Australian Government Information Security Manual
- Various fixes to use of shortened forms of words and phrases throughout the document.
Guidelines for Enterprise Mobility
- Update of reference to the Australian Cyber Security Centre’s Travelling Overseas with Electronic Devices publication.
Guidelines for Database Management
- Security control 1252 was modified. The use of the term ‘strong hashing algorithm’ was replaced with ‘Australian Signals Directorate Approved Cryptographic Algorithm’.
Guidelines for Network Management
- Security control 1427 was moved to the Guidelines for Gateway Management.
Guidelines for Using Cryptography
- The rationale relating to the compromise of keying material was merged with the rationale relating to the use of Commercial Grade Cryptographic Equipment (CGCE).
- Security control 0143 was removed. Requirements for reporting the compromise or suspected compromise of High Assurance Cryptographic Equipment or associated keying material are covered by Australian Communications Security Instruction 107 B.
- Security control 0142 was modified. The focus was changed to compromises or suspected compromises of CGCE or associated keying material.
- Security control 1091 was modified. The use of the term ‘revoked’ was changed to ‘changed’.
Guidelines for Gateway Management
- Security control 0631 was modified. Logging and alerting capabilities of gateways were moved into security control 0634.
- Security control 1427 was modified. The focus was changed to the intent behind Internet Engineering Task Force Best Current Practice 38.
- Security control 0634 was modified. The focus was changed to logging and alerting capabilities of gateways.
List of new or modified security controls
Security Control: 1252; Revision: 3; Updated: Jun-19; Applicability: O, P, S, TS; Priority: Must
Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm.
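The following is an added example, not ISM text, showing what security control 1252 asks for in code: each stored passphrase gets its own random salt and is hashed with a SHA-2 family algorithm (SHA-256 via PBKDF2-HMAC), with an unsalted digest beside it to show why a unique salt matters. The choice of SHA-256 as the approved algorithm and the iteration count are assumptions for the illustration; the ISM specifies neither a particular algorithm nor a work factor in this control.

```python
"""Added example (not ISM text): uniquely salted passphrase hashing for database storage.

Assumptions: SHA-256 (SHA-2 family) is used as the ASD Approved Cryptographic
Algorithm; the PBKDF2 iteration count below is an illustrative work factor.
"""
import hashlib
import hmac
import os
from typing import Optional

HASH_NAME = "sha256"      # assumed approved algorithm for this illustration
SALT_BYTES = 16           # 128-bit random salt, unique per stored passphrase
ITERATIONS = 600_000      # illustrative cost parameter, not an ISM figure


def unsalted_sha256(passphrase: str) -> str:
    """The weak form: no salt, so identical passphrases produce identical digests
    across accounts and a single precomputed table cracks all of them."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn for every call unless one is supplied (the
    parameter exists only so tests can check determinism for a fixed salt)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, passphrase.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_passphrase(passphrase: str, stored: str) -> bool:
    """Recompute the digest using the salt and parameters stored in the record,
    then compare in constant time so timing does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        if not scheme.startswith("pbkdf2_"):
            return False
        algo = scheme.split("_", 1)[1]
        digest = hashlib.pbkdf2_hmac(
            algo, passphrase.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except (ValueError, TypeError):
        return False  # malformed record or unknown algorithm name
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    # Two users with the same passphrase: unsalted digests collide, salted records do not.
    print("unsalted equal:", unsalted_sha256(pw) == unsalted_sha256(pw))
    rec_a, rec_b = hash_passphrase(pw), hash_passphrase(pw)
    print("salted equal:  ", rec_a == rec_b)
    print("verify ok:     ", verify_passphrase(pw, rec_a) and verify_passphrase(pw, rec_b))
    print("verify wrong:  ", verify_passphrase("Tr0ub4dor&3", rec_a))
```

Storing the algorithm name and iteration count in the record lets the work factor be raised later without invalidating existing hashes: old records still verify, and can be re-hashed on the next successful login.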
Security Control: 0142; Revision: 3; Updated: Jun-19; Applicability: O, P; Priority: Must
The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs.
Security Control: 1091; Revision: 5; Updated: Jun-19; Applicability: O, P; Priority: Must
Keying material is changed when compromised or suspected of being compromised.
Security Control: 0631; Revision: 5; Updated: Jun-19; Applicability: O, P, S, TS; Priority: Must
All gateways connecting networks in different security domains are operated such that they:
- are the only communications paths into and out of internal networks
- allow only explicitly authorised connections
- are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)
- are protected by authentication, logging and auditing of all physical and logical access to gateway components
- have all security controls tested to verify their effectiveness after any changes to their configuration.
Security Control: 1427; Revision: 2; Updated: Jun-19; Applicability: O, P, S, TS; Priority: Should
Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing.
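The following is an added example, not ISM text, of the ingress-filtering decision security control 1427 describes (the intent of IETF BCP 38): a packet is accepted only if its source address could legitimately have arrived on the interface it came in on. The interface-to-prefix table, the interface names and the sample packets are constructed for the illustration; a real gateway enforces this in its firewall or router, and the nftables rule text produced at the end is shown only to make the mapping from the table to a configuration concrete.

```python
"""Added example (not ISM text): BCP 38 style ingress filtering by interface.

Assumptions: the interface names, prefixes and packets are constructed for
illustration. 'inside' and 'dmz' are trusted interfaces with known source
prefixes; 'outside' is untrusted and has no positive list.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network

# Constructed topology: source prefixes legitimately reachable behind each trusted interface.
INTERFACE_PREFIXES: Dict[str, Optional[List[IPNet]]] = {
    "inside": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],   # TEST-NET-1, documentation range
    "outside": None,                                  # untrusted: no positive list
}

# Sources that must never appear on a packet arriving from the untrusted side:
# our own internal prefixes plus private, loopback, link-local and 'this network'.
NEVER_FROM_OUTSIDE: List[IPNet] = [
    *INTERFACE_PREFIXES["inside"],
    *INTERFACE_PREFIXES["dmz"],
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
]


def ingress_verdict(interface: str, src: str) -> Tuple[str, str]:
    """Return ('accept'|'drop', reason) for a packet with source src on interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop", "unparseable source address"
    if interface not in INTERFACE_PREFIXES:
        return "drop", f"unknown interface {interface}"   # default deny
    prefixes = INTERFACE_PREFIXES[interface]
    if prefixes is None:
        # Untrusted side: reject anything claiming to come from inside or from a bogon range.
        for net in NEVER_FROM_OUTSIDE:
            if addr in net:
                return "drop", f"spoofed: {src} in {net} cannot originate on {interface}"
        return "accept", "external source on external interface"
    # Trusted side: only the prefixes actually behind that interface may be used as source.
    for net in prefixes:
        if addr in net:
            return "accept", f"{src} within {net} behind {interface}"
    return "drop", f"spoofed: {src} is not behind {interface}"


def filter_packets(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply ingress_verdict to (interface, src) pairs, e.g. from a packet capture."""
    return [(iface, src, ingress_verdict(iface, src)[0]) for iface, src in packets]


def nft_rules() -> List[str]:
    """Render the same policy as nftables rule lines (illustrative; assumes an
    existing 'inet filter' table and 'input'/'forward' chains with these names)."""
    rules = []
    for iface, prefixes in INTERFACE_PREFIXES.items():
        if prefixes is None:
            bogons = ", ".join(str(n) for n in NEVER_FROM_OUTSIDE)
            rules.append(f'iifname "{iface}" ip saddr {{ {bogons} }} drop')
        else:
            allowed = ", ".join(str(n) for n in prefixes)
            rules.append(f'iifname "{iface}" ip saddr != {{ {allowed} }} drop')
    return rules


if __name__ == "__main__":
    # Constructed sample packets: (arrival interface, source address).
    sample = [
        ("inside", "10.10.4.20"),     # legitimate internal host
        ("inside", "203.0.113.9"),    # internal host forging an external source
        ("outside", "10.10.4.20"),    # external packet forging an internal source
        ("outside", "203.0.113.9"),   # legitimate external source
        ("outside", "127.0.0.1"),     # loopback source from the Internet
        ("dmz", "192.0.2.7"),         # legitimate DMZ host
        ("wan2", "198.51.100.1"),     # interface not in the table
    ]
    for iface, src, action in filter_packets(sample):
        print(f"{iface:8} {src:15} {action:7} {ingress_verdict(iface, src)[1]}")
    print("\n".join(nft_rules()))
```

The trusted-side check also stops a compromised internal host from launching reflection attacks with forged external sources, which is the egress half of the same BCP 38 intent; the control's "detect" clause is served by logging the dropped packets rather than silently discarding them.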
Security Control: 0634; Revision: 7; Updated: Jun-19; Applicability: O, P, S, TS; Priority: Must
All gateways connecting networks in different security domains are operated such that they:
- log network traffic permitted through the gateway
- log network traffic attempting to leave the gateway
- are configured to save event logs to a secure logging facility
- provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns.