
September 2019 ISM Changes

Using the Australian Government Information Security Manual

  • Change of title from ‘The Australian Government Information Security Manual’ to ‘Using the Australian Government Information Security Manual’ in order to reduce reader confusion.

Executive summary

  • Minor changes to ‘purpose’ content.
  • Minor changes to ‘authority’ content.
  • The ‘cyber security principles’ content was rewritten.
  • The ‘cyber security guidelines’ content was rewritten.

Applying a risk-based approach to cyber security

  • Change to ‘define the system’ content to more clearly separate the applicability of controls for organisations that don’t deal with government information (e.g. industry and academia).

Cyber Security Principles

  • Introduction of the new cyber security principles.

Guidelines for Security Documentation

System-specific security documentation

  • Minor change to ‘Incident Response Plan’ content.

Guidelines for Personnel Security

Cyber security awareness raising and training

  • Security control 0252 was modified to focus on the high-level elements of cyber security awareness raising and training.

Security Control: 0252; Revision: 4; Updated: Sep-19; Applicability: O, P, S, TS; Priority: Must
Ongoing cyber security awareness raising and training is provided to personnel and includes:

  • the purpose of the cyber security awareness raising and training program
  • security appointments and contacts within the organisation
  • the authorised use of systems and their resources
  • the protection of systems and their resources
  • reporting of cyber security incidents and suspected compromises of systems and their resources.

Access to systems and their resources

  • Minor change to ‘standard access to systems’ content.
  • Security controls 0405, 1503, 1507 and 1508 were modified to replace references to ‘information’ with ‘data repositories’ in order to align with language used by the Essential Eight mitigation strategies.

Security Control: 0405; Revision: 5; Updated: Sep-19; Applicability: O, P, S, TS; Priority: Must
Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis.

Security Control: 1503; Revision: 1; Updated: Sep-19; Applicability: O, P, S, TS; Priority: Must
Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties.

Security Control: 1507; Revision: 1; Updated: Sep-19; Applicability: O, P, S, TS; Priority: Must
Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis.

Security Control: 1508; Revision: 1; Updated: Sep-19; Applicability: O, P, S, TS; Priority: Must
Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties.

  • Security control 0448 was modified to adopt similar language to other security controls within this section.

Security Control: 0448; Revision: 6; Updated: Sep-19; Applicability: O, P, S, TS; Priority: Should
Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories.

  • Minor change to ‘suspension of access to systems’ content.
  • Security controls 0430 and 1404 were modified to replace references to ‘information’ with ‘data repositories’ in order to align with language used by the Essential Eight mitigation strategies.

Security Control: 0430; Revision: 7; Updated: Sep-19; Applicability: O, P, S, TS; Priority: Should
Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access.

Security Control: 1404; Revision: 2; Updated: Sep-19; Applicability: O, P, S, TS; Priority: Should
Access to systems, applications and data repositories is removed or suspended after one month of inactivity.

  • Changes to ‘temporary access to systems’ content.
  • Security control 0441 was modified to focus primarily on the use of security controls to restrict access to information.

Security Control: 0441; Revision: 6; Updated: Sep-19; Applicability: O, P, S, TS; Priority: Must
When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties.

Guidelines for Communications Systems

Telephone systems

  • Security control 0234 was removed due to its intent being already covered by security control 0233.

Guidelines for Enterprise Mobility

Mobile device management

  • Minor change to ‘privately-owned mobile devices’ content.
  • Minor change to ‘seeking legal advice for privately-owned mobile devices’ content.
  • Minor change to ‘organisation-owned mobile devices’ content.

Guidelines for Evaluated Products

Evaluated product acquisition

  • Changes to ‘evaluated products’ content to specifically note that the Evaluated Products List only lists products that have been evaluated through the ASD Cryptographic Evaluations (ACE) program or the High Assurance evaluations program while the Certified Products List contains products that have been certified in accordance with the Common Criteria.
  • The ‘protection profiles’ content was rewritten.
  • Minor changes to ‘evaluation documentation’ content.
  • Minor changes to ‘evaluated product selection’ content.
  • Security control 0280 was updated to refer to ‘PP-based evaluations’.

Security Control: 0280; Revision: 7; Updated: Sep-19; Applicability: O, P, S, TS; Priority: Should
If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation.

  • Changes to ‘further information’ content to include references to additional information on the ACE program and the High Assurance evaluation program.

Evaluated product usage

  • Minor change to ‘unevaluated configuration’ content.

Guidelines for Media Management

Media sanitisation

  • Minor change to ‘encrypted media’ content.

Guidelines for System Hardening

Authentication hardening

  • Security control 0423 was modified to clearly state its applicability to scenarios where passphrases are used as the sole method of authentication. Furthermore, the requirement to prevent passphrases from being stored in cleartext was removed from security control 0423 due to the overlap with security control 1402.

Security Control: 0423; Revision: 4; Updated: Sep-19; Applicability: O, P, S, TS; Priority: Must
Management practices for passphrases used as the sole method of authentication:

  • ensure that passphrases are changed at least every 90 days
  • prevent passphrases from being changed more than once a day
  • prevent passphrases from being reused within eight passphrase changes
  • prevent the use of sequential passphrases where possible.
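The four management practices in control 0423 translate directly into checks an identity system can run at passphrase-change time and during periodic review. The following is an added illustration, not part of the ISM or any ACSC tooling: the 90-day, once-a-day and eight-change parameters come from the control text, while the "sequential" heuristic (same text with a trailing number incremented), the sample history and the function names are assumptions.

```python
import hashlib
from datetime import date, timedelta

# Parameters taken from the text of security control 0423 (Revision 4, Sep-19).
MAX_AGE_DAYS = 90    # changed at least every 90 days
MIN_AGE_DAYS = 1     # not changed more than once a day
HISTORY_DEPTH = 8    # not reused within eight passphrase changes


def digest(passphrase: str) -> str:
    # Only digests are retained in history so cleartext is never stored
    # (cleartext storage is addressed separately by control 1402).
    return hashlib.sha256(passphrase.encode()).hexdigest()


def is_sequential(old: str, new: str) -> bool:
    # Assumed heuristic: identical text except a trailing number incremented,
    # e.g. 'Winter!1' -> 'Winter!2'. The control leaves the definition open.
    old_base, new_base = old.rstrip("0123456789"), new.rstrip("0123456789")
    old_num, new_num = old[len(old_base):], new[len(new_base):]
    if old_base != new_base or not old_num or not new_num:
        return False
    return int(new_num) == int(old_num) + 1


def is_expired(history, on_date: date) -> bool:
    # history: chronological list of (change_date, digest); empty means never set.
    if not history:
        return True
    return on_date - history[-1][0] > timedelta(days=MAX_AGE_DAYS)


def evaluate_change(history, current: str, new: str, on_date: date) -> set:
    # Return the set of 0423 practices the proposed change would breach.
    violations = set()
    if history and on_date - history[-1][0] < timedelta(days=MIN_AGE_DAYS):
        violations.add("changed more than once a day")
    # The last eight retained digests include the current passphrase.
    if digest(new) in {d for _, d in history[-HISTORY_DEPTH:]}:
        violations.add("reused within eight changes")
    if is_sequential(current, new):
        violations.add("sequential passphrase")
    return violations


# Constructed sample history for one account (dates are illustrative).
SAMPLE_HISTORY = [
    (date(2019, 6, 1), digest("correct horse battery 1")),
    (date(2019, 9, 1), digest("correct horse battery 2")),
]
```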

Guidelines for System Management

System patching

  • Minor change to ‘when to patch security vulnerabilities’ content.

Guidelines for System Monitoring

Vulnerability management

  • Minor change to ‘conducting vulnerability assessments and penetration tests’ content.

Guidelines for Using Cryptography

Cryptographic fundamentals

  • Minor change to ‘additional cryptographic requirements’ content.

Cyber Security Terminology

Glossary of abbreviations

  • Addition of ‘ISM’ and ‘PP’ entries.

Glossary of cyber security terms

  • Addition of ‘Certification Report’ entry.
  • Updates to ‘access control’, ‘classification’, ‘consumer guide’, ‘cyber security’, ‘cyber security event’, ‘cyber security incident’, ‘cyber threat’, ‘penetration test’, ‘protection profile’ and ‘security target’ definitions.

System Security Plan Annex

  • Incorrect section heading of ‘cryptographic key management’ was changed to ‘cryptographic system management’.

List of Security Controls

  • Incorrect topic headings of ‘cryptographic key management’ were changed to ‘cryptographic system management’.

Date

September 4th, 2019