
October 2019 ISM Changes

Australian Government Information Security Manual

  • Removal of all ‘should’ and ‘must’ markings associated with security controls in order to reflect the risk management nature of the cyber security guidelines.

Guidelines for Cyber Security Incidents

Managing cyber security incidents

  • Minor changes to ‘handling and containing malicious code infections’ content.
  • Security control 0917 was modified to note that system restoration or rebuild is only necessary when infections cannot be reliably removed from systems.

Security Control: 0917; Revision: 7; Updated: Oct-19; Applicability: O, P, S, TS

When malicious code is detected, the following steps are taken to handle the infection:

  • the infected systems are isolated
  • all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary
  • antivirus software is used to remove the infection from infected systems and media
  • if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt.

Guidelines for Security Documentation

Development and maintenance of security documentation

  • Minor grammar fix to ‘further information’ content.

Guidelines for Physical Security

Facilities and systems

  • Minor changes to ‘facilities containing systems’ content.

Wireless devices and Radio Frequency transmitters

  • Security control 1155 was merged with security control 1058.

Security Control: 1058; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

Bluetooth and wireless keyboards are not used unless in an RF screened building.

Guidelines for Personnel Security

Cyber security awareness raising and training

  • Security control 0821 was reworded to note that personnel can’t be forced to make their social media profiles private.

Security Control: 0821; Revision: 3; Updated: Oct-19; Applicability: O, P, S, TS

Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information.

Access to systems and their resources

  • Minor change to ‘security clearances’ content.

Guidelines for Communications Infrastructure

Cable management

  • Security control 0186 was merged with security control 0926.

Security Control: 0926; Revision: 7; Updated: Oct-19; Applicability: O, P, S, TS

The cable colours in the following table are used.

System        Cable Colour
TOP SECRET    Red
SECRET        Salmon (Pink)
PROTECTED     Blue
OFFICIAL      Black or grey

  • Security control 0827 was merged with security control 0825.

Security Control: 0825; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems.

  • Security control 0828 was merged with security control 0826.

Security Control: 0826; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner.

  • Security controls 1117, 1125 and 0182 were merged with security control 1111.

Security Control: 1111; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

Fibre-optic cables are used for network infrastructure instead of copper cables.

  • Security controls 1120, 1127 and 1128 were merged with security control 1114.

Security Control: 1114; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups.

  • Security control 1131 was merged with security control 1130.

Security Control: 1130; Revision: 3; Updated: Oct-19; Applicability: O, P, S, TS

In shared non-government facilities, cables are run in an enclosed cable reticulation system.

  • Security control 1165 was merged with security control 1164.

Security Control: 1164; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic.

  • Security control 1099 was merged with security control 1098.

Security Control: 1098; Revision: 2; Updated: Oct-19; Applicability: O, P, S

Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications.

  • Security controls 1124 and 1136 were merged with security control 1116.

Security Control: 1116; Revision: 3; Updated: Oct-19; Applicability: O, P, S, TS

There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications.

  • Security controls 1121 and 1132 were merged with security control 1115.

Security Control: 1115; Revision: 3; Updated: Oct-19; Applicability: O, P, S, TS

Cables from cable trays to wall outlets are run in flexible or plastic conduit.

  • Security control 1108 was merged with security control 1107. In addition, wall outlet colours for non-TOP SECRET infrastructure have been specified to match recommended cabling colours.

Security Control: 1107; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

The wall outlet colours in the following table are used.

System        Wall Outlet Colour
TOP SECRET    Red
SECRET        Salmon (Pink)
PROTECTED     Blue
OFFICIAL      Black or grey

  • Security control 1110 was merged with security control 1109.

Security Control: 1109; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

Faceplates on wall outlets are clear plastic.

Cable labelling and registration

  • Security control 0205 was merged with security control 1095.

Security Control: 1095; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

Wall outlet boxes denote the classification, cable number and outlet number.

  • Security control 0207 was merged with security control 1096.

Security Control: 1096; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable.

  • Security control 0210 was merged with security control 0208.

Security Control: 0208; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

A cable register is maintained with the following information:

  • cable identification number
  • classification
  • source
  • destination
  • site/floor plan diagram
  • seal numbers (if applicable).

Cable patching

  • Security control 0215 was merged with security control 1094.

Security Control: 1094; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

In areas containing cables for systems of different classifications, the selection of connector types is documented.

Guidelines for Communications Systems

Video conferencing and Internet Protocol telephony

  • Minor change to ‘video and voice-aware firewalls’ content.
  • Security control 0552 was merged with security control 0551.

Security Control: 0551; Revision: 6; Updated: Oct-19; Applicability: O, P, S, TS

IP telephony is configured such that:

  • IP phones authenticate themselves to the call controller upon registration
  • auto-registration is disabled and only a whitelist of authorised devices is allowed to access the network
  • unauthorised devices are blocked by default
  • all unused and prohibited functionality is disabled.

  • Security control 0550 was merged with security control 0549.

Security Control: 0549; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS

Video conferencing and IP telephony traffic is separated physically or logically from other data traffic.

  • Security control 0557 was merged with security control 0556.

Security Control: 0556; Revision: 5; Updated: Oct-19; Applicability: O, P, S, TS

Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic.

Guidelines for Enterprise Mobility

Mobile device management

  • Revision of ‘types of mobile devices’ content to reduce confusion.
  • Removal of ‘device specific guidance’ content due to being covered in other areas of these guidelines.
  • Minor terminology change to ‘privately-owned mobile devices’ content.
  • Security control 1400 was modified slightly to adopt new terminology.

Security Control: 1400; Revision: 3; Updated: Oct-19; Applicability: O, P

Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information.

  • Minor terminology change to ‘organisation-owned mobile devices’ content.
  • Security control 1482 was modified slightly to adopt new terminology.

Security Control: 1482; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

Personnel accessing official or classified information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance.

  • Minor terminology change to ‘connecting mobile devices to the Internet’ content.

Mobile device usage

  • Changes to ‘before travelling overseas with mobile devices’ content.
  • Security control 1298 was modified slightly to capture privacy risks when travelling overseas.

Security Control: 1298; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

Personnel are advised of privacy and security risks when travelling overseas with mobile devices.

  • Technical hardening measures for mobile devices being taken on overseas travel were split out of security control 1298 into security controls 1554 and 1555. In addition, content was updated to align with advice within the ACSC’s Travelling Overseas with Electronic Devices publication.

Security Control: 1554; Revision: 0; Updated: Oct-19; Applicability: O, P, S, TS

If travelling overseas with mobile devices to high/extreme risk countries, personnel are:

  • issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities
  • advised on how to apply and inspect tamper seals to key areas of devices
  • advised to avoid taking any personal devices, especially if rooted or jailbroken.

Security Control: 1555; Revision: 0; Updated: Oct-19; Applicability: O, P, S, TS

Before travelling overseas with mobile devices, personnel take the following actions:

  • record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers
  • update all applications and operating systems
  • remove all non-essential accounts, applications and data
  • apply security configuration settings, such as lock screens
  • configure remote locate and wipe functionality
  • enable encryption, including for any media used
  • backup all important data and configuration settings.

  • Changes to ‘while travelling overseas with mobile devices’ content.
  • Security control 1087 was merged into security control 1299. In addition, security control 1299 was updated to align with advice within the ACSC’s Travelling Overseas with Electronic Devices publication.

Security Control: 1299; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

Personnel take the following precautions when travelling overseas with mobile devices:

  • never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes
  • never storing credentials with devices that they grant access to, such as in laptop bags
  • never lending devices to untrusted people, even if briefly
  • never allowing untrusted people to connect other devices or media to their devices, including for charging
  • never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people
  • avoiding connecting devices to open or untrusted Wi-Fi networks
  • using an approved Virtual Private Network to encrypt all device communications
  • using encrypted mobile applications for communications instead of using foreign telecommunication networks
  • disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication
  • avoiding reuse of media once used with other parties’ devices or systems
  • ensuring any media used for data transfers are thoroughly checked for malicious code beforehand
  • never using any gifted devices, especially media, when travelling or upon returning from travelling.

  • Security control 1088 was modified to align with advice within the ACSC’s Travelling Overseas with Electronic Devices publication.

Security Control: 1088; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS

Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:

  • provide credentials, decrypt devices or have devices taken out of sight by foreign government officials
  • have devices or media stolen that are later returned
  • lose devices or media that are later found
  • observe unusual behaviour of devices.

  • Changes to ‘after travelling overseas with mobile devices’ content.
  • Security control 1300 was modified to align with advice within the ACSC’s Travelling Overseas with Electronic Devices publication.

Security Control: 1300; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS

Upon returning from travelling overseas with mobile devices, personnel take the following actions:

  • sanitise and reset devices, including all media used with them
  • decommission any physical credentials that left their possession during their travel
  • report if significant doubt exists as to the integrity of any devices following their travel.

  • Security control 1556 was added to align with advice within the ACSC’s Travelling Overseas with Electronic Devices publication.

Security Control: 1556; Revision: 0; Updated: Oct-19; Applicability: O, P, S, TS

If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:

  • reset user credentials used with devices, including those used for remote access to their organisation’s systems
  • monitor accounts for any indicators of compromise, such as failed login attempts.

Guidelines for ICT Equipment Management

ICT equipment maintenance and repairs

  • Introduction of ‘maintenance and repairs of high assurance ICT equipment’ content.
  • Changes to ‘On-site maintenance and repairs’ content.
  • Security control 0305 was modified slightly.

Security Control: 0305; Revision: 5; Updated: Oct-19; Applicability: O, P, S, TS

Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician.

ICT equipment sanitisation and disposal

  • Security control 1218 was modified slightly.

Security Control: 1218; Revision: 2; Updated: Oct-19; Applicability: S, TS

ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ.

Guidelines for Media Management

Media sanitisation

  • Minor change to ‘media sanitisation process and procedures’ content.

Media destruction

  • Security control 1069 was removed as often media is being destroyed due to not being able to be sanitised in the first place. Furthermore, media retains its sensitivity or classification until destroyed and as such needs to be transported in a suitable manner for that sensitivity or classification.

Guidelines for System Hardening

Operating system hardening

  • Minor terminology change to ‘Operating system configuration’ content.

Application hardening

  • Minor terminology change to ‘Hardening application configurations’ content.

Authentication hardening

  • Minor changes to ‘account types’ content.
  • Minor changes to ‘authenticating to systems’ content.
  • Minor changes to ‘multi-factor authentication’ content.
  • Following a rigorous review of the ability of passwords used as part of multi-factor authentication to withstand attack, security control 1401 was modified while security controls 1559, 1560 and 1561 were added.

Security Control: 1401; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS

Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards.

Security Control: 1559; Revision: 0; Updated: Oct-19; Applicability: O, P

Passwords used for multi-factor authentication are a minimum of 6 characters.

Security Control: 1560; Revision: 0; Updated: Oct-19; Applicability: S

Passwords used for multi-factor authentication are a minimum of 8 characters.

Security Control: 1561; Revision: 0; Updated: Oct-19; Applicability: TS

Passwords used for multi-factor authentication are a minimum of 10 characters.

  • Changes to ‘single-factor authentication’ content.
  • Security control 0417 was modified to reflect that passphrases are currently the only endorsed form of single-factor authentication.

Security Control: 0417; Revision: 5; Updated: Oct-19; Applicability: O, P, S, TS

When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead.

  • Following a rigorous review of the ability of passphrases used for single-factor authentication to withstand attack, security controls 0421 and 0422 were modified, 1426 was removed, and security controls 1557 and 1558 were added.

Security Control: 0421; Revision: 6; Updated: Oct-19; Applicability: O, P

Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words.

Security Control: 1557; Revision: 0; Updated: Oct-19; Applicability: S

Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words.

Security Control: 0422; Revision: 6; Updated: Oct-19; Applicability: TS

Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words.

Security Control: 1558; Revision: 0; Updated: Oct-19; Applicability: O, P, S, TS

Passphrases used for single-factor authentication:

  • are not constructed from song lyrics, movies, literature or any other publicly available material
  • do not form a real sentence in a natural language
  • are not a list of categorised words.

  • Minor change to ‘account lockouts’ content.
  • Security control 1403 was modified slightly.

Security Control: 1403; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

Accounts are locked out after a maximum of five failed logon attempts.

  • Minor changes to ‘resetting passwords/passphrases’ content.
  • Security controls 0976 and 1227 were modified slightly.

Security Control: 0976; Revision: 5; Updated: Oct-19; Applicability: O, P, S, TS

Users provide sufficient evidence to verify their identity when requesting a password/passphrase reset.

Security Control: 1227; Revision: 3; Updated: Oct-19; Applicability: O, P, S, TS

Password/passphrase resets are random for each individual reset, not reused when resetting multiple accounts, and not based on another identifying factor such as the user’s name or the date.

  • Minor change to ‘password/passphrase authentication’.
  • Security control 1055 was modified slightly.

Security Control: 1055; Revision: 3; Updated: Oct-19; Applicability: O, P, S, TS

LAN Manager is disabled for password/passphrase authentication.

  • Changes to ‘protecting credentials’ content.
  • Security control 0418 was modified slightly.

Security Control: 0418; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS

Credentials are stored separately from systems to which they grant access.

  • Following a rigorous review of the ability of passwords and passphrases to withstand attack, security control 0423 was merged into security control 1402 and additional recommendations were added.

Security Control: 1402; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

Credentials are protected by ensuring:

  • passwords/passphrases expire every 12 months
  • passwords/passphrases are stored as salted hashes
  • password/passphrase stretching is implemented
  • passwords/passphrases appearing in breach databases are blacklisted
  • passwords/passphrases are never sent in the clear across networks.
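
The storage measures in security control 1402, combined with the single-factor minimum lengths in controls 0421, 1557 and 0422, can be sketched as follows. This is an added example, not ACSC code: the PBKDF2 work factor, the in-memory breach list and all function names are assumptions, and the ‘complexity’ and control 1558 content rules are not modelled.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Single-factor minimum lengths from controls 0421 (O, P), 1557 (S) and 0422 (TS).
MIN_LENGTH = {"O": 14, "P": 14, "S": 17, "TS": 20}
MAX_AGE = timedelta(days=365)    # control 1402: expire every 12 months
PBKDF2_ITERATIONS = 600_000      # assumption: the page sets no work factor

# Constructed stand-in for a breach corpus (assumption: a real deployment
# loads a far larger list from its own source).
BREACHED = {"password1234567", "correcthorsebatterystaple"}


def policy_problems(passphrase, classification):
    """Return the reasons a passphrase is rejected (empty list = accepted)."""
    problems = []
    minimum = MIN_LENGTH[classification]
    if len(passphrase) < minimum:
        problems.append(f"shorter than {minimum} characters for {classification}")
    # Compare case-insensitively and without spaces so trivial variants match.
    if passphrase.casefold().replace(" ", "") in BREACHED:
        problems.append("appears in breach list")
    return problems


def _stretch(passphrase, salt):
    """Salted, stretched hash: PBKDF2-HMAC-SHA256 over the passphrase."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enrol(passphrase, classification, now):
    """Check policy, then return the record to store (never the passphrase)."""
    problems = policy_problems(passphrase, classification)
    if problems:
        raise ValueError("; ".join(problems))
    salt = secrets.token_bytes(16)  # fresh random salt per credential
    return {"salt": salt, "hash": _stretch(passphrase, salt), "set_at": now}


def verify(passphrase, record, now):
    """Return 'ok', 'expired' or 'denied' for a logon attempt."""
    candidate = _stretch(passphrase, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return "denied"
    if now - record["set_at"] > MAX_AGE:
        return "expired"  # correct passphrase, but older than 12 months
    return "ok"
```
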

Guidelines for System Management

System administration

  • Security control 1473 was merged with security control 1380.

Security Control: 1380; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS

Privileged users use a dedicated administrator workstation when performing privileged tasks.

  • Security control 1474 was merged with security control 1386.

Security Control: 1386; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS

Management traffic is only allowed to originate from network zones that are used to administer systems and applications.

System patching

  • Security controls 0298 and 1498 were slightly reworded to align with their associated rationale.

Security Control: 0298; Revision: 7; Updated: Oct-19; Applicability: O, P, S, TS

A centralised and managed approach is used to patch or update applications and drivers.

Security Control: 1498; Revision: 1; Updated: Oct-19; Applicability: O, P, S, TS

A centralised and managed approach is used to patch or update operating systems and firmware.

Guidelines for System Monitoring

Vulnerability management

  • Minor changes to ‘conducting vulnerability assessments and penetration tests’ content.

Guidelines for Software Development

Application development

  • Inclusion of new ‘types of application development’ content in order to note that these guidelines relate to mobile application development activities as well as traditional application development activities.
  • Security control 0401 was modified to include the recommendation to encrypt all communications.

Security Control: 0401; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS

Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications.

Web application development

  • Inclusion of new ‘web application interactions’ content to specify the use of Hypertext Transfer Protocol Secure (HTTPS) by web applications in order to protect the confidentiality and integrity of communications.
  • Addition of security control 1552 covering the exclusive use of HTTPS by web applications.

Security Control: 1552; Revision: 0; Updated: Oct-19; Applicability: O, P, S, TS

All web application content is offered exclusively using HTTPS.

  • Changes to ‘web application input handling’ content.
  • Minor heading change to ‘web application output encoding’ content.
  • Changes to ‘web browser-based security controls’ content.
  • Security control 1424 was modified to state the response header types to implement for web applications.

Security Control: 1424; Revision: 3; Updated: Oct-19; Applicability: O, P, S, TS

Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers.
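
A check for security controls 1552 and 1424 over a captured response can look like the following. This is an added example, not ACSC code: the function names, the finding wording and the sample responses are constructed, and the accepted X-Frame-Options values (DENY, SAMEORIGIN) are an assumption, since the control names only the header.

```python
from urllib.parse import urlsplit


def _hsts_max_age(value):
    """Return max-age in seconds from an HSTS header value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None


def audit_response(url, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    # Header names are case-insensitive, so normalise them first.
    h = {name.lower(): value.strip() for name, value in headers}
    findings = []

    if urlsplit(url).scheme != "https":
        findings.append("1552: content served from a non-HTTPS URL")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("1424: HSTS header missing")
    elif not _hsts_max_age(hsts):
        # max-age=0 tells the browser to forget the HSTS policy.
        findings.append("1424: HSTS max-age missing, invalid or zero")

    if not h.get("content-security-policy"):
        if "content-security-policy-report-only" in h:
            findings.append("1424: Content-Security-Policy is report-only")
        else:
            findings.append("1424: Content-Security-Policy header missing")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("1424: X-Frame-Options missing or not DENY/SAMEORIGIN")

    return findings


# Constructed sample responses (not captured from any real site).
GOOD = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "DENY"),
]
WEAK = [
    ("strict-transport-security", "includeSubDomains; max-age=0"),
    ("Content-Security-Policy-Report-Only", "default-src 'self'"),
    ("X-Frame-Options", "ALLOWALL"),
]

if __name__ == "__main__":
    for url, hdrs in (("https://app.example/", GOOD),
                      ("http://app.example/login", WEAK)):
        print(url, audit_response(url, hdrs) or "compliant")
```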

  • An additional reference on implementing TLS was added to the ‘further information’ content.

Guidelines for Email Management

Email gateways and servers

  • Changes to ‘Sender Policy Framework’ content to remove references to Sender ID.
  • Security control 0574 was modified to remove references to Sender ID and to ensure that SPF is specified for all domains, not just those that have email servers.

Security Control: 0574; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS

SPF is used to specify authorised email services (or lack thereof) for all domains.

  • Security control 1151 was modified to remove references to Sender ID.

Security Control: 1151; Revision: 3; Updated: Oct-19; Applicability: O, P, S, TS

SPF is used to verify the authenticity of incoming emails.

  • Security control 1025 was removed due to being redundant.
  • Minor changes to ‘Domain-based Message Authentication, Reporting and Conformance’ content to remove references to Sender ID.
  • Security control 1540 was modified to remove references to Sender ID and to ensure that DMARC is used for all domains, not just those that have email servers.

Security Control: 1540; Revision: 1; Updated: Oct-19; Applicability: O, P, S, TS

DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks.
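
An audit of published records against security controls 0574 and 1540 can be written as below. This is an added example, not ACSC code: the domains and TXT strings are constructed, the function names are hypothetical, and it assumes a domain with no email services states that with ‘v=spf1 -all’.

```python
def _spf_records(txts):
    """Keep only TXT strings that are SPF records."""
    return [t for t in txts
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]


def _dmarc_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def audit_domain(domain, txt, sends_mail):
    """Return findings for one domain; txt maps a DNS name to its TXT strings."""
    findings = []

    spf = _spf_records(txt.get(domain, []))
    if not spf:
        findings.append("0574: no SPF record")
    elif len(spf) > 1:
        findings.append("0574: multiple SPF records (receivers treat this as an error)")
    else:
        terms = spf[0].lower().split()[1:]
        if "+all" in terms or "all" in terms:
            findings.append("0574: 'all' passes every sender")
        elif not sends_mail and terms != ["-all"]:
            # Assumption: 'lack thereof' is expressed as exactly 'v=spf1 -all'.
            findings.append("0574: non-mail domain should publish only '-all'")

    dmarc = [t for t in txt.get("_dmarc." + domain, [])
             if t.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append("1540: expected exactly one DMARC record")
        return findings
    tags = _dmarc_tags(dmarc[0])
    if tags.get("p", "").lower() != "reject":
        findings.append("1540: p= is not 'reject'")
    if tags.get("sp", "reject").lower() != "reject":
        findings.append("1540: sp= weakens the policy for subdomains")
    if tags.get("pct", "100") != "100":
        findings.append("1540: pct= applies the policy to only part of the mail")
    return findings


# Constructed records; a real audit would fill this dict from DNS TXT lookups.
SAMPLE_TXT = {
    "mail.example": ["v=spf1 mx -all", "some-verification=abc"],
    "_dmarc.mail.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@mail.example"],
    "parked.example": ["v=spf1 ~all"],
    "_dmarc.parked.example": ["v=DMARC1; p=quarantine; pct=50"],
    "bare.example": [],
}

if __name__ == "__main__":
    for name, sends in (("mail.example", True), ("parked.example", False),
                        ("bare.example", False)):
        print(name, audit_domain(name, SAMPLE_TXT, sends) or "compliant")
```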

  • Security control 0561 was removed due to insufficient justification for its continued inclusion.
  • The ‘further information’ content was updated to include a reference to the ACSC’s How to Combat Fake Emails publication.
  • The ‘further information’ content was updated to add references to new versions of email security standards and to remove superseded versions of email security standards.

Guidelines for Network Management

Wireless networks

  • Minor change to ‘Remote Authentication Dial-In User Service authentication’ content.

Guidelines for Using Cryptography

Cryptographic fundamentals

  • Minor changes to ‘additional cryptographic requirements’ content.
  • Minor change to ‘Federal Information Processing Standard 140’ content.

ASD Approved Cryptographic Algorithms

  • Minor terminology change to ‘ASD Approved Cryptographic Algorithms’ content.
  • Minor changes to ‘protecting highly classified information’ content.
  • Security control 1468 was modified slightly to match its associated rationale.

Security Control: 1468; Revision: 5; Updated: Oct-19; Applicability: S, TS

Preference is given to using the CNSA Suite algorithms and key sizes.

ASD Approved Cryptographic Protocols

  • Minor change to ‘ASD Approved Cryptographic Protocols’ content.

Transport Layer Security

  • Security control 1139 was modified to remove ambiguity around which versions of TLS should be supported.

Security Control: 1139; Revision: 5; Updated: Oct-19; Applicability: O, P, S, TS

Only the latest version of TLS is used.

  • Security control 1369 was modified.

Security Control: 1369; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

AES in Galois Counter Mode is used for symmetric encryption.

  • Security control 1371 was merged with security control 1370.

Security Control: 1370; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

Only server-initiated secure renegotiation is used.

  • Security control 1374 was modified.

Security Control: 1374; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

SHA-2-based certificates are used.

  • Security control 1375 was modified.

Security Control: 1375; Revision: 3; Updated: Oct-19; Applicability: O, P, S, TS

Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function.

  • Security control 1553 was added.

Security Control: 1553; Revision: 0; Updated: Oct-19; Applicability: O, P, S, TS

TLS compression is disabled.

Secure/Multipurpose Internet Mail Extension

  • Minor change to ‘using Secure/Multipurpose Internet Mail Extension’ content.

Internet Protocol Security

  • Minor terminology change to ‘Internet Key Exchange Extended Authentication’ content.

Cryptographic system management

  • Minor changes to ‘cryptographic systems’ content.

Guidelines for Gateway Management

Gateways

  • Minor change to ‘deploying gateways’ content.
  • Security control 0617 was merged with security control 0616.

Security Control: 0616; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS

Roles for the administration of gateways are separated.

  • Security control 0608 was merged with security control 0607.

Security Control: 0607; Revision: 3; Updated: Oct-19; Applicability: O, P, S, TS

Once connectivity is established, system owners become information stakeholders for all connected security domains.

Cross Domain Solutions

  • Minor change to ‘introduction to Cross Domain Solutions’ content.
  • Minor change to ‘types of Cross Domain Solutions’ content.

Guidelines for Data Transfers and Content Filtering

Content filtering

  • Security control 1285 was merged with security control 1284.

Security Control: 1284; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS

Content validation is performed on all data passing through a content filter with content which fails content validation blocked.

  • Minor change to ‘content conversion and transformation’ content.
  • Minor change to ‘content sanitisation’ content.
  • Security control 0650 was merged with security control 0649.

Security Control: 0649; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS

A whitelist of permitted content types is created and enforced based on business requirements and the results of a security risk assessment.

Cyber Security Terminology

Glossary of abbreviations

  • Addition of ‘HSTS’ and ‘HTTPS’ entries.
  • Removal of ‘JPEG’ entry.

Glossary of cyber security terms

  • Update to ‘High Assurance Cryptographic Equipment’, ‘high assurance ICT equipment’, ‘mobile device’ and ‘passphrase’ definitions.
  • Addition of ‘password’ definition.

Date: October 1st, 2019