May 2019 Changes Document

Guidelines for Cyber Security Incidents

  • Security control 0122 was removed due to being a duplication of the intent of security control 0043.
  • Minor amendment to fix the reference to the system-specific security documentation section.
  • Amendments to ‘Reporting cyber security incidents to the ACSC’ content.
  • Security control 0140 was reworded.

Guidelines for Security Documentation

  • Amendments to ‘Security documentation’ content.
  • Reintroduction of security control 0039.
  • Amendments to ‘Approval of security documentation’.
  • Security control 0047 was modified to include organisational-level security documentation within its scope.
  • Amendments to ‘Maintenance of security documentation’ content.
  • Security control 0888 was modified to include organisational-level security documentation within its scope.

Guidelines for Media Management

  • Security control 0338 was removed due to being a duplication of the intent of security control 0161.

Guidelines for Network Management

  • Security control 0576 was moved to the detecting cyber security incidents section of the Guidelines for Cyber Security Incidents.

Guidelines for Using Cryptography

  • ‘Suite B’ content was removed.
  • ‘Commercial National Security Algorithm Suite’ content was removed.
  • ‘Selecting cryptographic algorithms’ content was removed.
  • Amendments were made to ‘Protecting highly classified information’ content.
  • Security control 1232 was modified to remove references to Suite B and CNSA Suite algorithms.
  • Security control 1468 was modified to include key sizes.

Guidelines for Data Transfers and Content Filtering

  • Security control 0665 was modified to remove the requirement for a formal risk assessment. This ensures consistency with other circumstances in which a Chief Information Security Officer (CISO) may delegate duties.

List of new or modified security controls

Security Control: 0140; Revision: 6; Updated: May-19; Applicability: O, P, S, TS; Priority: Must
Cyber security incidents are reported to the ACSC.

Security Control: 0039; Revision: 4; Updated: May-19; Applicability: O, P, S, TS; Priority: Must
A cyber security strategy is developed and implemented for the organisation.

Security Control: 0047; Revision: 4; Updated: May-19; Applicability: O, P, S, TS; Priority: Should
Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer.

Security Control: 0888; Revision: 5; Updated: May-19; Applicability: O, P, S, TS; Priority: Should
Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement.

Security Control: 1232; Revision: 5; Updated: May-19; Applicability: S, TS; Priority: Must
AACAs are used in an evaluated implementation.

Security Control: 1468; Revision: 4; Updated: May-19; Applicability: S, TS; Priority: Should
Preference is given to using the CNSA Suite algorithms and key sizes where possible.

Security Control: 0665; Revision: 4; Updated: May-19; Applicability: S, TS; Priority: Must
Trusted sources are a strictly limited number of personnel that have been authorised as such by an organisation’s CISO.

Date
July 9th, 2019