘Statement of Applicably’ replaced with ‘Statement of Applicability’.
  • Applicability markings for security control 0100 were changed from ‘O,P,S,TS’ to ‘O,P,-,-’.
  • Fixed typographical error in security control 0917 – ‘inflected systems’ replaced with ‘infected systems’.
  • Revision number for security control 0430 was changed from ‘8’ to ‘5’.
  • Applicability markings for security control 1215 were changed from ‘O,P,-,TS’ to ‘O,P,S,-’.
  • Applicability markings for security control 0421 were changed from ‘O,P,S,TS’ to ‘O,P,S,-’.
  • Revision number for security control 1192 was changed from ‘1’ to ‘2’.

List of new or modified security controls

Security Control: 0809; Revision: 3; Updated: Jan-19; Applicability: O, P, S, TS; Priority: Must
When a change to a system or its environment impacts the security posture of the system, security risks associated with the operation of the system are determined by a security assessment, and formally accepted by an authorising officer, before the system is authorised to continue operating.

Security Control: 1484; Revision: 1; Updated: Jan-19; Applicability: O, P, S, TS; Priority: Must
Web browsers are configured to block or disable support for Flash content.

Security Control: 1541; Revision: 0; Updated: Jan-19; Applicability: O, P, S, TS; Priority: Must
Microsoft Office is configured to disable support for Flash content.

Security Control: 1542; Revision: 0; Updated: Jan-19; Applicability: O, P, S, TS; Priority: Must
Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.

Date
July 9th, 2019