{
  "catalog" : {
    "uuid" : "4cb84bc8-10bd-4af9-81c5-180b1d692bbb",
    "metadata" : {
      "title" : "Information security manual Essential Eight Maturity Level Three Baseline",
      "last-modified" : "2025-12-09T05:06:50.063565474Z",
      "version" : "2025.12.9",
      "oscal-version" : "1.1.2",
      "props" : [ {
        "name" : "resolution-tool",
        "value" : "libOSCAL-Java+xslt"
      } ],
      "links" : [ {
        "href" : "https://www.cyber.gov.au/ism/oscal/v2025.12.9/artifacts/ISM_E8_ML3-baseline_profile.xml",
        "rel" : "source-profile"
      } ],
      "roles" : [ {
        "id" : "prepared-by",
        "title" : "Document creator"
      } ],
      "parties" : [ {
        "uuid" : "ae0012b5-2a98-4610-ba74-08928451a4c0",
        "type" : "organization",
        "name" : "Australian Cyber Security Centre",
        "short-name" : "ACSC",
        "links" : [ {
          "href" : "https://www.cyber.gov.au",
          "rel" : "homepage"
        } ],
        "email-addresses" : [ "asd.assist@defence.gov.au" ],
        "addresses" : [ {
          "type" : "work",
          "addr-lines" : [ "Australian Cyber Security Centre", "General enquiries", "PO Box 5076" ],
          "city" : "Kingston",
          "state" : "ACT",
          "postal-code" : "2604",
          "country" : "AU"
        } ]
      } ],
      "responsible-parties" : [ {
        "role-id" : "prepared-by",
        "party-uuids" : [ "ae0012b5-2a98-4610-ba74-08928451a4c0" ]
      } ]
    },
    "groups" : [ {
      "title" : "Guidelines for cyber security incidents",
      "props" : [ {
        "name" : "sort-id",
        "value" : "catalog[1].group[04]"
      } ],
      "groups" : [ {
        "title" : "Managing cyber security incidents",
        "props" : [ {
          "name" : "sort-id",
          "value" : "catalog[1].group[04].group[1]"
        } ],
        "parts" : [ {
          "name" : "overview",
          "prose" : "# Cyber security events\n\nA cyber security event is an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security.\n\n# Cyber security incidents\n\nA cyber security incident is an unwanted or unexpected cyber security event, or a series of such events, that either has compromised business operations or has a significant probability of compromising business operations.\n\n# Cyber resilience\n\nCyber resilience is the ability to adapt to disruptions caused by cyber security incidents while maintaining continuous business operations. This includes the ability to detect, manage and recover from cyber security incidents.\n\n# Detecting cyber security incidents\n\nOne of the core elements of detecting and investigating cyber security incidents is the availability of appropriate data sources, such as event logs. The following event logs can be used by an organisation to assist with detecting and investigating cyber security incidents:\n\n- **Artificial intelligence applications:** May assist in identifying anomalous or malicious code or user behaviour indicating an exploitation attempt or successful compromise.\n- **Cross Domain Solutions:** May assist in identifying anomalous or malicious network traffic indicating an exploitation attempt or successful compromise.\n- **Databases:** May assist in identifying anomalous or malicious code or user behaviour indicating an exploitation attempt or successful compromise.\n- **Domain Name System services:** May assist in identifying attempts to resolve malicious domain names or Internet Protocol addresses indicating an exploitation attempt or successful compromise.\n- **Email servers:** May assist in identifying users targeted with phishing emails thereby helping to identify the initial vector of a compromise.\n- **Gateways:** May assist in identifying anomalous or malicious network traffic indicating an exploitation attempt or successful compromise.\n- **Mobile applications:** May assist in identifying anomalous or malicious code or user behaviour indicating an exploitation attempt or successful compromise.\n- **Multifunction devices:** May assist in identifying anomalous or malicious user behaviour indicating a cyber security incident.\n- **Operating systems:** May assist in identifying anomalous or malicious activity indicating an exploitation attempt or successful compromise.\n- **Remote access services:** May assist in identifying unusual locations of access or times of access indicating an exploitation attempt or successful compromise.\n- **Security products:** May assist in identifying anomalous or malicious code or network traffic indicating an exploitation attempt or successful compromise.\n- **Server applications:** May assist in identifying anomalous or malicious code or user behaviour indicating an exploitation attempt or successful compromise.\n- **System access:** May assist in identifying anomalous or malicious user behaviour indicating an exploitation attempt or successful compromise.\n- **User applications:** May assist in identifying anomalous or malicious code or user behaviour indicating an exploitation attempt or successful compromise.\n- **Web applications:** May assist in identifying anomalous or malicious code or user behaviour indicating an exploitation attempt or successful compromise.\n- **Web proxies:** May assist in identifying anomalous or malicious network traffic indicating an exploitation attempt or successful compromise.\n\n# Further information\n\nFurther information on event logging can be found in the ‘Event logging and monitoring’ section of the [Guidelines for system monitoring](#edc24216-f52b-4513-bcda-5fa564661999).\n\nFurther information on cyber security incident response plans can be found in the ‘System-specific cyber security documentation’ section of the [Guidelines for cyber security documentation](#578d0434-6b3f-46f3-aad8-c7ac75c2ebcc).\n\nFurther information on preparing for and responding to cyber security incidents can be found in ASD’s [Cyber security incident response planning: Executive guidance](#403f72c6-3e85-4185-8df3-130b2a6b25b3) and [Cyber security incident response planning: Practitioner guidance](#041bce05-55ad-4a2a-93e3-c582d39fce94) publications.\n\nFurther information on understanding, identifying and preventing the insider threat can be found in the Attorney-General’s Department’s [Countering the Insider Threat: A guide for Australian Government](#fb60e251-ed4c-4781-96db-58a0225bca89) publication.\n\nFurther information on understanding, identifying and preventing the insider threat can also be found in the Australian Security Intelligence Organisation’s [Countering the insider threat](#fb60e251-ed4c-4781-96db-58a0225bca89) brochure and [Countering the insider threat: A security manager’s guide](#f6813648-fe24-4d45-9e45-c97b4021506e) publication.\n\nFurther information on understanding, identifying and preventing the insider threat can also be found on the United Kingdom’s National Protective Security Authority’s [Insider Risk Guidance](#c2a2f934-c5d6-46a7-86db-7fec1565058e) website.\n\nFurther information on developing, implementing and maintaining an insider threat mitigation program can be found in the United States’ Cybersecurity \\& Infrastructure Security Agency’s [Insider Threat Mitigation Guide](#c322926a-13b3-4efe-8573-06624418e8f5).\n\nFurther information on developing, implementing and maintaining an insider threat mitigation program can also be found in Carnegie Mellon University’s Software Engineering Institute’s [Common Sense Guide to Mitigating Insider Threats, Seventh Edition](#cad720b4-e47a-437d-b272-6958e738131d) publication.\n\nFurther information on reporting of cyber security incidents by service providers can be found in the ‘Managed services and cloud services’ section of the [Guidelines for procurement and outsourcing](#f37a4848-0791-4870-b316-5536c2681c28).\n\nFurther information on [reporting cybercrime incidents](#188466f6-be12-49ce-b99a-981e54b1663e) and [reporting cyber security incidents](#626d3582-3caf-49d6-89d5-4b8fdbbf1f31), including ASD’s [limited use obligation](#cae0ac6b-e69b-4359-bfd7-5ee5eff1049d), is available from ASD."
        } ],
        "groups" : [ {
          "title" : "Reporting cyber security incidents",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[04].group[1].group[5]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "Reporting cyber security incidents to the chief information security officer, or one of their delegates, as soon as possible after they occur or are discovered provides senior management with the opportunity to assess the impact to their organisation and to oversee any cyber security incident response activities. Note, an organisation should also be cognisant of any legislative obligations regarding the reporting of cyber security incidents to authorities."
          } ],
          "controls" : [ {
            "id" : "ism-0123",
            "class" : "ISM-control",
            "title" : "Control: ism-0123",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[04].group[1].group[5].control[1]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "4"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-0123_smt",
              "name" : "statement",
              "prose" : "Cyber security incidents are reported to the chief information security officer, or one of their delegates, as soon as possible after they occur or are discovered."
            } ]
          } ]
        }, {
          "title" : "Reporting cyber security incidents to ASD",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[04].group[1].group[6]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "The Australian Signals Directorate (ASD) uses the cyber security incident reports it receives as the basis for providing assistance to organisations. In addition, cyber security incident reports are used to identify trends and maintain an accurate threat environment picture. Finally, ASD utilises this understanding to assist in the development of new and updated cyber security advice, capabilities, and techniques to better prevent and respond to evolving cyber threats. Note, under ASD’s limited use obligation, information voluntarily provided to ASD about cyber security incidents, or potential cyber security incidents, cannot be used for regulatory purposes.\n\nAn organisation is recommended to internally coordinate their reporting of cyber security incidents to ASD. In doing so, the organisation should be cognisant of any legislative obligations regarding the reporting of cyber security incidents to ASD.\n\nThe types of cyber security incidents that should be reported to ASD include:\n\n- suspicious privileged user account lockouts\n- suspicious remote access authentication events\n- service accounts suspiciously communicating with internet-based infrastructure\n- compromise of sensitive or classified data\n- unauthorised access or attempts to access a system\n- emails with suspicious attachments or links\n- denial-of-service attacks\n- ransomware attacks\n- suspected tampering of electronic devices."
          } ],
          "controls" : [ {
            "id" : "ism-0140",
            "class" : "ISM-control",
            "title" : "Control: ism-0140",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[04].group[1].group[6].control[1]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "8"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-0140_smt",
              "name" : "statement",
              "prose" : "Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered."
            } ]
          } ]
        } ]
      }, {
        "title" : "Responding to cyber security incidents",
        "props" : [ {
          "name" : "sort-id",
          "value" : "catalog[1].group[04].group[2]"
        } ],
        "parts" : [ {
          "name" : "overview",
          "prose" : "# Further information\n\nFurther information on cyber security incident response plans can be found in the ‘System-specific cyber security documentation’ section of the [Guidelines for cyber security documentation](#578d0434-6b3f-46f3-aad8-c7ac75c2ebcc).\n\nFurther information on handling malicious code infections can be found in National Institute of Standards and Technology Special Publication 800-61 Rev. 3, [Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile](#f48c0d05-5173-4c8e-8748-e5591518c1fb)."
        } ],
        "groups" : [ {
          "title" : "Enacting cyber security incident response plans",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[04].group[2].group[1]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "Following a cyber security incident being identified, an organisation’s cyber security incident response plan should be enacted."
          } ],
          "controls" : [ {
            "id" : "ism-1819",
            "class" : "ISM-control",
            "title" : "Control: ism-1819",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[04].group[2].group[1].control[1]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1819_smt",
              "name" : "statement",
              "prose" : "Following the identification of a cyber security incident, the cyber security incident response plan is enacted."
            } ]
          } ]
        } ]
      } ]
    }, {
      "title" : "Guidelines for personnel security",
      "props" : [ {
        "name" : "sort-id",
        "value" : "catalog[1].group[08]"
      } ],
      "groups" : [ {
        "title" : "Access to systems and their resources",
        "props" : [ {
          "name" : "sort-id",
          "value" : "catalog[1].group[08].group[2]"
        } ],
        "parts" : [ {
          "name" : "overview",
          "prose" : "# Security clearances\n\nWhere these guidelines refer to security clearances, this applies to Australian security clearances or security clearances from a foreign government which are formally recognised by Australia.\n\n# Further information\n\nFurther information on access to government resources, including required security clearances, can be found in the Department of Home Affairs’ [Protective Security Policy Framework](#92679127-f61d-486a-a93e-df2a26dfb07a).\n\nFurther information on access to highly sensitive government resources, including required briefings, can be found in the Government Security Committee’s Australian Government Security Caveat Guidelines. This publication is available from the Protective Security Policy GovTEAMS community or the Australian Security Intelligence Organisation by email.\n\nFurther information on restricting the use of privileged user accounts can be found in ASD’s [Restricting administrative privileges](#3ccea9a8-a728-4f5b-a0a8-43f2f206f76b) publication.\n\nFurther information on administering systems and their resources can be found in the ‘System administration’ section of the [Guidelines for system management](#c6ca6620-ccd5-4c5d-b97c-9d92f1162948).\n\nFurther information on event logging can be found in the ‘Event logging and monitoring’ section of the [Guidelines for system monitoring](#edc24216-f52b-4513-bcda-5fa564661999)."
        } ],
        "groups" : [ {
          "title" : "Privileged access to systems",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[08].group[2].group[08]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "Privileged user accounts are considered those that can alter or circumvent system controls. This also applies to user accounts that may only have limited privileges but still have the ability to bypass some system controls.\n\nPrivileged user accounts are often targeted by malicious actors as they can potentially give full access to systems and their resources. As such, ensuring that privileged user accounts are prevented from accessing the internet, email and web services minimises opportunities for these accounts to be compromised. However, if privileged user accounts are explicitly authorised to access online services, they should be strictly limited to only what is required for users and services to undertake their duties.\n\nFinally, centrally logging and analysing privileged access events, as well as privileged user account and security group management events, can assist in monitoring the security posture of systems and their resources, detecting malicious behaviour and contributing to investigations following cyber security incidents."
          } ],
          "controls" : [ {
            "id" : "ism-1507",
            "class" : "ISM-control",
            "title" : "Control: ism-1507",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[08].group[2].group[08].control[1]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "4"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-25"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1507_smt",
              "name" : "statement",
              "prose" : "Requests for privileged access to systems and their resources are validated when first requested."
            } ]
          }, {
            "id" : "ism-1508",
            "class" : "ISM-control",
            "title" : "Control: ism-1508",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[08].group[2].group[08].control[2]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "4"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-25"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1508_smt",
              "name" : "statement",
              "prose" : "Privileged access to systems and their resources is limited to only what is required for users and services to undertake their duties."
            } ]
          }, {
            "id" : "ism-1175",
            "class" : "ISM-control",
            "title" : "Control: ism-1175",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[08].group[2].group[08].control[3]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "6"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-24"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1175_smt",
              "name" : "statement",
              "prose" : "Privileged user accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services."
            } ]
          }, {
            "id" : "ism-1883",
            "class" : "ISM-control",
            "title" : "Control: ism-1883",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[08].group[2].group[08].control[4]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-24"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1883_smt",
              "name" : "statement",
              "prose" : "Privileged user accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties."
            } ]
          }, {
            "id" : "ism-1649",
            "class" : "ISM-control",
            "title" : "Control: ism-1649",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[08].group[2].group[08].control[5]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-25"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1649_smt",
              "name" : "statement",
              "prose" : "Just-in-time administration is used for the administration of systems and their resources."
            } ]
          }, {
            "id" : "ism-0445",
            "class" : "ISM-control",
            "title" : "Control: ism-0445",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[08].group[2].group[08].control[6]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "8"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-24"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-0445_smt",
              "name" : "statement",
              "prose" : "Privileged users are assigned a dedicated privileged user account to be used solely for duties requiring privileged access."
            } ]
          }, {
            "id" : "ism-1509",
            "class" : "ISM-control",
            "title" : "Control: ism-1509",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[08].group[2].group[08].control[8]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "3"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1509_smt",
              "name" : "statement",
              "prose" : "Privileged access events are centrally logged."
            } ]
          }, {
            "id" : "ism-1650",
            "class" : "ISM-control",
            "title" : "Control: ism-1650",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[08].group[2].group[08].control[9]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "3"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-24"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1650_smt",
              "name" : "statement",
              "prose" : "Privileged user account and security group management events are centrally logged."
            } ]
          } ]
        }, {
          "title" : "Suspension of access to systems",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[08].group[2].group[10]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "Removing or suspending access to systems and their resources, ideally using an automatic mechanism, can prevent them from being accessed when there is no longer a legitimate business requirement for their use, such as when personnel change duties, leave an organisation or are detected undertaking malicious activities."
          } ],
          "controls" : [ {
            "id" : "ism-1648",
            "class" : "ISM-control",
            "title" : "Control: ism-1648",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[08].group[2].group[10].control[4]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-25"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1648_smt",
              "name" : "statement",
              "prose" : "Privileged access to systems and their resources are disabled after 45 days of inactivity."
            } ]
          }, {
            "id" : "ism-1647",
            "class" : "ISM-control",
            "title" : "Control: ism-1647",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[08].group[2].group[10].control[5]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-25"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1647_smt",
              "name" : "statement",
              "prose" : "Privileged access to systems and their resources are disabled after 12 months unless revalidated."
            } ]
          } ]
        } ]
      } ]
    }, {
      "title" : "Guidelines for system hardening",
      "props" : [ {
        "name" : "sort-id",
        "value" : "catalog[1].group[15]"
      } ],
      "groups" : [ {
        "title" : "Operating system hardening",
        "props" : [ {
          "name" : "sort-id",
          "value" : "catalog[1].group[15].group[1]"
        } ],
        "parts" : [ {
          "name" : "overview",
          "prose" : "# Further information\n\nFurther information on cyber supply chain risk management can be found in the ‘Cyber supply chain risk management’ section of the [Guidelines for procurement and outsourcing](#f37a4848-0791-4870-b316-5536c2681c28).\n\nFurther information on vendors that have made a pledge to implement Secure by Design and Secure by Default principles and practices can be found on the United States’ Cybersecurity \\& Infrastructure Security Agency’s [Secure by Design Pledge](#4974639a-f41a-4280-ae06-33d1f13d6083) website.\n\nFurther information on patching or updating operating systems can be found in the ‘System patching’ section of the [Guidelines for system management](#c6ca6620-ccd5-4c5d-b97c-9d92f1162948).\n\nFurther information on hardening Microsoft Windows operating systems can be found in ASD’s [Hardening Microsoft Windows 10 workstations](#9209d9cd-86c1-486f-890e-1edfa4545093) and [Hardening Microsoft Windows 11 workstations](#43fbcaf9-03a3-493a-83be-9340a37778fa) publications.\n\nFurther information on hardening Microsoft Windows operating systems can also be found in Microsoft’s [Windows 11 Security Book](#63bba9d2-127e-41d5-b735-e0cf3fe4b9aa) and on the [Microsoft Security Baselines Blog](#0bf3a1ef-031a-419b-80c3-08a08b1cee9d) website.\n\nFurther information on hardening Linux workstations and servers can be found in ASD’s [Hardening Linux workstations and servers](#8132c47e-a2dc-4dd9-81d6-38db96e5cec6) publication.\n\nFurther information on [exploit protection functionality](#d0df96bb-7236-4784-8f54-2cb6335ad228) within Microsoft Windows is available from Microsoft.\n\nFurther information on implementing application control can be found in ASD’s [Implementing application control](#4eeff329-cea0-4baf-a80b-8b0b76436075) publication.\n\nFurther information on Microsoft’s [recommended application blocklist](#5a2ed3ef-afcc-485e-8014-5107e9ed97e3) and [vulnerable driver blocklist](#4a3a265f-7772-433b-9906-7f784052f28b) are available from Microsoft.\n\nFurther information on [command line process logging](#0a1508c0-b062-4d85-8ded-a95316e17a3a) is available from Microsoft.\n\nFurther information on the use of PowerShell can be found in ASD’s [Securing PowerShell in the enterprise](#8ffea524-0974-4b53-a8f5-41166073ede5) publication.\n\nFurther information on [the use of PowerShell by blue teams](#7d22400c-ddef-4cbb-90f1-7502dc569e5b) is available from Microsoft.\n\nFurther information on obtaining [greater visibility through PowerShell logging](#af0810aa-3486-4ca6-a48a-fad8ce9ac193) is available from Google.\n\nFurther information on independent testing of security products’ ability to [detect or prevent various stages of network intrusions](#3a1a00f6-2f56-4d04-b99d-6f1682b95a98) is available from MITRE.\n\nFurther information on independent testing of antivirus applications is available from [AV-Comparatives](#c852e735-4920-4616-8e34-2fddfb49eea8) and [AV-TEST](#18203e18-2aca-492e-be44-770b2f47242f).\n\nFurther information on the use of removable media can be found in the ‘Media usage’ section of the [Guidelines for media](#b594c9c0-b42f-4f06-b643-38023275a5c7).\n\nFurther information on event logging can be found in the ‘Event logging and monitoring’ section of the [Guidelines for system monitoring](#edc24216-f52b-4513-bcda-5fa564661999).\n\nFurther information on security-relevant events to monitor for Apple macOS, Linux and Microsoft Windows operating systems can be found in the following ASD publications:\n\n- [Hardening Microsoft Windows 10 workstations](#9209d9cd-86c1-486f-890e-1edfa4545093)\n- [Hardening Microsoft Windows 11 workstations](#43fbcaf9-03a3-493a-83be-9340a37778fa)\n- [Priority logs for SIEM ingestion: Practitioner guidance](#1dbda98a-4e8b-4a52-b4f7-9d1a895fd324)\n- [Windows event logging and forwarding](#de239dae-d1e8-4969-9680-ef3444d32a83)."
        } ],
        "groups" : [ {
          "title" : "Operating system releases and versions",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[15].group[1].group[02]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "Newer releases of operating systems often introduce improvements in security functionality. This can make it more difficult for malicious actors to craft reliable exploits for vulnerabilities they discover. Using older releases of operating systems, especially those no longer supported by vendors, may expose an organisation to vulnerabilities or exploitation techniques that have since been mitigated. In addition, 64-bit versions of operating systems support additional security functionality that 32-bit versions do not."
          } ],
          "controls" : [ {
            "id" : "ism-1407",
            "class" : "ISM-control",
            "title" : "Control: ism-1407",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[02].control[1]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "5"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-22"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1407_smt",
              "name" : "statement",
              "prose" : "The latest release, or the previous release, of operating systems are used."
            } ]
          } ]
        }, {
          "title" : "Hardening operating system configurations",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[15].group[1].group[04]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "When operating systems are deployed in their default state, or with an unapproved configuration, it can lead to an insecure operating environment that may allow malicious actors to gain an initial foothold on networks. Many settings exist within operating systems to allow them to be configured in an approved secure state in order to minimise this security risk. As such, the Australian Signals Directorate (ASD) and vendors often produce hardening guidance to assist in hardening the configuration of operating systems. Note, however, in situations where ASD and vendor hardening guidance conflicts, precedence should be given to implementing the most restrictive guidance."
          } ],
          "controls" : [ {
            "id" : "ism-1654",
            "class" : "ISM-control",
            "title" : "Control: ism-1654",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[04].control[06]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1654_smt",
              "name" : "statement",
              "prose" : "Internet Explorer 11 is disabled or removed."
            } ]
          }, {
            "id" : "ism-1655",
            "class" : "ISM-control",
            "title" : "Control: ism-1655",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[04].control[07]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1655_smt",
              "name" : "statement",
              "prose" : ".NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed."
            } ]
          } ]
        }, {
          "title" : "Application control",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[15].group[1].group[06]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "Application control can be an effective way to not only prevent malicious code from executing on workstations and servers, but also to ensure only approved applications can execute. When developing application control rulesets, determining approved executables (e.g. .exe and .com files), libraries (e.g. .dll and .ocx files), scripts (e.g. .ps1, .bat, .cmd, .vbs and .js files), installers (e.g. .msi, .msp and .mst files), compiled HTML (e.g. .chm files), HTML applications (e.g. .hta files), control panel applets (e.g. .cpl files) and drivers based on business requirements is a more secure method than simply approving those already residing on a workstation or server. Furthermore, it is preferable that an organisation defines their own application control rulesets, rather than relying on those from application control vendors, and validate them on an annual or more frequent basis.\n\nIn implementing application control, an organisation should use a reliable method, or combination of methods, such as cryptographic hash rules, publisher certificate rules or path rules. Depending on the method chosen, further hardening may be required to ensure that application control mechanisms and application control rulesets cannot be bypassed by malicious actors.\n\nFinally, centrally logging and analysing application control events can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents."
          } ],
          "controls" : [ {
            "id" : "ism-0843",
            "class" : "ISM-control",
            "title" : "Control: ism-0843",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[06].control[01]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "9"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-0843_smt",
              "name" : "statement",
              "prose" : "Application control is implemented on workstations."
            } ]
          }, {
            "id" : "ism-1490",
            "class" : "ISM-control",
            "title" : "Control: ism-1490",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[06].control[02]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "3"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1490_smt",
              "name" : "statement",
              "prose" : "Application control is implemented on internet-facing servers."
            } ]
          }, {
            "id" : "ism-1656",
            "class" : "ISM-control",
            "title" : "Control: ism-1656",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[06].control[03]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1656_smt",
              "name" : "statement",
              "prose" : "Application control is implemented on non-internet-facing servers."
            } ]
          }, {
            "id" : "ism-1870",
            "class" : "ISM-control",
            "title" : "Control: ism-1870",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[06].control[04]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1870_smt",
              "name" : "statement",
              "prose" : "Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients."
            } ]
          }, {
            "id" : "ism-1871",
            "class" : "ISM-control",
            "title" : "Control: ism-1871",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[06].control[05]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1871_smt",
              "name" : "statement",
              "prose" : "Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers and email clients."
            } ]
          }, {
            "id" : "ism-1657",
            "class" : "ISM-control",
            "title" : "Control: ism-1657",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[06].control[06]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-25"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1657_smt",
              "name" : "statement",
              "prose" : "Application control restricts the execution of executables, libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set."
            } ]
          }, {
            "id" : "ism-1658",
            "class" : "ISM-control",
            "title" : "Control: ism-1658",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[06].control[07]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1658_smt",
              "name" : "statement",
              "prose" : "Application control restricts the execution of drivers to an organisation-approved set."
            } ]
          }, {
            "id" : "ism-1544",
            "class" : "ISM-control",
            "title" : "Control: ism-1544",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[06].control[12]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "3"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1544_smt",
              "name" : "statement",
              "prose" : "Microsoft’s recommended application blocklist is implemented."
            } ]
          }, {
            "id" : "ism-1659",
            "class" : "ISM-control",
            "title" : "Control: ism-1659",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[06].control[13]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1659_smt",
              "name" : "statement",
              "prose" : "Microsoft’s vulnerable driver blocklist is implemented."
            } ]
          }, {
            "id" : "ism-1582",
            "class" : "ISM-control",
            "title" : "Control: ism-1582",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[06].control[14]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1582_smt",
              "name" : "statement",
              "prose" : "Application control rulesets are validated on an annual or more frequent basis."
            } ]
          }, {
            "id" : "ism-1660",
            "class" : "ISM-control",
            "title" : "Control: ism-1660",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[06].control[16]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1660_smt",
              "name" : "statement",
              "prose" : "Allowed and blocked application control events are centrally logged."
            } ]
          } ]
        }, {
          "title" : "Command Shell",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[15].group[1].group[07]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "The Command shell was the first shell developed by Microsoft to assist with the automation of routine system administration tasks, such as running Windows Commands via batch scripts. However, the Command shell can also be used by malicious actors to run Windows Commands on compromised systems. As such, centrally logging and analysing command line process creation events can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents."
          } ],
          "controls" : [ {
            "id" : "ism-1889",
            "class" : "ISM-control",
            "title" : "Control: ism-1889",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[07].control[1]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1889_smt",
              "name" : "statement",
              "prose" : "Command line process creation events are centrally logged."
            } ]
          } ]
        }, {
          "title" : "PowerShell",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[15].group[1].group[08]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "PowerShell is a powerful scripting language developed by Microsoft and, due to its ubiquity and ease with which it can be used to fully control operating systems, is an important part of system administrator toolkits. However, PowerShell can also be a dangerous exploitation tool in the hands of malicious actors.\n\nIn order to prevent attacks leveraging vulnerabilities in earlier PowerShell versions, Windows PowerShell 2.0 should be disabled or removed from operating systems. Additionally, PowerShell’s language mode should be set to Constrained Language Mode to achieve a balance between security and functionality.\n\nFinally, centrally logging and analysing PowerShell events can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents."
          } ],
          "controls" : [ {
            "id" : "ism-1621",
            "class" : "ISM-control",
            "title" : "Control: ism-1621",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[08].control[1]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1621_smt",
              "name" : "statement",
              "prose" : "Windows PowerShell 2.0 is disabled or removed."
            } ]
          }, {
            "id" : "ism-1622",
            "class" : "ISM-control",
            "title" : "Control: ism-1622",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[08].control[2]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Oct-20"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1622_smt",
              "name" : "statement",
              "prose" : "PowerShell is configured to use Constrained Language Mode."
            } ]
          }, {
            "id" : "ism-1623",
            "class" : "ISM-control",
            "title" : "Control: ism-1623",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[1].group[08].control[3]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1623_smt",
              "name" : "statement",
              "prose" : "PowerShell module logging, script block logging and transcription events are centrally logged."
            } ]
          } ]
        } ]
      }, {
        "title" : "User application hardening",
        "props" : [ {
          "name" : "sort-id",
          "value" : "catalog[1].group[15].group[2]"
        } ],
        "parts" : [ {
          "name" : "overview",
          "prose" : "# User applications\n\nThis section is applicable to user applications typically installed on user workstations, such as office productivity suites, web browsers and their extensions, email clients, Portable Document Format (PDF) applications, and security products (e.g. antivirus applications, device access control applications, HIPS and software firewalls). Information on server applications can be found in the ‘Server application hardening’ section of these guidelines.\n\n# Further information\n\nFurther information on cyber supply chain risk management can be found in the ‘Cyber supply chain risk management’ section of the [Guidelines for procurement and outsourcing](#f37a4848-0791-4870-b316-5536c2681c28).\n\nFurther information on vendors that have made a pledge to implement Secure by Design and Secure by Default principles and practices can be found on the United States’ Cybersecurity \\& Infrastructure Security Agency’s [Secure by Design Pledge](#4974639a-f41a-4280-ae06-33d1f13d6083) website.\n\nFurther information on patching or updating user applications can be found in the ‘System patching’ section of the [Guidelines for system management](#c6ca6620-ccd5-4c5d-b97c-9d92f1162948).\n\nFurther information on the implementation and configuration of security products can be found in the ‘Operating system hardening’ section of these guidelines.\n\nFurther information on hardening Microsoft Office can be found in ASD’s [Hardening Microsoft 365, Office 2021, Office 2019 and Office 2016](#58c9abfb-58fe-416e-a279-dfbfe123c99f) publication.\n\nFurther information on hardening Microsoft Office can also be found on the [Microsoft Security Baselines Blog](#0bf3a1ef-031a-419b-80c3-08a08b1cee9d) website.\n\nFurther information on hardening Microsoft Edge can be found on the [Microsoft Security Baselines Blog](#0bf3a1ef-031a-419b-80c3-08a08b1cee9d) website.\n\nFurther information on hardening Google Chrome can be found in Google’s [Chrome Browser Enterprise Security Configuration Guide (Windows)](#741ab440-5759-4571-894d-e499dea3a54c).\n\nFurther information on hardening Adobe Reader and Adobe Acrobat can be found in Adobe’s [Security Configuration Guide for Acrobat](#9ad09461-7b3d-4faf-bdcd-61df9952cf49) publication.\n\nFurther information on Microsoft’s attack surface reduction rules can be found on Microsoft’s [attack surface reduction rules overview](#82ae76a4-ed9e-4a7b-8bad-f1950c41eab7) website.\n\nFurther information on configuring Microsoft Office macro settings can be found in ASD’s [Restricting Microsoft Office macros](#dfb52998-0e7e-420d-97e1-d1313c8f919a) publication."
        } ],
        "groups" : [ {
          "title" : "Hardening user application configurations",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[15].group[2].group[3]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "When user applications are deployed in their default state, or with an unapproved configuration, it can lead to an insecure operating environment that may allow malicious actors to gain an initial foothold on networks. This can be especially risky for office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products as such applications are routinely targeted for exploitation. Many settings exist within such applications to allow them to be configured in an approved secure state in order to minimise this security risk. As such, ASD and vendors often produce hardening guidance to assist in hardening the configuration of these applications. Note, however, in situations where ASD and vendor hardening guidance conflicts, precedence should be given to implementing the most restrictive guidance."
          } ],
          "controls" : [ {
            "id" : "ism-1667",
            "class" : "ISM-control",
            "title" : "Control: ism-1667",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[3].control[05]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1667_smt",
              "name" : "statement",
              "prose" : "Microsoft Office is blocked from creating child processes."
            } ]
          }, {
            "id" : "ism-1668",
            "class" : "ISM-control",
            "title" : "Control: ism-1668",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[3].control[06]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1668_smt",
              "name" : "statement",
              "prose" : "Microsoft Office is blocked from creating executable content."
            } ]
          }, {
            "id" : "ism-1669",
            "class" : "ISM-control",
            "title" : "Control: ism-1669",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[3].control[07]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1669_smt",
              "name" : "statement",
              "prose" : "Microsoft Office is blocked from injecting code into other processes."
            } ]
          }, {
            "id" : "ism-1542",
            "class" : "ISM-control",
            "title" : "Control: ism-1542",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[3].control[08]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jan-19"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1542_smt",
              "name" : "statement",
              "prose" : "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages."
            } ]
          }, {
            "id" : "ism-1859",
            "class" : "ISM-control",
            "title" : "Control: ism-1859",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[3].control[09]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1859_smt",
              "name" : "statement",
              "prose" : "Office productivity suites are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur."
            } ]
          }, {
            "id" : "ism-1823",
            "class" : "ISM-control",
            "title" : "Control: ism-1823",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[3].control[10]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Mar-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1823_smt",
              "name" : "statement",
              "prose" : "Office productivity suite security settings cannot be changed by users."
            } ]
          }, {
            "id" : "ism-1486",
            "class" : "ISM-control",
            "title" : "Control: ism-1486",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[3].control[11]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1486_smt",
              "name" : "statement",
              "prose" : "Web browsers do not process Java from the internet."
            } ]
          }, {
            "id" : "ism-1485",
            "class" : "ISM-control",
            "title" : "Control: ism-1485",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[3].control[12]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1485_smt",
              "name" : "statement",
              "prose" : "Web browsers do not process web advertisements from the internet."
            } ]
          }, {
            "id" : "ism-1412",
            "class" : "ISM-control",
            "title" : "Control: ism-1412",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[3].control[13]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "6"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1412_smt",
              "name" : "statement",
              "prose" : "Web browsers are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur."
            } ]
          }, {
            "id" : "ism-1585",
            "class" : "ISM-control",
            "title" : "Control: ism-1585",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[3].control[14]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Mar-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1585_smt",
              "name" : "statement",
              "prose" : "Web browser security settings cannot be changed by users."
            } ]
          }, {
            "id" : "ism-1670",
            "class" : "ISM-control",
            "title" : "Control: ism-1670",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[3].control[15]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-25"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1670_smt",
              "name" : "statement",
              "prose" : "PDF applications are blocked from creating child processes."
            } ]
          }, {
            "id" : "ism-1860",
            "class" : "ISM-control",
            "title" : "Control: ism-1860",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[3].control[16]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "3"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-25"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1860_smt",
              "name" : "statement",
              "prose" : "PDF applications are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur."
            } ]
          }, {
            "id" : "ism-1824",
            "class" : "ISM-control",
            "title" : "Control: ism-1824",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[3].control[17]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-25"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1824_smt",
              "name" : "statement",
              "prose" : "PDF application security settings cannot be changed by users."
            } ]
          } ]
        }, {
          "title" : "Microsoft Office macros",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[15].group[2].group[4]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "Microsoft Office files can contain embedded code, known as a macro, written in the Visual Basic for Applications programming language. A macro can contain a series of commands that can be coded or recorded and replayed at a later time to automate repetitive tasks. Macros are powerful tools that can be easily created by users to greatly improve their productivity. However, malicious actors can also create macros to perform a variety of malicious activities, such as assisting to compromise workstations in order to exfiltrate or deny access to data. To reduce this security risk, an organisation should disable Microsoft Office macros for users that do not have a demonstrated business requirement and secure their use for the remaining users that do."
          } ],
          "controls" : [ {
            "id" : "ism-1671",
            "class" : "ISM-control",
            "title" : "Control: ism-1671",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[4].control[01]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1671_smt",
              "name" : "statement",
              "prose" : "Microsoft Office macros are disabled for users that do not have a demonstrated business requirement."
            } ]
          }, {
            "id" : "ism-1488",
            "class" : "ISM-control",
            "title" : "Control: ism-1488",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[4].control[02]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1488_smt",
              "name" : "statement",
              "prose" : "Microsoft Office macros in files originating from the internet are blocked."
            } ]
          }, {
            "id" : "ism-1672",
            "class" : "ISM-control",
            "title" : "Control: ism-1672",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[4].control[03]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1672_smt",
              "name" : "statement",
              "prose" : "Microsoft Office macro antivirus scanning is enabled."
            } ]
          }, {
            "id" : "ism-1673",
            "class" : "ISM-control",
            "title" : "Control: ism-1673",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[4].control[04]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1673_smt",
              "name" : "statement",
              "prose" : "Microsoft Office macros are blocked from making Win32 API calls."
            } ]
          }, {
            "id" : "ism-1674",
            "class" : "ISM-control",
            "title" : "Control: ism-1674",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[4].control[05]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1674_smt",
              "name" : "statement",
              "prose" : "Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute."
            } ]
          }, {
            "id" : "ism-1890",
            "class" : "ISM-control",
            "title" : "Control: ism-1890",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[4].control[06]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1890_smt",
              "name" : "statement",
              "prose" : "Microsoft Office macros are checked to ensure they are free of malicious code before being digitally signed or placed within Trusted Locations."
            } ]
          }, {
            "id" : "ism-1487",
            "class" : "ISM-control",
            "title" : "Control: ism-1487",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[4].control[07]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1487_smt",
              "name" : "statement",
              "prose" : "Only privileged users responsible for checking that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations."
            } ]
          }, {
            "id" : "ism-1675",
            "class" : "ISM-control",
            "title" : "Control: ism-1675",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[4].control[08]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1675_smt",
              "name" : "statement",
              "prose" : "Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View."
            } ]
          }, {
            "id" : "ism-1891",
            "class" : "ISM-control",
            "title" : "Control: ism-1891",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[4].control[09]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1891_smt",
              "name" : "statement",
              "prose" : "Microsoft Office macros digitally signed by signatures other than V3 signatures cannot be enabled via the Message Bar or Backstage View."
            } ]
          }, {
            "id" : "ism-1676",
            "class" : "ISM-control",
            "title" : "Control: ism-1676",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[4].control[10]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1676_smt",
              "name" : "statement",
              "prose" : "Microsoft Office’s list of trusted publishers is validated on an annual or more frequent basis."
            } ]
          }, {
            "id" : "ism-1489",
            "class" : "ISM-control",
            "title" : "Control: ism-1489",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[2].group[4].control[11]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-18"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1489_smt",
              "name" : "statement",
              "prose" : "Microsoft Office macro security settings cannot be changed by users."
            } ]
          } ]
        } ]
      }, {
        "title" : "Authentication hardening",
        "props" : [ {
          "name" : "sort-id",
          "value" : "catalog[1].group[15].group[4]"
        } ],
        "parts" : [ {
          "name" : "overview",
          "prose" : "# User accounts and authentication types\n\nThe guidance within this section is equally applicable to all user accounts unless specified otherwise. This includes unprivileged user accounts and privileged user accounts, which includes break glass accounts and service accounts. In addition, the guidance is equally applicable to interactive authentication and non-interactive authentication.\n\n# Further information\n\nFurther information on implementing multi-factor authentication can be found in ASD’s [Implementing multi-factor authentication](#83e3a9b1-5057-4531-91dd-03c8d92634b0) publication.\n\nFurther information on event logging can be found in the ‘Event logging and monitoring’ section of the [Guidelines for system monitoring](#edc24216-f52b-4513-bcda-5fa564661999).\n\nFurther information on [randomly generating passphrases](#58282062-5c17-476a-98b1-105a627cd28d) is available from the Electronic Frontier Foundation while a [random dice roller](#0508be6f-cb97-44da-b212-42416a0048b0) is available from RANDOM.ORG.\n\nFurther information on how to [secure group Managed Service Accounts](#91b92563-d991-40fa-9adc-548df9f6c496) in Microsoft Windows Server is available from Microsoft.\n\nFurther information on changing credentials for the Kerberos Key Distribution Center’s service account can be found in Microsoft’s [Active Directory accounts](#ae426d0a-adb6-43b8-a463-faa33e83b679) and [Active Directory Forest Recovery - Reset the krbtgt password](#3e5a98e5-9219-46c8-81c2-e3a4d13407ce) publications. 
A script for [changing credentials for this service account](#f74ba095-a7f7-4b8c-9e60-5fe84f2a2d0b) is also available from Microsoft.\n\nFurther information on [memory integrity functionality](#d446dea3-c36d-45af-9623-05b686624af0) is available from Microsoft.\n\nFurther information on [Local Security Authority protection functionality](#3f43c8d2-8a8c-4e2f-af80-48a607bce643) is available from Microsoft.\n\nFurther information on [Credential Guard functionality](#8d53ee7f-54c2-4380-8408-f7403db30ba1) and [Remote Credential Guard functionality](#92975dff-58e0-4813-842b-f27c0533ca56) is available from Microsoft."
        } ],
        "groups" : [ {
          "title" : "Multi-factor authentication",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[15].group[4].group[03]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "Multi-factor authentication uses two or more different authentication factors. This may include:\n\n- something users know, such as a password\n- something users have, such as a security key, smart card, passkey, smartphone or one-time password token\n- something users are, such as a fingerprint pattern or their facial geometry.\n\nUsers of online services, privileged users of systems and users with access to data repositories are more likely to be targeted by malicious actors due to their access. For this reason, it is especially important that multi-factor authentication is used for these user accounts. In addition, multi-factor authentication is vital to any administrative activities as it can limit the consequences of a compromise by preventing or slowing malicious actors’ ability to gain unrestricted access to assets. In this regard, multi-factor authentication can be implemented as part of jump server authentication where assets being administered do not support multi-factor authentication themselves.\n\nWhen implementing multi-factor authentication, several different authentication factors can be implemented. Unfortunately, some authentication factors, such as biometrics or codes sent via Short Message Service, Voice over Internet Protocol or email, are more susceptible to compromise than others. For this reason, authentication factors that involve something users have should be used with something users know. Alternatively, something users have that is unlocked by something users know or are (often known as passwordless multi-factor authentication) can be used. 
Furthermore, for increased security, the use of phishing-resistant multi-factor authentication is recommended to protect against real-time phishing attacks.\n\nFinally, centrally logging and analysing multi-factor authentication events can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents."
          } ],
          "controls" : [ {
            "id" : "ism-1504",
            "class" : "ISM-control",
            "title" : "Control: ism-1504",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[03].control[01]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "3"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1504_smt",
              "name" : "statement",
              "prose" : "Multi-factor authentication is used to authenticate users to their organisation’s online services that process, store or communicate their organisation’s sensitive data."
            } ]
          }, {
            "id" : "ism-1679",
            "class" : "ISM-control",
            "title" : "Control: ism-1679",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[03].control[02]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1679_smt",
              "name" : "statement",
              "prose" : "Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their organisation’s sensitive data."
            } ]
          }, {
            "id" : "ism-1680",
            "class" : "ISM-control",
            "title" : "Control: ism-1680",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[03].control[03]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1680_smt",
              "name" : "statement",
              "prose" : "Multi-factor authentication (where available) is used to authenticate users to third-party online services that process, store or communicate their organisation’s non-sensitive data."
            } ]
          }, {
            "id" : "ism-1892",
            "class" : "ISM-control",
            "title" : "Control: ism-1892",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[03].control[04]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1892_smt",
              "name" : "statement",
              "prose" : "Multi-factor authentication is used to authenticate users to their organisation’s online customer services that process, store or communicate their organisation’s sensitive customer data."
            } ]
          }, {
            "id" : "ism-1893",
            "class" : "ISM-control",
            "title" : "Control: ism-1893",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[03].control[05]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1893_smt",
              "name" : "statement",
              "prose" : "Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or communicate their organisation’s sensitive customer data."
            } ]
          }, {
            "id" : "ism-1681",
            "class" : "ISM-control",
            "title" : "Control: ism-1681",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[03].control[06]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "3"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1681_smt",
              "name" : "statement",
              "prose" : "Multi-factor authentication is used to authenticate customers to online customer services that process, store or communicate sensitive customer data."
            } ]
          }, {
            "id" : "ism-1173",
            "class" : "ISM-control",
            "title" : "Control: ism-1173",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[03].control[08]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "4"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1173_smt",
              "name" : "statement",
              "prose" : "Multi-factor authentication is used to authenticate privileged users of systems."
            } ]
          }, {
            "id" : "ism-0974",
            "class" : "ISM-control",
            "title" : "Control: ism-0974",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[03].control[09]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "6"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-0974_smt",
              "name" : "statement",
              "prose" : "Multi-factor authentication is used to authenticate unprivileged users of systems."
            } ]
          }, {
            "id" : "ism-1505",
            "class" : "ISM-control",
            "title" : "Control: ism-1505",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[03].control[10]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "3"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1505_smt",
              "name" : "statement",
              "prose" : "Multi-factor authentication is used to authenticate users of data repositories."
            } ]
          }, {
            "id" : "ism-1401",
            "class" : "ISM-control",
            "title" : "Control: ism-1401",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[03].control[11]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "5"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1401_smt",
              "name" : "statement",
              "prose" : "Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are."
            } ]
          }, {
            "id" : "ism-1872",
            "class" : "ISM-control",
            "title" : "Control: ism-1872",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[03].control[12]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1872_smt",
              "name" : "statement",
              "prose" : "Multi-factor authentication used for authenticating users of online services is phishing-resistant."
            } ]
          }, {
            "id" : "ism-1874",
            "class" : "ISM-control",
            "title" : "Control: ism-1874",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[03].control[14]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1874_smt",
              "name" : "statement",
              "prose" : "Multi-factor authentication used for authenticating customers of online customer services is phishing-resistant."
            } ]
          }, {
            "id" : "ism-1682",
            "class" : "ISM-control",
            "title" : "Control: ism-1682",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[03].control[15]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "3"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1682_smt",
              "name" : "statement",
              "prose" : "Multi-factor authentication used for authenticating users of systems is phishing-resistant."
            } ]
          }, {
            "id" : "ism-1894",
            "class" : "ISM-control",
            "title" : "Control: ism-1894",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[03].control[16]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1894_smt",
              "name" : "statement",
              "prose" : "Multi-factor authentication used for authenticating users of data repositories is phishing-resistant."
            } ]
          }, {
            "id" : "ism-1683",
            "class" : "ISM-control",
            "title" : "Control: ism-1683",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[03].control[19]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1683_smt",
              "name" : "statement",
              "prose" : "Successful and unsuccessful multi-factor authentication events are centrally logged."
            } ]
          } ]
        }, {
          "title" : "Setting credentials for built-in Administrator accounts, break glass accounts, local administrator accounts and service accounts",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[15].group[4].group[07]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "When built-in Administrator accounts, break glass accounts, local administrator accounts and service accounts use common usernames or weak credentials, it may allow malicious actors that compromise credentials on one workstation or server to easily compromise other workstations and servers. As such, it is critical that credentials for the built-in Administrator account, break glass accounts, local administrator accounts and service accounts in each domain are long, unique, unpredictable and managed.\n\nTo provide additional security and credential management functionality for service accounts, Microsoft introduced group Managed Service Accounts to Microsoft Windows Server. In doing so, service accounts that are created as group Managed Service Accounts do not require manual credential management by system administrators, as the operating system automatically ensures that they are long, unique, unpredictable and managed. This ensures that service account credentials are secure, not misplaced or forgotten, and that they are automatically changed on a regular basis. However, in cases where the use of group Managed Service Accounts is not possible, credentials for service accounts should still be unique, unpredictable and random with a minimum length of 30 characters."
          } ],
          "controls" : [ {
            "id" : "ism-1685",
            "class" : "ISM-control",
            "title" : "Control: ism-1685",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[07].control[2]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1685_smt",
              "name" : "statement",
              "prose" : "Credentials for break glass accounts, local administrator accounts and service accounts are long, unique, unpredictable and managed."
            } ]
          } ]
        }, {
          "title" : "Protecting credentials",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[15].group[4].group[09]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "Obscuring credentials as they are entered into systems can assist in protecting them against screen scrapers and shoulder surfers. In addition, physical credentials, such as written down credentials (e.g. passwords) and dedicated devices that store or generate credentials (e.g. security keys, smart cards and one-time password tokens), when kept together with systems they are used to authenticate to, can increase the likelihood of malicious actors gaining unauthorised access to systems. For example, when smart cards are left on card readers, one-time password tokens are left in laptop computer bags, security keys are left connected to computers or passwords are written down and stuck to computer monitors. To reduce this security risk, physical credentials should be kept separate from systems they are used to authenticate to, except for when performing authentication activities.\n\nIf storing credentials on systems, sufficient protection should be implemented to prevent them from being compromised. For example, credentials can be stored in a password manager or hardware security module, while credentials stored in a database should be hashed, salted and stretched.\n\nWhen using Microsoft Windows systems, memory integrity, Local Security Authority protection, Credential Guard and Remote Credential Guard functionality, all preferably with a Unified Extensible Firmware Interface (UEFI) lock, can be enabled to provide additional protection for credentials. In addition, malicious actors that have access to systems may attempt to steal cached credentials. To reduce this security risk, cached credentials should be limited to only one previous logon.\n\nFinally, an organisation should regularly scan their systems to detect and remediate any credentials that are being stored in an unprotected manner, such as in the clear in documents, on network file shares or in other data repositories."
          } ],
          "controls" : [ {
            "id" : "ism-1896",
            "class" : "ISM-control",
            "title" : "Control: ism-1896",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[09].control[06]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1896_smt",
              "name" : "statement",
              "prose" : "Memory integrity functionality is enabled."
            } ]
          }, {
            "id" : "ism-1861",
            "class" : "ISM-control",
            "title" : "Control: ism-1861",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[09].control[07]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1861_smt",
              "name" : "statement",
              "prose" : "Local Security Authority protection functionality is enabled."
            } ]
          }, {
            "id" : "ism-1686",
            "class" : "ISM-control",
            "title" : "Control: ism-1686",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[09].control[08]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1686_smt",
              "name" : "statement",
              "prose" : "Credential Guard functionality is enabled."
            } ]
          }, {
            "id" : "ism-1897",
            "class" : "ISM-control",
            "title" : "Control: ism-1897",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[15].group[4].group[09].control[09]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1897_smt",
              "name" : "statement",
              "prose" : "Remote Credential Guard functionality is enabled."
            } ]
          } ]
        } ]
      } ]
    }, {
      "title" : "Guidelines for system management",
      "props" : [ {
        "name" : "sort-id",
        "value" : "catalog[1].group[16]"
      } ],
      "groups" : [ {
        "title" : "System administration",
        "props" : [ {
          "name" : "sort-id",
          "value" : "catalog[1].group[16].group[1]"
        } ],
        "parts" : [ {
          "name" : "overview",
          "prose" : "# System administration of cloud services\n\nSystem administration of cloud services brings unique challenges when compared to system administration of on-premises assets. Notably, responsibility for system administration of cloud services is often shared between service providers and their customers. As the system administration processes and procedures implemented by service providers are often opaque to their customers, customers should consider a service provider’s control plane to operate within a different security domain.\n\n# Further information\n\nFurther information on system administration can be found in the Australian Signals Directorate’s (ASD) [Secure administration](#131048c7-a2e7-4da3-9257-7a058b06c1f8) publication.\n\nFurther information on change and configuration management plans can be found in the ‘System-specific cyber security documentation’ section of the [Guidelines for cyber security documentation](#578d0434-6b3f-46f3-aad8-c7ac75c2ebcc).\n\nFurther information on the use of privileged user accounts for system administration activities can be found in the ‘Access to systems and their resources’ section of the [Guidelines for personnel security](#7d16ae67-87a7-4861-b939-e13ec279b5a2).\n\nFurther information on network segmentation and segregation can be found in the ‘Network design and configuration’ section of the [Guidelines for networking](#f145ff5b-d396-4248-8f48-621349d6f0ed)."
        } ],
        "groups" : [ {
          "title" : "Separate privileged operating environments",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[16].group[1].group[2]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "One of the greatest threats to the security of networks is the compromise of privileged user accounts. Providing a separate privileged operating environment for system administrators, in addition to their unprivileged operating environment, makes it much harder for administrative activities and privileged user accounts to be compromised by malicious actors.\n\nUsing different physical workstations, with one being a dedicated Secure Admin Workstation, is the most secure approach to separating privileged and unprivileged operating environments for system administrators. However, a trusted and hardened virtualisation-based solution may be sufficient for separating privileged and unprivileged operating environments on the same Secure Admin Workstation. In such cases, privileged operating environments should not be virtualised within unprivileged operating environments."
          } ],
          "controls" : [ {
            "id" : "ism-1898",
            "class" : "ISM-control",
            "title" : "Control: ism-1898",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[1].group[2].control[1]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1898_smt",
              "name" : "statement",
              "prose" : "Secure Admin Workstations are used in the performance of administrative activities."
            } ]
          }, {
            "id" : "ism-1380",
            "class" : "ISM-control",
            "title" : "Control: ism-1380",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[1].group[2].control[2]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "5"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1380_smt",
              "name" : "statement",
              "prose" : "Privileged users use separate privileged and unprivileged operating environments."
            } ]
          }, {
            "id" : "ism-1687",
            "class" : "ISM-control",
            "title" : "Control: ism-1687",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[1].group[2].control[3]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1687_smt",
              "name" : "statement",
              "prose" : "Privileged operating environments are not virtualised within unprivileged operating environments."
            } ]
          }, {
            "id" : "ism-1688",
            "class" : "ISM-control",
            "title" : "Control: ism-1688",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[1].group[2].control[4]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-24"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1688_smt",
              "name" : "statement",
              "prose" : "Unprivileged user accounts cannot logon to privileged operating environments."
            } ]
          }, {
            "id" : "ism-1689",
            "class" : "ISM-control",
            "title" : "Control: ism-1689",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[1].group[2].control[5]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-24"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1689_smt",
              "name" : "statement",
              "prose" : "Privileged user accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments."
            } ]
          } ]
        }, {
          "title" : "Administrative infrastructure",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[16].group[1].group[3]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "The security of administrative activities can be improved by segregating administrative infrastructure from the wider network and the internet. In doing so, the use of a jump server (also known as a jump host or jump box) that allows only necessary ports and services to be used can be an effective way of simplifying and securing administrative activities. Specifically, a jump server can provide filtering of network management traffic while also acting as a focal point to perform multi-factor authentication; store and manage administrative tools; and perform logging, monitoring and alerting activities. In addition, using separate jump servers for the administration of critical servers (such as Microsoft Active Directory Domain Services domain controllers, Microsoft Active Directory Certificate Services Certification Authority servers, Microsoft Active Directory Federation Services servers and Microsoft Entra Connect servers), high-value servers (such as Domain Name System servers, database servers, email servers, file servers and web servers) and regular servers can further assist in protecting these assets."
          } ],
          "controls" : [ {
            "id" : "ism-1387",
            "class" : "ISM-control",
            "title" : "Control: ism-1387",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[1].group[3].control[4]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1387_smt",
              "name" : "statement",
              "prose" : "Administrative activities are conducted through jump servers."
            } ]
          } ]
        } ]
      }, {
        "title" : "System patching",
        "props" : [ {
          "name" : "sort-id",
          "value" : "catalog[1].group[16].group[2]"
        } ],
        "parts" : [ {
          "name" : "overview",
          "prose" : "# Further information\n\nFurther information on system patching can be found in ASD’s [Patching applications and operating systems](#02fb4cb5-e4c4-4097-97a2-f1b6aa04131a) publication.\n\nFurther information on patching evaluated products can be found in the ‘Evaluated product usage’ section of the [Guidelines for evaluated products](#a699a3aa-828d-479b-b50b-98127bb19437).\n\nFurther information on managing risks associated with legacy IT can be found in ASD’s [Managing the risks of legacy IT: Executive guidance](#065263a6-4634-4a52-bd3f-48b83bf437d8) and [Managing the risks of legacy IT: Practitioner guidance](#089badd3-ed47-4597-8b1f-bce3e42f4ac4) publications.\n\nFurther information on cessation of support for Microsoft Windows operating systems, including potential compensating controls for use beyond their cessation date for support, can be found in ASD’s [End of support for Microsoft Windows and Microsoft Windows Server](#d36ce452-ec21-4b05-89c1-f29a444a3dca) publication.\n\nFurther information on hardening user applications can be found in the ‘User application hardening’ section of the [Guidelines for system hardening](#de7525f3-a466-40a5-abdd-3ae24a6d1b44).\n\nFurther information on hardening server applications can be found in the ‘Server application hardening’ section of the [Guidelines for system hardening](#de7525f3-a466-40a5-abdd-3ae24a6d1b44)."
        } ],
        "groups" : [ {
          "title" : "Scanning for unmitigated vulnerabilities",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[16].group[2].group[3]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "To ensure that patches or updates are being applied to applications, operating systems, drivers and firmware, it is essential that an organisation regularly identifies all assets within their environment using an automated method of asset discovery, such as an asset discovery tool or a vulnerability scanner with equivalent functionality. Following asset discovery, identified assets can be scanned for missing patches or updates using a vulnerability scanner with an up-to-date vulnerability database. Ideally, vulnerability scanning should be conducted in an automated manner and take place at twice the frequency in which patches or updates need to be applied. For example, if patches or updates are to be applied within two weeks of release then vulnerability scanning should be undertaken at least weekly."
          } ],
          "controls" : [ {
            "id" : "ism-1807",
            "class" : "ISM-control",
            "title" : "Control: ism-1807",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[3].control[01]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-22"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1807_smt",
              "name" : "statement",
              "prose" : "An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities."
            } ]
          }, {
            "id" : "ism-1808",
            "class" : "ISM-control",
            "title" : "Control: ism-1808",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[3].control[02]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-22"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1808_smt",
              "name" : "statement",
              "prose" : "A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities."
            } ]
          }, {
            "id" : "ism-1698",
            "class" : "ISM-control",
            "title" : "Control: ism-1698",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[3].control[03]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1698_smt",
              "name" : "statement",
              "prose" : "A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services."
            } ]
          }, {
            "id" : "ism-1699",
            "class" : "ISM-control",
            "title" : "Control: ism-1699",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[3].control[04]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-25"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1699_smt",
              "name" : "statement",
              "prose" : "A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products."
            } ]
          }, {
            "id" : "ism-1700",
            "class" : "ISM-control",
            "title" : "Control: ism-1700",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[3].control[05]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "3"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-25"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1700_smt",
              "name" : "statement",
              "prose" : "A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products."
            } ]
          }, {
            "id" : "ism-1701",
            "class" : "ISM-control",
            "title" : "Control: ism-1701",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[3].control[06]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1701_smt",
              "name" : "statement",
              "prose" : "A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices."
            } ]
          }, {
            "id" : "ism-1702",
            "class" : "ISM-control",
            "title" : "Control: ism-1702",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[3].control[07]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1702_smt",
              "name" : "statement",
              "prose" : "A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices."
            } ]
          }, {
            "id" : "ism-1703",
            "class" : "ISM-control",
            "title" : "Control: ism-1703",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[3].control[09]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1703_smt",
              "name" : "statement",
              "prose" : "A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in drivers."
            } ]
          }, {
            "id" : "ism-1900",
            "class" : "ISM-control",
            "title" : "Control: ism-1900",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[3].control[10]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1900_smt",
              "name" : "statement",
              "prose" : "A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in firmware."
            } ]
          } ]
        }, {
          "title" : "Mitigating known vulnerabilities",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[16].group[2].group[4]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "When patches or updates are released by vendors for vulnerabilities, an organisation should apply them in a timeframe commensurate with the likelihood of attempted exploitation by malicious actors. For example, by prioritising patches or updates for vulnerabilities in online services as well as operating systems of internet-facing servers and internet-facing network devices. This is especially important when vulnerabilities are assessed as critical by vendors or working exploits exist.\n\nIf no patches or updates are available for vulnerabilities, mitigation advice from vendors, trustworthy authorities or security researchers may provide some protection until patches or updates are made available. Such mitigation advice may be published in conjunction with, or soon after, announcements made relating to vulnerabilities. Mitigation advice may cover how to disable or block access to vulnerable functionality, how to reconfigure vulnerable functionality, or how to detect attempted or successful exploitation of vulnerable functionality.\n\nIf a patch or update is released for high assurance IT equipment, ASD will conduct an assessment of the patch or update. Subsequently, if the patch or update is approved for deployment, ASD will provide guidance on the methods and timeframes in which it is to be applied."
          } ],
          "controls" : [ {
            "id" : "ism-1876",
            "class" : "ISM-control",
            "title" : "Control: ism-1876",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[4].control[01]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1876_smt",
              "name" : "statement",
              "prose" : "Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist."
            } ]
          }, {
            "id" : "ism-1690",
            "class" : "ISM-control",
            "title" : "Control: ism-1690",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[4].control[02]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1690_smt",
              "name" : "statement",
              "prose" : "Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist."
            } ]
          }, {
            "id" : "ism-1692",
            "class" : "ISM-control",
            "title" : "Control: ism-1692",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[4].control[04]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-25"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1692_smt",
              "name" : "statement",
              "prose" : "Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist."
            } ]
          }, {
            "id" : "ism-1901",
            "class" : "ISM-control",
            "title" : "Control: ism-1901",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[4].control[05]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-25"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1901_smt",
              "name" : "statement",
              "prose" : "Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist."
            } ]
          }, {
            "id" : "ism-1693",
            "class" : "ISM-control",
            "title" : "Control: ism-1693",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[4].control[06]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "3"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-25"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1693_smt",
              "name" : "statement",
              "prose" : "Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products are applied within one month of release."
            } ]
          }, {
            "id" : "ism-1877",
            "class" : "ISM-control",
            "title" : "Control: ism-1877",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[4].control[07]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1877_smt",
              "name" : "statement",
              "prose" : "Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist."
            } ]
          }, {
            "id" : "ism-1694",
            "class" : "ISM-control",
            "title" : "Control: ism-1694",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[4].control[08]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1694_smt",
              "name" : "statement",
              "prose" : "Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist."
            } ]
          }, {
            "id" : "ism-1696",
            "class" : "ISM-control",
            "title" : "Control: ism-1696",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[4].control[10]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1696_smt",
              "name" : "statement",
              "prose" : "Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist."
            } ]
          }, {
            "id" : "ism-1902",
            "class" : "ISM-control",
            "title" : "Control: ism-1902",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[4].control[11]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1902_smt",
              "name" : "statement",
              "prose" : "Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist."
            } ]
          }, {
            "id" : "ism-1879",
            "class" : "ISM-control",
            "title" : "Control: ism-1879",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[4].control[14]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1879_smt",
              "name" : "statement",
              "prose" : "Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist."
            } ]
          }, {
            "id" : "ism-1697",
            "class" : "ISM-control",
            "title" : "Control: ism-1697",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[4].control[15]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1697_smt",
              "name" : "statement",
              "prose" : "Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist."
            } ]
          }, {
            "id" : "ism-1903",
            "class" : "ISM-control",
            "title" : "Control: ism-1903",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[4].control[16]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1903_smt",
              "name" : "statement",
              "prose" : "Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist."
            } ]
          }, {
            "id" : "ism-1904",
            "class" : "ISM-control",
            "title" : "Control: ism-1904",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[4].control[17]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1904_smt",
              "name" : "statement",
              "prose" : "Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist."
            } ]
          } ]
        }, {
          "title" : "Cessation of support",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[16].group[2].group[5]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "When applications, operating systems, network devices and networked IT equipment reach their cessation date for support, and become legacy IT, an organisation will find it increasingly difficult to protect them against vulnerabilities as patches, updates and other forms of support will no longer be made available by vendors. As such, unsupported applications, operating systems, network devices and networked IT equipment should be removed or replaced.\n\nIn planning for cessation of support, it is important to note that while vendors generally advise the cessation date for support of operating systems well in advance, some applications, network devices and networked IT equipment may cease to receive support immediately after newer versions are released.\n\nFinally, when the immediate removal or replacement of unsupported applications, operating systems, network devices or networked IT equipment is not possible, compensating controls should be implemented until such time that they can be removed or replaced."
          } ],
          "controls" : [ {
            "id" : "ism-1905",
            "class" : "ISM-control",
            "title" : "Control: ism-1905",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[5].control[1]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1905_smt",
              "name" : "statement",
              "prose" : "Online services that are no longer supported by vendors are removed."
            } ]
          }, {
            "id" : "ism-1704",
            "class" : "ISM-control",
            "title" : "Control: ism-1704",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[5].control[2]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "3"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-25"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1704_smt",
              "name" : "statement",
              "prose" : "Office productivity suites, web browsers and their extensions, email clients, PDF applications, Adobe Flash Player, and security products that are no longer supported by vendors are removed."
            } ]
          }, {
            "id" : "ism-0304",
            "class" : "ISM-control",
            "title" : "Control: ism-0304",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[5].control[3]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "8"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Jun-25"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-0304_smt",
              "name" : "statement",
              "prose" : "Applications other than office productivity suites, web browsers and their extensions, email clients, PDF applications, Adobe Flash Player, and security products that are no longer supported by vendors are removed."
            } ]
          }, {
            "id" : "ism-1501",
            "class" : "ISM-control",
            "title" : "Control: ism-1501",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[2].group[5].control[4]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-21"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1501_smt",
              "name" : "statement",
              "prose" : "Operating systems that are no longer supported by vendors are replaced."
            } ]
          } ]
        } ]
      }, {
        "title" : "Data backup and restoration",
        "props" : [ {
          "name" : "sort-id",
          "value" : "catalog[1].group[16].group[3]"
        } ],
        "parts" : [ {
          "name" : "overview",
          "prose" : "# Further information\n\nFurther information on [digital preservation planning](#53da8dba-961e-4222-94e0-68cb9510384d) and [data retention](#348be728-4459-4447-990e-1dfb3049c71f) is available from the National Archives of Australia.\n\nFurther information on the collection and retention of personal information can be found in the Office of the Australian Information Commissioner’s [Australian Privacy Principles](#bac2c6f2-9356-46d2-b7c4-9af7393008df) and the associated [Australian Privacy Principles guidelines](#1e4a57a2-2832-441d-8ea4-12a98d2be417).\n\nFurther information on business continuity and disaster recovery planning can be found in the ‘Chief information security officer’ section of the [Guidelines for cyber security roles](#626dab35-81ab-45fe-8c12-0faff1c23c07)."
        } ],
        "groups" : [ {
          "title" : "Performing and retaining backups",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[16].group[3].group[3]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "To mitigate the security risk of losing system availability or data as part of a ransomware attack, or other form of destructive attack, backups of data, applications and settings should be performed and retained in accordance with an organisation’s business criticality and business continuity requirements. In doing so, backups of all data, applications and settings should be synchronised to enable restoration to a common point in time. Furthermore, it is essential that all backups are retained in a secure and resilient manner. This will ensure that should a system fall victim to a ransomware attack, or other form of destructive attack, data will not be lost and, if necessary, systems can be quickly restored."
          } ],
          "controls" : [ {
            "id" : "ism-1511",
            "class" : "ISM-control",
            "title" : "Control: ism-1511",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[3].group[3].control[1]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "4"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1511_smt",
              "name" : "statement",
              "prose" : "Backups of data, applications and settings are performed and retained in accordance with business criticality and business continuity requirements."
            } ]
          }, {
            "id" : "ism-1810",
            "class" : "ISM-control",
            "title" : "Control: ism-1810",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[3].group[3].control[2]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1810_smt",
              "name" : "statement",
              "prose" : "Backups of data, applications and settings are synchronised to enable restoration to a common point in time."
            } ]
          }, {
            "id" : "ism-1811",
            "class" : "ISM-control",
            "title" : "Control: ism-1811",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[3].group[3].control[3]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1811_smt",
              "name" : "statement",
              "prose" : "Backups of data, applications and settings are retained in a secure and resilient manner."
            } ]
          } ]
        }, {
          "title" : "Backup access",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[16].group[3].group[4]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "To mitigate the security risk of unauthorised access to backups, an organisation should ensure that access to backups is controlled through the use of appropriate access controls."
          } ],
          "controls" : [ {
            "id" : "ism-1812",
            "class" : "ISM-control",
            "title" : "Control: ism-1812",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[3].group[4].control[1]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-24"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1812_smt",
              "name" : "statement",
              "prose" : "Unprivileged user accounts cannot access backups belonging to other user accounts."
            } ]
          }, {
            "id" : "ism-1813",
            "class" : "ISM-control",
            "title" : "Control: ism-1813",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[3].group[4].control[2]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-24"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1813_smt",
              "name" : "statement",
              "prose" : "Unprivileged user accounts cannot access their own backups."
            } ]
          }, {
            "id" : "ism-1705",
            "class" : "ISM-control",
            "title" : "Control: ism-1705",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[3].group[4].control[3]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-24"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1705_smt",
              "name" : "statement",
              "prose" : "Privileged user accounts (excluding backup administrator accounts) cannot access backups belonging to other user accounts."
            } ]
          }, {
            "id" : "ism-1706",
            "class" : "ISM-control",
            "title" : "Control: ism-1706",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[3].group[4].control[4]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-24"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1706_smt",
              "name" : "statement",
              "prose" : "Privileged user accounts (excluding backup administrator accounts) cannot access their own backups."
            } ]
          } ]
        }, {
          "title" : "Backup modification and deletion",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[16].group[3].group[5]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "To mitigate the security risk of backups being accidentally or maliciously modified or deleted, an organisation should ensure that backups are sufficiently protected from unauthorised modification and deletion through the use of appropriate access controls during their retention period."
          } ],
          "controls" : [ {
            "id" : "ism-1814",
            "class" : "ISM-control",
            "title" : "Control: ism-1814",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[3].group[5].control[1]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-24"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1814_smt",
              "name" : "statement",
              "prose" : "Unprivileged user accounts are prevented from modifying and deleting backups."
            } ]
          }, {
            "id" : "ism-1707",
            "class" : "ISM-control",
            "title" : "Control: ism-1707",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[3].group[5].control[2]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Sep-24"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1707_smt",
              "name" : "statement",
              "prose" : "Privileged user accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups."
            } ]
          }, {
            "id" : "ism-1708",
            "class" : "ISM-control",
            "title" : "Control: ism-1708",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[3].group[5].control[3]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "2"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1708_smt",
              "name" : "statement",
              "prose" : "Backup administrator accounts are prevented from modifying and deleting backups during their retention period."
            } ]
          } ]
        }, {
          "title" : "Testing restoration of backups",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[16].group[3].group[6]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "To ensure that backups can be restored when the need arises, and that any dependencies can be identified and managed beforehand, it is important that the restoration of data, applications and settings from backups to a common point in time is tested in a coordinated manner as part of disaster recovery exercises."
          } ],
          "controls" : [ {
            "id" : "ism-1515",
            "class" : "ISM-control",
            "title" : "Control: ism-1515",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[16].group[3].group[6].control[1]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "4"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML1"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1515_smt",
              "name" : "statement",
              "prose" : "Restoration of data, applications and settings from backups to a common point in time is tested as part of disaster recovery exercises."
            } ]
          } ]
        } ]
      } ]
    }, {
      "title" : "Guidelines for system monitoring",
      "props" : [ {
        "name" : "sort-id",
        "value" : "catalog[1].group[17]"
      } ],
      "groups" : [ {
        "title" : "Event logging and monitoring",
        "props" : [ {
          "name" : "sort-id",
          "value" : "catalog[1].group[17].group[1]"
        } ],
        "parts" : [ {
          "name" : "overview",
          "prose" : "# Event logging and monitoring activities\n\nThese guidelines are intended for security-relevant event logs. They are not intended for non-security-relevant event logs, such as operating system and application performance-related event logs.\n\n# Further information\n\nFurther information on logging intrusion activity can be found in the ‘Managing cyber security incidents’ section of the [Guidelines for cyber security incidents](#fe0138db-e83b-4a23-85d3-d84e1c22816f).\n\nFurther information on event logging for application-based security products can be found in the ‘Operating system hardening’ section of the [Guidelines for system hardening](#de7525f3-a466-40a5-abdd-3ae24a6d1b44).\n\nFurther information on event logging for artificial intelligence applications can be found in the ‘Software development fundamentals’ section of the [Guidelines for software development](#506198a8-7ae8-4c95-8b7b-2a4833cfab4b).\n\nFurther information on event logging for Cross Domain Solutions can be found in the ‘Cross Domain Solutions’ section of the [Guidelines for gateways](#e8bde527-526c-4a6a-b66f-05228f09dd7b).\n\nFurther information on event logging for databases can be found in the ‘Databases’ section of the [Guidelines for database systems](#3f349d16-11a1-459a-a299-c9446aea7597).\n\nFurther information on event logging for gateways can be found in the ‘Gateways’ section of the [Guidelines for gateways](#e8bde527-526c-4a6a-b66f-05228f09dd7b).\n\nFurther information on event logging for mobile applications can be found in the ‘Software development fundamentals’ section of the [Guidelines for software development](#506198a8-7ae8-4c95-8b7b-2a4833cfab4b).\n\nFurther information on event logging for multifunction devices can be found in the ‘Multifunction devices’ section of the [Guidelines for communications systems](#3a7b903b-ed0d-450d-9123-60f6f8fd5dd2).\n\nFurther information on event logging for network-based security products can be found in the ‘Network 
design and configuration’ section of the [Guidelines for networking](#f145ff5b-d396-4248-8f48-621349d6f0ed).\n\nFurther information on event logging for operating systems can be found in the ‘Operating system hardening’ and ‘Authentication hardening’ sections of the [Guidelines for system hardening](#de7525f3-a466-40a5-abdd-3ae24a6d1b44).\n\nFurther information on event logging for server applications can be found in the ‘Server application hardening’ section of the [Guidelines for system hardening](#de7525f3-a466-40a5-abdd-3ae24a6d1b44).\n\nFurther information on event logging for system access can be found in the ‘Access to systems and their resources’ section of the [Guidelines for personnel security](#7d16ae67-87a7-4861-b939-e13ec279b5a2).\n\nFurther information on event logging for user applications can be found in the ‘User application hardening’ section of the [Guidelines for system hardening](#de7525f3-a466-40a5-abdd-3ae24a6d1b44).\n\nFurther information on event logging for web applications can be found in the ‘Software development’ section of the [Guidelines for software development](#506198a8-7ae8-4c95-8b7b-2a4833cfab4b).\n\nFurther information on event logging for web proxies can be found in the ‘Web proxies’ section of the [Guidelines for gateways](#e8bde527-526c-4a6a-b66f-05228f09dd7b).\n\nFurther information on event logging can be found in the following Australian Signals Directorate publications:\n\n- [Best practices for event logging and threat detection](#b95c4745-572a-4121-b4e1-d0baa90a84fc)\n- [Detecting and mitigating Active Directory compromises](#331263bc-3314-496b-9d35-76788eb0f403)\n- [Hardening Microsoft Windows 10 workstations](#9209d9cd-86c1-486f-890e-1edfa4545093)\n- [Hardening Microsoft Windows 11 workstations](#43fbcaf9-03a3-493a-83be-9340a37778fa)\n- [Priority logs for SIEM ingestion: Practitioner guidance](#1dbda98a-4e8b-4a52-b4f7-9d1a895fd324)\n- [Windows event logging and 
forwarding](#de239dae-d1e8-4969-9680-ef3444d32a83).\n\nFurther information on SIEM and SOAR platforms can be found in the Australian Signals Directorate’s [Implementing SIEM and SOAR platforms: Executive guidance](#4bebe303-7a91-4ffa-90d8-8df9f80a6318) and [Implementing SIEM and SOAR platforms: Practitioner guidance](#4e01708d-9c2d-4a84-a08a-cb98077235a6) publications.\n\nFurther information on prioritising the collection and storage of event logs can be found in the United States’ Cybersecurity \\& Infrastructure Security Agency’s [Guidance for Implementing M-21-31: Improving the Federal Government's Investigative and Remediation Capabilities](#aeba0a2d-b48a-42f0-b047-622b9fea9a91) publication.\n\nFurther information on the National Archives of Australia’s requirements for event log retention can be found in their [AFDA Express Version 2 – Technology \\& Information Management](#cc1a55cb-34ab-4418-b660-53571b3af899) publication."
        } ],
        "groups" : [ {
          "title" : "Centralised event logging facility",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[17].group[1].group[2]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "A centralised event logging facility can be used to capture, protect and manage event logs from multiple sources in a coordinated manner. This may be achieved by using a Security Information and Event Management (SIEM) platform, a Security Orchestration, Automation and Response (SOAR) platform, or both. Furthermore, in support of a centralised event logging facility, it is important that an accurate and consistent time source is used to assist with identifying connections between events."
          } ],
          "controls" : [ {
            "id" : "ism-1815",
            "class" : "ISM-control",
            "title" : "Control: ism-1815",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[17].group[1].group[2].control[5]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "1"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1815_smt",
              "name" : "statement",
              "prose" : "Event logs are protected from unauthorised modification and deletion."
            } ]
          } ]
        }, {
          "title" : "Event log monitoring",
          "props" : [ {
            "name" : "sort-id",
            "value" : "catalog[1].group[17].group[1].group[4]"
          } ],
          "parts" : [ {
            "name" : "overview",
            "prose" : "Event log monitoring is critical to maintaining the security posture of systems. Notably, such activities involve analysing event logs in a timely manner to detect cyber security events, thereby leading to the identification of cyber security incidents."
          } ],
          "controls" : [ {
            "id" : "ism-1906",
            "class" : "ISM-control",
            "title" : "Control: ism-1906",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[17].group[1].group[4].control[2]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1906_smt",
              "name" : "statement",
              "prose" : "Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events."
            } ]
          }, {
            "id" : "ism-1907",
            "class" : "ISM-control",
            "title" : "Control: ism-1907",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[17].group[1].group[4].control[3]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "0"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1907_smt",
              "name" : "statement",
              "prose" : "Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events."
            } ]
          }, {
            "id" : "ism-0109",
            "class" : "ISM-control",
            "title" : "Control: ism-0109",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[17].group[1].group[4].control[4]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "9"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Dec-23"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-0109_smt",
              "name" : "statement",
              "prose" : "Event logs from workstations are analysed in a timely manner to detect cyber security events."
            } ]
          }, {
            "id" : "ism-1228",
            "class" : "ISM-control",
            "title" : "Control: ism-1228",
            "props" : [ {
              "name" : "sort-id",
              "value" : "catalog[1].group[17].group[1].group[4].control[8]"
            }, {
              "name" : "revision",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "3"
            }, {
              "name" : "updated",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "Mar-22"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "NC"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "OS"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "P"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "S"
            }, {
              "name" : "applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "TS"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML2"
            }, {
              "name" : "essential-eight-applicability",
              "ns" : "https://cyber.gov.au/ns/ism/oscal/3.0",
              "value" : "ML3"
            } ],
            "parts" : [ {
              "id" : "ism-1228_smt",
              "name" : "statement",
              "prose" : "Cyber security events are analysed in a timely manner to identify cyber security incidents."
            } ]
          } ]
        } ]
      } ]
    } ],
    "back-matter" : {
      "resources" : [ {
        "uuid" : "02fb4cb5-e4c4-4097-97a2-f1b6aa04131a",
        "title" : "Patching applications and operating systems",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/protecting-devices-systems/system-administration/patching-applications-and-operating-systems"
        } ]
      }, {
        "uuid" : "041bce05-55ad-4a2a-93e3-c582d39fce94",
        "title" : "Cyber security incident response planning: Practitioner guidance",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/detecting-responding-to-threats/cyber-security-incident-response/cyber-security-incident-response-planning-practitioner-guidance"
        } ]
      }, {
        "uuid" : "0508be6f-cb97-44da-b212-42416a0048b0",
        "title" : "random dice roller",
        "rlinks" : [ {
          "href" : "https://www.random.org/dice/?num=5"
        } ]
      }, {
        "uuid" : "065263a6-4634-4a52-bd3f-48b83bf437d8",
        "title" : "Managing the risks of legacy IT: Executive guidance",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/protecting-devices-systems/legacy-it-management/managing-the-risks-of-legacy-it-executive-guidance"
        } ]
      }, {
        "uuid" : "089badd3-ed47-4597-8b1f-bce3e42f4ac4",
        "title" : "Managing the risks of legacy IT: Practitioner guidance",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/protecting-devices-systems/legacy-it-management/managing-the-risks-of-legacy-it-practitioner-guidance"
        } ]
      }, {
        "uuid" : "0a1508c0-b062-4d85-8ded-a95316e17a3a",
        "title" : "command line process logging",
        "rlinks" : [ {
          "href" : "https://learn.microsoft.com/en-au/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing"
        } ]
      }, {
        "uuid" : "0bf3a1ef-031a-419b-80c3-08a08b1cee9d",
        "title" : "Microsoft Security Baselines Blog",
        "rlinks" : [ {
          "href" : "https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines"
        } ]
      }, {
        "uuid" : "131048c7-a2e7-4da3-9257-7a058b06c1f8",
        "title" : "Secure administration",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/protecting-devices-systems/system-administration/secure-administration"
        } ]
      }, {
        "uuid" : "18203e18-2aca-492e-be44-770b2f47242f",
        "title" : "AV-TEST",
        "rlinks" : [ {
          "href" : "https://www.av-test.org/en/"
        } ]
      }, {
        "uuid" : "188466f6-be12-49ce-b99a-981e54b1663e",
        "title" : "reporting cybercrime incidents",
        "rlinks" : [ {
          "href" : "https://reportapp.cyber.gov.au/"
        } ]
      }, {
        "uuid" : "1dbda98a-4e8b-4a52-b4f7-9d1a895fd324",
        "title" : "Priority logs for SIEM ingestion: Practitioner guidance",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/detecting-responding-to-threats/event-logging/implementing-siem-soar-platforms/priority-logs-for-siem-ingestion-practitioner-guidance"
        } ]
      }, {
        "uuid" : "1e4a57a2-2832-441d-8ea4-12a98d2be417",
        "title" : "Australian Privacy Principles guidelines",
        "rlinks" : [ {
          "href" : "https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines"
        } ]
      }, {
        "uuid" : "331263bc-3314-496b-9d35-76788eb0f403",
        "title" : "Detecting and mitigating Active Directory compromises",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/detecting-responding-to-threats/detecting-and-mitigating-active-directory-compromises"
        } ]
      }, {
        "uuid" : "348be728-4459-4447-990e-1dfb3049c71f",
        "title" : "data retention",
        "rlinks" : [ {
          "href" : "https://www.naa.gov.au/information-management/records-authorities/types-records-authorities/afda-express-version-2-functions"
        } ]
      }, {
        "uuid" : "3a1a00f6-2f56-4d04-b99d-6f1682b95a98",
        "title" : "detect or prevent various stages of network intrusions",
        "rlinks" : [ {
          "href" : "https://evals.mitre.org/"
        } ]
      }, {
        "uuid" : "3a7b903b-ed0d-450d-9123-60f6f8fd5dd2",
        "title" : "Guidelines for communications systems",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-communications-systems"
        } ]
      }, {
        "uuid" : "3ccea9a8-a728-4f5b-a0a8-43f2f206f76b",
        "title" : "Restricting administrative privileges",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/protecting-devices-systems/system-administration/restricting-administrative-privileges"
        } ]
      }, {
        "uuid" : "3e5a98e5-9219-46c8-81c2-e3a4d13407ce",
        "title" : "Active Directory Forest Recovery - Reset the krbtgt password",
        "rlinks" : [ {
          "href" : "https://learn.microsoft.com/en-au/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-reset-the-krbtgt-password"
        } ]
      }, {
        "uuid" : "3f349d16-11a1-459a-a299-c9446aea7597",
        "title" : "Guidelines for database systems",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-database-systems"
        } ]
      }, {
        "uuid" : "3f43c8d2-8a8c-4e2f-af80-48a607bce643",
        "title" : "Local Security Authority protection functionality",
        "rlinks" : [ {
          "href" : "https://learn.microsoft.com/en-au/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection"
        } ]
      }, {
        "uuid" : "403f72c6-3e85-4185-8df3-130b2a6b25b3",
        "title" : "Cyber security incident response planning: Executive guidance",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/detecting-responding-to-threats/cyber-security-incident-response/cyber-security-incident-response-planning-executive-guidance"
        } ]
      }, {
        "uuid" : "43fbcaf9-03a3-493a-83be-9340a37778fa",
        "title" : "Hardening Microsoft Windows 11 workstations",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/protecting-devices-systems/hardening-systems-applications/system-hardening/hardening-microsoft-windows-11-workstations"
        } ]
      }, {
        "uuid" : "4974639a-f41a-4280-ae06-33d1f13d6083",
        "title" : "Secure by Design Pledge",
        "rlinks" : [ {
          "href" : "https://www.cisa.gov/securebydesign/pledge"
        } ]
      }, {
        "uuid" : "4a3a265f-7772-433b-9906-7f784052f28b",
        "title" : "vulnerable driver blocklist",
        "rlinks" : [ {
          "href" : "https://learn.microsoft.com/en-au/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules"
        } ]
      }, {
        "uuid" : "4bebe303-7a91-4ffa-90d8-8df9f80a6318",
        "title" : "Implementing SIEM and SOAR platforms: Executive guidance",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/detecting-responding-to-threats/event-logging/implementing-siem-soar-platforms/implementing-siem-and-soar-platforms-executive-guidance"
        } ]
      }, {
        "uuid" : "4e01708d-9c2d-4a84-a08a-cb98077235a6",
        "title" : "Implementing SIEM and SOAR platforms: Practitioner guidance",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/detecting-responding-to-threats/event-logging/implementing-siem-soar-platforms/implementing-siem-and-soar-platforms-practitioner-guidance"
        } ]
      }, {
        "uuid" : "4eeff329-cea0-4baf-a80b-8b0b76436075",
        "title" : "Implementing application control",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/protecting-devices-systems/hardening-systems-applications/system-hardening/implementing-application-control"
        } ]
      }, {
        "uuid" : "506198a8-7ae8-4c95-8b7b-2a4833cfab4b",
        "title" : "Guidelines for software development",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-software-development"
        } ]
      }, {
        "uuid" : "53da8dba-961e-4222-94e0-68cb9510384d",
        "title" : "digital preservation planning",
        "rlinks" : [ {
          "href" : "https://www.naa.gov.au/information-management/information-management-legislation/digital-preservation-planning"
        } ]
      }, {
        "uuid" : "578d0434-6b3f-46f3-aad8-c7ac75c2ebcc",
        "title" : "Guidelines for cyber security documentation",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-cyber-security-documentation"
        } ]
      }, {
        "uuid" : "58282062-5c17-476a-98b1-105a627cd28d",
        "title" : "randomly generating passphrases",
        "rlinks" : [ {
          "href" : "https://www.eff.org/dice"
        } ]
      }, {
        "uuid" : "58c9abfb-58fe-416e-a279-dfbfe123c99f",
        "title" : "Hardening Microsoft 365, Office 2021, Office 2019 and Office 2016",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/protecting-devices-systems/hardening-systems-applications/system-hardening/hardening-microsoft-365-office-2021-office-2019-and-office-2016"
        } ]
      }, {
        "uuid" : "5a2ed3ef-afcc-485e-8014-5107e9ed97e3",
        "title" : "recommended application blocklist",
        "rlinks" : [ {
          "href" : "https://learn.microsoft.com/en-au/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol"
        } ]
      }, {
        "uuid" : "626d3582-3caf-49d6-89d5-4b8fdbbf1f31",
        "title" : "reporting cyber security incidents",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/report-and-recover/report/report-a-cyber-security-incident"
        } ]
      }, {
        "uuid" : "626dab35-81ab-45fe-8c12-0faff1c23c07",
        "title" : "Guidelines for cyber security roles",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-cyber-security-roles"
        } ]
      }, {
        "uuid" : "63bba9d2-127e-41d5-b735-e0cf3fe4b9aa",
        "title" : "Windows 11 Security Book",
        "rlinks" : [ {
          "href" : "https://learn.microsoft.com/en-au/windows/security/book/"
        } ]
      }, {
        "uuid" : "741ab440-5759-4571-894d-e499dea3a54c",
        "title" : "Chrome Browser Enterprise Security Configuration Guide (Windows)",
        "rlinks" : [ {
          "href" : "https://support.google.com/chrome/a/answer/9710898?hl=en"
        } ]
      }, {
        "uuid" : "7d16ae67-87a7-4861-b939-e13ec279b5a2",
        "title" : "Guidelines for personnel security",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-personnel-security"
        } ]
      }, {
        "uuid" : "7d22400c-ddef-4cbb-90f1-7502dc569e5b",
        "title" : "the use of PowerShell by blue teams",
        "rlinks" : [ {
          "href" : "https://devblogs.microsoft.com/powershell/powershell-the-blue-team/"
        } ]
      }, {
        "uuid" : "8132c47e-a2dc-4dd9-81d6-38db96e5cec6",
        "title" : "Hardening Linux workstations and servers",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/protecting-devices-systems/hardening-systems-applications/system-hardening/hardening-linux-workstations-and-servers"
        } ]
      }, {
        "uuid" : "82ae76a4-ed9e-4a7b-8bad-f1950c41eab7",
        "title" : "attack surface reduction rules overview",
        "rlinks" : [ {
          "href" : "https://learn.microsoft.com/en-au/defender-endpoint/attack-surface-reduction?view=o365-worldwide"
        } ]
      }, {
        "uuid" : "83e3a9b1-5057-4531-91dd-03c8d92634b0",
        "title" : "Implementing multi-factor authentication",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/protecting-devices-systems/hardening-systems-applications/system-hardening/implementing-multi-factor-authentication"
        } ]
      }, {
        "uuid" : "8d53ee7f-54c2-4380-8408-f7403db30ba1",
        "title" : "Credential Guard functionality",
        "rlinks" : [ {
          "href" : "https://learn.microsoft.com/en-au/windows/security/identity-protection/credential-guard/"
        } ]
      }, {
        "uuid" : "8ffea524-0974-4b53-a8f5-41166073ede5",
        "title" : "Securing PowerShell in the enterprise",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/protecting-devices-systems/system-administration/securing-powershell-in-the-enterprise"
        } ]
      }, {
        "uuid" : "91b92563-d991-40fa-9adc-548df9f6c496",
        "title" : "secure group Managed Service Accounts",
        "rlinks" : [ {
          "href" : "https://learn.microsoft.com/en-au/entra/architecture/service-accounts-group-managed"
        } ]
      }, {
        "uuid" : "9209d9cd-86c1-486f-890e-1edfa4545093",
        "title" : "Hardening Microsoft Windows 10 workstations",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/protecting-devices-systems/hardening-systems-applications/system-hardening/hardening-microsoft-windows-10-workstations"
        } ]
      }, {
        "uuid" : "92679127-f61d-486a-a93e-df2a26dfb07a",
        "title" : "Protective Security Policy Framework",
        "rlinks" : [ {
          "href" : "https://www.protectivesecurity.gov.au/"
        } ]
      }, {
        "uuid" : "92975dff-58e0-4813-842b-f27c0533ca56",
        "title" : "Remote Credential Guard functionality",
        "rlinks" : [ {
          "href" : "https://learn.microsoft.com/en-au/windows/security/identity-protection/remote-credential-guard/"
        } ]
      }, {
        "uuid" : "9ad09461-7b3d-4faf-bdcd-61df9952cf49",
        "title" : "Security Configuration Guide for Acrobat",
        "rlinks" : [ {
          "href" : "https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/index.html"
        } ]
      }, {
        "uuid" : "a699a3aa-828d-479b-b50b-98127bb19437",
        "title" : "Guidelines for evaluated products",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-evaluated-products"
        } ]
      }, {
        "uuid" : "ae426d0a-adb6-43b8-a463-faa33e83b679",
        "title" : "Active Directory accounts",
        "rlinks" : [ {
          "href" : "https://learn.microsoft.com/en-au/windows-server/identity/ad-ds/manage/understand-default-user-accounts"
        } ]
      }, {
        "uuid" : "aeba0a2d-b48a-42f0-b047-622b9fea9a91",
        "title" : "Guidance for Implementing M-21-31: Improving the Federal Government's Investigative and Remediation Capabilities",
        "rlinks" : [ {
          "href" : "https://www.cisa.gov/sites/default/files/2023-02/TLP%20CLEAR%20-%20Guidance%20for%20Implementing%20M-21-31_Improving%20the%20Federal%20Governments%20Investigative%20and%20Remediation%20Capabilities_.pdf"
        } ]
      }, {
        "uuid" : "af0810aa-3486-4ca6-a48a-fad8ce9ac193",
        "title" : "greater visibility through PowerShell logging",
        "rlinks" : [ {
          "href" : "https://cloud.google.com/blog/topics/threat-intelligence/greater-visibility/"
        } ]
      }, {
        "uuid" : "b594c9c0-b42f-4f06-b643-38023275a5c7",
        "title" : "Guidelines for media",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-media"
        } ]
      }, {
        "uuid" : "b95c4745-572a-4121-b4e1-d0baa90a84fc",
        "title" : "Best practices for event logging and threat detection",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/detecting-responding-to-threats/event-logging/best-practices-for-event-logging-and-threat-detection"
        } ]
      }, {
        "uuid" : "bac2c6f2-9356-46d2-b7c4-9af7393008df",
        "title" : "Australian Privacy Principles",
        "rlinks" : [ {
          "href" : "https://www.oaic.gov.au/privacy/australian-privacy-principles"
        } ]
      }, {
        "uuid" : "c2a2f934-c5d6-46a7-86db-7fec1565058e",
        "title" : "Insider Risk Guidance",
        "rlinks" : [ {
          "href" : "https://www.npsa.gov.uk/specialised-guidance/insider-risk-guidance"
        } ]
      }, {
        "uuid" : "c322926a-13b3-4efe-8573-06624418e8f5",
        "title" : "Insider Threat Mitigation Guide",
        "rlinks" : [ {
          "href" : "https://www.cisa.gov/resources-tools/resources/insider-threat-mitigation-guide"
        } ]
      }, {
        "uuid" : "c6ca6620-ccd5-4c5d-b97c-9d92f1162948",
        "title" : "Guidelines for system management",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-system-management"
        } ]
      }, {
        "uuid" : "c852e735-4920-4616-8e34-2fddfb49eea8",
        "title" : "AV-Comparatives",
        "rlinks" : [ {
          "href" : "https://www.av-comparatives.org/"
        } ]
      }, {
        "uuid" : "cad720b4-e47a-437d-b272-6958e738131d",
        "title" : "Common Sense Guide to Mitigating Insider Threats, Seventh Edition",
        "rlinks" : [ {
          "href" : "https://insights.sei.cmu.edu/library/common-sense-guide-to-mitigating-insider-threats-seventh-edition/"
        } ]
      }, {
        "uuid" : "cae0ac6b-e69b-4359-bfd7-5ee5eff1049d",
        "title" : "limited use obligation",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/report-and-recover/how-we-help-during-a-cyber-security-incident/limited-use"
        } ]
      }, {
        "uuid" : "cc1a55cb-34ab-4418-b660-53571b3af899",
        "title" : "AFDA Express Version 2 – Technology & Information Management",
        "rlinks" : [ {
          "href" : "https://www.naa.gov.au/information-management/records-authorities/types-records-authorities/afda-express-version-2-functions/afda-express-version-2-technology-information-management"
        } ]
      }, {
        "uuid" : "d0df96bb-7236-4784-8f54-2cb6335ad228",
        "title" : "exploit protection functionality",
        "rlinks" : [ {
          "href" : "https://learn.microsoft.com/en-au/defender-endpoint/exploit-protection?view=o365-worldwide"
        } ]
      }, {
        "uuid" : "d36ce452-ec21-4b05-89c1-f29a444a3dca",
        "title" : "End of support for Microsoft Windows and Microsoft Windows Server",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/protecting-devices-systems/legacy-it-management/end-of-support-for-microsoft-windows-and-microsoft-windows-server"
        } ]
      }, {
        "uuid" : "d446dea3-c36d-45af-9623-05b686624af0",
        "title" : "memory integrity functionality",
        "rlinks" : [ {
          "href" : "https://support.microsoft.com/en-au/windows/device-security-in-the-windows-security-app-afa11526-de57-b1c5-599f-3a4c6a61c5e2"
        } ]
      }, {
        "uuid" : "de239dae-d1e8-4969-9680-ef3444d32a83",
        "title" : "Windows event logging and forwarding",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/detecting-responding-to-threats/event-logging/windows-event-logging-and-forwarding"
        } ]
      }, {
        "uuid" : "de7525f3-a466-40a5-abdd-3ae24a6d1b44",
        "title" : "Guidelines for system hardening",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-system-hardening"
        } ]
      }, {
        "uuid" : "dfb52998-0e7e-420d-97e1-d1313c8f919a",
        "title" : "Restricting Microsoft Office macros",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/protecting-devices-systems/hardening-systems-applications/system-hardening/restricting-microsoft-office-macros"
        } ]
      }, {
        "uuid" : "e8bde527-526c-4a6a-b66f-05228f09dd7b",
        "title" : "Guidelines for gateways",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-gateways"
        } ]
      }, {
        "uuid" : "edc24216-f52b-4513-bcda-5fa564661999",
        "title" : "Guidelines for system monitoring",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-system-monitoring"
        } ]
      }, {
        "uuid" : "f145ff5b-d396-4248-8f48-621349d6f0ed",
        "title" : "Guidelines for networking",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-networking"
        } ]
      }, {
        "uuid" : "f37a4848-0791-4870-b316-5536c2681c28",
        "title" : "Guidelines for procurement and outsourcing",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-procurement-and-outsourcing"
        } ]
      }, {
        "uuid" : "f48c0d05-5173-4c8e-8748-e5591518c1fb",
        "title" : "Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile",
        "rlinks" : [ {
          "href" : "https://csrc.nist.gov/pubs/sp/800/61/r3/final"
        } ]
      }, {
        "uuid" : "f6813648-fe24-4d45-9e45-c97b4021506e",
        "title" : "Countering the insider threat: A security manager’s guide",
        "rlinks" : [ {
          "href" : "https://www.asio.gov.au/outreach"
        } ]
      }, {
        "uuid" : "f74ba095-a7f7-4b8c-9e60-5fe84f2a2d0b",
        "title" : "changing credentials for this service account",
        "rlinks" : [ {
          "href" : "https://www.microsoft.com/en-us/security/blog/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/"
        } ]
      }, {
        "uuid" : "fb60e251-ed4c-4781-96db-58a0225bca89",
        "title" : "Countering the Insider Threat: A guide for Australian Government",
        "rlinks" : [ {
          "href" : "https://www.ag.gov.au/integrity/publications/countering-insider-threat-guide-australian-government"
        } ]
      }, {
        "uuid" : "fe0138db-e83b-4a23-85d3-d84e1c22816f",
        "title" : "Guidelines for cyber security incidents",
        "rlinks" : [ {
          "href" : "https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-cyber-security-incidents"
        } ]
      } ]
    }
  }
}