Sorry, you need to enable JavaScript to visit this website.
Skip to main content

July 2019 Changes Document

Cyber Security Framework

  • Content merged into the new The Australian Government Information Security Manual executive overview.

Guidelines for Cyber Security Roles

  • References to the Guidelines for Authorising Systems removed due to the content being merged into the new The Australian Government Information Security Manual executive overview.

Guidelines for Authorising Systems

  • Security controls 0064, 0809, 0904, 1531, 0805 and 1140 removed due to being covered by the new The Australian Government Information Security Manual executive overview.
  • Security control 0100 moved to the Guidelines for Outsourcing.

Guidelines for Outsourcing

  • Security control 0100 moved from the Guidelines for Authorising Systems.
  • Reference to the Guidelines for Authorising Systems removed due to the content being merged into the new The Australian Government Information Security Manual executive overview.
  • Updated URLs to new IRAP webpages on cyber.gov.au.

Guidelines for Communications Infrastructure

  • Minor grammar correction.

Guidelines for System Hardening

  • Security control 1490 was modified to expand its scope from specific types of servers to all servers within an organisation’s ICT environment.
  • Security control 1544 was added to ensure organisations are aware of, and mitigate, common application whitelisting bypass techniques used by adversaries.

Guidelines for System Management

  • Minor updates were made to the ‘Testing restoration of backups’ content to focus on the restoration of backups.
  • Security control 1515 was modified to focus on the restoration of backups.
  • Security control 1516 was modified to focus on the restoration of backups. Furthermore, the frequency for partial restoration of backups was changed from an annual or more frequent basis to a quarterly or more frequent basis.

Guidelines for Email Management

  • Minor grammar correction.

Guidelines for Network Management

  • Security control 1462 was reintroduced to rectify an oversight in the November 2018 release of the ISM. Guidance relating to CONFIDENTIAL and above information has been merged into security control 1461 while guidance relating to PROTECTED information remains.
  • Security control 1461 was modified to incorporate guidance from security controls 1462 and 1463 from the November 2018 release of the ISM.

Guidelines for Gateway Management

  • References to the Guidelines for Authorising Systems removed due to the content being merged into the new The Australian Government Information Security Manual executive overview.

Cyber Security Terminology

Change of title from Supporting Information to Cyber Security Terminology.

List of new or modified security controls

Security Control: 1490; Revision: 1; Updated: Jul-19; Applicability: O, P, S, TS; Priority: Must
An application whitelisting solution is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set.

Security Control: 1544; Revision: 0; Updated: Jul-19; Applicability: O, P, S, TS; Priority: Must
Microsoft’s latest recommended block rules are implemented to prevent application whitelisting bypasses.

Security Control: 1515; Revision: 1; Updated: Jul-19; Applicability: O, P, S, TS; Priority: Must
Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur.

Security Control: 1516; Revision: 1; Updated: Jul-19; Applicability: O, P, S, TS; Priority: Must
Partial restoration of backups is tested on a quarterly or more frequent basis.

Security Control: 1462; Revision: 1; Updated: Jul-19; Applicability: P; Priority: Must
When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification.

Security Control: 1461; Revision: 2; Updated: Jul-19; Applicability: S, TS; Priority: Must
When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain.

Date
July 9th, 2019