
System Security Plan Annex

Guidelines for Cyber Security Roles

Identifier Revision Updated Applicability Security Control Description
(Applicability columns, here and in the tables below: O = OFFICIAL, P = PROTECTED, S = SECRET, TS = TOP SECRET; a '-' in a column means the control does not apply at that classification.)
Chief Information Security Officer
0714 4 Sep-18 O P S TS A CISO is appointed to provide cyber security leadership for their organisation.
1478 0 Sep-18 O P S TS The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation.
System owners
1071 1 Sep-18 O P S TS Each system has a designated system owner.
1525 0 Sep-18 O P S TS System owners register each system with the system’s authorising officer.
0027 3 Sep-18 O P S TS System owners obtain authorisation to operate each system from the system’s authorising officer.
1526 0 Sep-18 O P S TS System owners monitor security risks and the effectiveness of security controls for each system.

Guidelines for Cyber Security Incidents

Identifier Revision Updated Applicability Security Control Description
Detecting cyber security incidents
0576 7 Aug-19 O P S TS An intrusion detection and prevention policy is developed and implemented.
0120 4 Sep-18 O P S TS Cyber security personnel have access to sufficient data sources and tools to ensure that any security alerts generated by systems are investigated, and that systems and data sources can be searched for key indicators of compromise, including but not limited to IP addresses, domains and file hashes.
Managing cyber security incidents
0125 4 Aug-19 O P S TS A cyber security incident register is maintained with the following information:
  • the date the cyber security incident occurred
  • the date the cyber security incident was discovered
  • a description of the cyber security incident
  • any actions taken in response to the cyber security incident
  • to whom the cyber security incident was reported.
0133 1 Sep-18 O P S TS When a data spill occurs, information owners are advised and access to the information is restricted.
0917 7 Oct-19 O P S TS When malicious code is detected, the following steps are taken to handle the infection:
  • the infected systems are isolated
  • all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary
  • antivirus software is used to remove the infection from infected systems and media
  • if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt.
0137 2 Sep-18 O P S TS Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence.
1213 1 Sep-18 O P S TS Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion.
0138 3 Sep-18 O P S TS The integrity of evidence gathered during an investigation is maintained by investigators recording all of their actions and ensuring raw audit trails are copied onto media for archiving.
Reporting cyber security incidents
0123 3 Sep-18 O P S TS Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered.
0141 3 Sep-18 O P S TS When organisations use outsourced information technology or cloud services, their service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered.
0140 6 May-19 O P S TS Cyber security incidents are reported to the ACSC.
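Control 0120 above requires that systems and data sources can be searched for indicators of compromise such as IP addresses, domains and file hashes. The following is an added example, not part of the ISM or this annex, of a minimal IoC sweep over log lines. The IoC values, the sample log lines and the function names are all constructed for the example; the sweep normalises case and trailing dots, matches parent domains, and uses word boundaries so that a longer IP address is not reported as a hit on a shorter one.

```python
import re
from dataclasses import dataclass

# Hypothetical IoC set, constructed for this example (not from any advisory).
# Hashes are stored lower-case so matching is case-insensitive.
IOCS = {
    "ip": {"198.51.100.23", "203.0.113.7"},
    "domain": {"update-check.example", "cdn.example.net"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

# Extractors. The \b anchors stop 198.51.100.230 matching the IoC 198.51.100.23.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int   # 1-based index into the searched data source
    kind: str      # "ip", "domain" or "sha256"
    value: str     # the IoC that matched, in normalised form
    line: str      # the raw log line, kept for the incident register


def domain_candidates(name: str) -> list:
    """Return the name and each parent domain (excluding the bare TLD),
    lower-cased and without a trailing dot, so that a query for
    evil.update-check.example also matches the IoC update-check.example."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def search_iocs(lines, iocs=IOCS) -> list:
    """Sweep an iterable of log lines for the IoCs and return every hit."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append(Hit(line_no, "ip", ip, line))
        for name in DOMAIN_RE.findall(line):
            for candidate in domain_candidates(name):
                if candidate in iocs["domain"]:
                    hits.append(Hit(line_no, "domain", candidate, line))
                    break
        for digest in SHA256_RE.findall(line):
            if digest.lower() in iocs["sha256"]:
                hits.append(Hit(line_no, "sha256", digest.lower(), line))
    return hits


# Constructed sample lines standing in for proxy, DNS, EDR and firewall logs.
SAMPLE_LOGS = [
    "2019-10-03T01:12:44Z proxy allow src=10.0.0.12 dst=203.0.113.7 host=UPDATE-CHECK.example. url=/a.php",
    "2019-10-03T01:13:01Z dns query name=mail.corp.internal. type=A",
    "2019-10-03T01:15:09Z edr file=C:\\Users\\x\\svc.exe sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "2019-10-03T01:16:30Z fw deny src=198.51.100.230 dst=10.0.0.5",
]

if __name__ == "__main__":
    for hit in search_iocs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
```

Run against the constructed sample, the sweep reports the proxy line twice (destination IP and host name) and the EDR line once (hash), and correctly ignores the firewall line whose source address merely begins with an IoC. In practice the IoC set would be loaded from a feed and the lines streamed from the SIEM or log store, but the normalisation and boundary handling are the parts that commonly go wrong.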

Guidelines for Outsourcing

Identifier Revision Updated Applicability Security Control Description
Information technology and cloud services
0100 8 Sep-18 O P - - Commercial and government gateway and cloud services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program assessors at least every two years.
1395 2 Sep-18 O P - - If using outsourced cloud services, only those listed on the ACSC’s Certified Cloud Services List are used.
1529 0 Sep-18 - - S TS If using outsourced cloud services for highly classified information, public clouds are not used.
1396 1 Sep-18 O P S TS If using an outsourced cloud service not listed on the ACSC’s Certified Cloud Services List, or for highly classified information, the ACSC is notified in writing at the earliest opportunity, and certainly before entering into or renewing a contract.
0873 5 Sep-18 O P S TS If using an outsourced information technology service, or cloud service not listed on the ACSC’s Certified Cloud Services List, a service provider whose systems are located in Australia is used.
0072 5 Sep-18 O P S TS Any security controls associated with the protection of information entrusted to a service provider are documented in contract provisions, a memorandum of understanding or an equivalent formal agreement between parties.
1073 3 Sep-18 O P S TS An organisation’s systems and information are not accessed or administered by a service provider from outside Australian borders unless a contractual arrangement exists between the organisation and the service provider to do so.
1451 1 Sep-18 O P S TS When entering into a contractual arrangement for outsourced information technology or cloud services, contractual ownership over an organisation’s data is explicitly retained.
1452 1 Sep-18 O P S TS A review of suppliers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile.

Guidelines for Security Documentation

Identifier Revision Updated Applicability Security Control Description
Development and maintenance of security documentation
0039 4 May-19 O P S TS A cyber security strategy is developed and implemented for the organisation.
0047 4 May-19 O P S TS Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer.
0888 5 May-19 O P S TS Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement.
System-specific security documentation
0041 3 Aug-19 O P S TS Systems have an SSP that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system.
0043 3 Sep-18 O P S TS Systems have an IRP that covers the following:
  • guidelines on what constitutes a cyber security incident
  • the types of incidents likely to be encountered and the expected response to each type
  • how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)
  • other parties which need to be informed in the event of a cyber security incident
  • the authority, or authorities, responsible for investigating and responding to cyber security incidents
  • the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority
  • the steps necessary to ensure the integrity of evidence relating to a cyber security incident
  • system contingency measures or a reference to such details if they are located in a separate document.

Guidelines for Physical Security

Identifier Revision Updated Applicability Security Control Description
Facilities and systems
0810 4 Sep-18 O P S TS Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system.
1053 2 Sep-18 O P S TS Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification.
1530 0 Sep-18 O P S TS Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in.
0813 3 Sep-18 O P S TS Server rooms, communications rooms and security containers are not left in unsecured states.
1074 2 Sep-18 O P S TS Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled.
0157 5 Sep-18 O P S TS Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces.
1296 2 Sep-18 O P S TS Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access.
0164 2 Sep-18 O P S TS Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards.
ICT equipment and media
0336 4 Aug-19 O P S TS An ICT equipment and media register is maintained and regularly audited.
0159 4 Sep-18 O P S TS All ICT equipment and media are accounted for on a regular basis.
0161 5 Mar-19 O P S TS ICT equipment and media are secured when not in use.
Wireless devices and Radio Frequency transmitters
1543 1 Aug-19 - - S TS A register of authorised RF devices for SECRET and TOP SECRET areas is maintained and regularly audited.
0225 2 Sep-18 - - S TS Unauthorised RF devices are not brought into SECRET and TOP SECRET areas.
0829 4 Mar-19 - - S TS Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas.
1058 2 Oct-19 O P S TS Bluetooth and wireless keyboards are not used unless in an RF screened building.
0222 2 Sep-18 O P - - When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space.
0223 4 Sep-18 - - S - When using infrared keyboards, the following activities are prevented:
  • line of sight and reflected communications travelling into unsecured spaces
  • multiple infrared keyboards for different systems being used in the same area
  • other infrared devices being used in the same area
  • infrared keyboards operating in areas with unprotected windows.
0224 4 Sep-18 - - - TS When using infrared keyboards, the following activities are prevented:
  • line of sight and reflected communications travelling into unsecured spaces
  • multiple infrared keyboards for different systems being used in the same area
  • other infrared devices being used in the same area
  • infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them.
0221 2 Sep-18 - - - TS Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building.

Guidelines for Personnel Security

Identifier Revision Updated Applicability Security Control Description
Cyber security awareness raising and training
0252 4 Sep-19 O P S TS Ongoing cyber security awareness raising and training is provided to personnel and includes:
  • the purpose of the cyber security awareness raising and training program
  • security appointments and contacts within the organisation
  • the authorised use of systems and their resources
  • the protection of systems and their resources
  • reporting of cyber security incidents and suspected compromises of systems and their resources.
0817 3 Sep-18 O P S TS Personnel are advised what suspicious contact is and how to report it, especially when using online services.
0820 4 Sep-18 O P S TS Personnel are advised to not post work information to non-approved online services and to report cases where such information is posted.
1146 2 Sep-18 O P S TS Personnel are advised to maintain separate work and personal accounts for online services.
0821 3 Oct-19 O P S TS Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information.
0824 2 Sep-18 O P S TS Personnel are advised not to send or receive files via unauthorised online services.
Access to systems and their resources
0432 5 Aug-19 O P S TS Each system’s System Security Plan specifies any authorisations, security clearances and briefings necessary for access to the system and its resources.
0434 6 Aug-19 O P S TS Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources.
0435 3 Aug-19 O P S TS Personnel receive any necessary briefings before being granted access to a system and its resources.
0414 4 Aug-19 O P S TS Personnel granted access to a system and its resources are uniquely identifiable.
0975 7 Aug-19 O P S TS Personnel who are foreign nationals are identified as such, including by their specific nationality.
0420 8 Aug-19 - - S TS Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality.
1538 1 Aug-19 - P S TS Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality.
0415 3 Aug-19 O P S TS The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable.
0405 5 Sep-19 O P S TS Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis.
1503 1 Sep-19 O P S TS Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties.
0409 5 Aug-19 - - S TS Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them.
0411 5 Aug-19 - - S TS Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them.
0816 5 Aug-19 - P S TS Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them.
1507 1 Sep-19 O P S TS Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis.
1508 1 Sep-19 O P S TS Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties.
0445 6 Sep-18 O P S TS Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access.
1509 0 Sep-18 O P S TS The use of privileged accounts, and any activities undertaken with them, are monitored and audited.
1175 3 Sep-18 O P S TS Technical security controls are used to prevent privileged users from reading emails, browsing the Web and obtaining files via online services.
0448 6 Sep-19 O P S TS Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories.
0446 3 Aug-19 - - S TS Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information.
0447 3 Aug-19 - - S TS Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information.
1545 0 Aug-19 - P S TS Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information.
0430 7 Sep-19 O P S TS Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access.
1404 2 Sep-19 O P S TS Access to systems, applications and data repositories is removed or suspended after one month of inactivity.
0407 4 Sep-18 O P S TS A secure record is maintained for the life of each system covering:
  • all personnel authorised to access the system, and their user identification
  • who provided authorisation for access
  • when access was granted
  • the level of access that was granted
  • when access, and the level of access, was last reviewed
  • when the level of access was changed, and to what extent (if applicable)
  • when access was withdrawn (if applicable).
0441 6 Sep-19 O P S TS When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties.
0443 3 Sep-18 - - S TS Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information.
0078 4 Sep-18 - - S TS Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government.
0854 4 Sep-18 - - S TS Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented.

Guidelines for Communications Infrastructure

Identifier Revision Updated Applicability Security Control Description
Cable management
0181 2 Sep-18 O P S TS Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority (ACMA).
0926 7 Oct-19 O P S TS The cable colours in the following table are used (see source document for referenced table).
0825 2 Oct-19 O P S TS Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems.
0826 2 Oct-19 O P S TS Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner.
1215 1 Sep-18 O P S - In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points.
1216 1 Sep-18 O P S TS In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points.
1112 2 Sep-18 O P S TS In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals.
1118 1 Sep-18 O P S - In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals.
1119 1 Sep-18 O P S TS In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length.
1126 1 Sep-18 O P S - In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals.
0184 2 Sep-18 O P S TS In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length.
0187 5 Sep-18 O P S TS The approved group combinations for cables in the following table are used (see source document for referenced table).
1111 2 Oct-19 O P S TS Fibre-optic cables are used for network infrastructure instead of copper cables.
0189 2 Sep-18 O P S TS With fibre-optic cables, the fibres in the sheath only carry a single group.
0190 2 Sep-18 O P S TS If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group.
1114 2 Oct-19 O P S TS Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups.
1130 3 Oct-19 O P S TS In shared non-government facilities, cables are run in an enclosed cable reticulation system.
1164 2 Oct-19 O P S TS In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic.
0195 4 Dec-19 - - - TS In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems.
0194 2 Sep-18 - - - TS In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts.
1102 1 Sep-18 O P S - In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet.
1101 1 Sep-18 O P S TS In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet.
1103 1 Sep-18 O P S TS In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet.
1098 2 Oct-19 O P S - Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications.
1100 1 Sep-18 - - - TS TOP SECRET cables are terminated in an individual TOP SECRET cabinet.
1116 3 Oct-19 O P S TS There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications.
1115 4 Dec-19 O P S TS Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit.
1133 1 Sep-18 - - - TS In shared non-government facilities, cables are not run in a party wall.
1122 1 Sep-18 - - - TS In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound.
1134 1 Sep-18 - - - TS In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound.
1104 2 Dec-19 O P S - Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group.
1105 2 Dec-19 O P S TS TOP SECRET cables do not share a wall outlet box with cables of a lower classification.
1106 1 Sep-18 O P S TS The connectors for TOP SECRET systems are different from those of systems of lower classifications.
1107 3 Dec-19 O P S TS The wall outlet box colours in the following table are used (see source document for referenced table).
1109 3 Dec-19 O P S TS Wall outlet box covers are clear plastic.
0198 2 Sep-18 - - - TS When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with.
1123 2 Sep-18 - - - TS In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment.
1135 1 Sep-18 - - - TS In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment.
Cable labelling and registration
0201 2 Sep-18 - - - TS Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’.
0202 2 Sep-18 - - - TS Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background.
0203 2 Sep-18 - - - TS Conduit labels in areas that are not clearly observable have red text on a white background.
0204 2 Sep-18 O P S TS Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables.
1095 3 Dec-19 O P S TS Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier.
1096 2 Oct-19 O P S TS Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable.
0206 5 Aug-19 O P S TS A cable labelling process, and supporting cable labelling procedures, is developed and implemented.
0208 3 Dec-19 O P S TS A cable register is maintained with the following information:
  • cable identifier
  • classification
  • source
  • destination
  • site/floor plan diagram
  • seal numbers (if applicable).
0211 3 Sep-18 O P S TS Cables are inspected for inconsistencies with the cable register in accordance with the frequency defined in a system’s System Security Plan.
Cable patching
0213 2 Sep-18 O P S TS Only approved cable groups terminate on a patch panel.
1093 2 Sep-18 O P S - In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems, unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification.
0214 3 Sep-18 O P S TS In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems.
1094 2 Oct-19 O P S TS In areas containing cables for systems of different classifications, the selection of connector types is documented.
0216 2 Sep-18 O P S TS TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets.
0217 4 Sep-18 O P S TS Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:
  • a physical barrier in the cabinet is provided to separate patch panels
  • only personnel holding a Positive Vetting security clearance have access to the cabinet
  • approval from the TOP SECRET system’s authorising officer is obtained prior to installation.
0218 4 Dec-19 - - - TS If fibre-optic fly leads exceeding five metres in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier.
Emanation security
0247 3 Sep-18 - - S TS System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment.
0248 5 Sep-18 O P S - System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment.
1137 2 Sep-18 - - - TS System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment.
0932 5 Sep-18 O P - - System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice.
0249 3 Sep-18 - - S TS System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment.
0246 3 Sep-18 O P S TS An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications.
0250 3 Sep-18 O P S TS ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility.

Guidelines for Communications Systems

Identifier Revision Updated Applicability Security Control Description
Telephone systems
1078 2 Aug-19 O P S TS A telephone systems usage policy is developed and implemented.
0229 3 Sep-18 O P S TS Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems.
0230 3 Sep-18 O P S TS Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur.
0231 1 Sep-18 O P S TS When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made.
0232 3 Sep-18 O P S TS Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems.
0233 3 Sep-18 O P S TS Cordless telephone systems are not used for sensitive or classified conversations.
0235 3 Sep-18 O P S TS Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room.
0236 4 Sep-18 O P - - In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information.
0931 4 Sep-18 O P S - In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information.
0237 3 Sep-18 O P S TS In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information.
Video conferencing and Internet Protocol telephony
1562 0 Dec-19 O P S TS Video conferencing and IP telephony infrastructure is hardened.
0546 6 Sep-18 O P S TS Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used.
0547 3 Sep-18 O P S TS Video conferencing and IP telephony signalling and data is encrypted.
0548 3 Sep-18 O P S TS Video conferencing and IP telephony functions are established using secure signalling and data protocols.
0554 1 Sep-18 O P S TS An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation.
0553 3 Sep-18 O P S TS Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings.
0555 3 Dec-19 O P S TS Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail.
0551 6 Oct-19 O P S TS IP telephony is configured such that:
  • IP phones authenticate themselves to the call controller upon registration
  • auto-registration is disabled and only a whitelist of authorised devices is allowed to access the network
  • unauthorised devices are blocked by default
  • all unused and prohibited functionality is disabled.
1014 5 Sep-18 - - S TS Individual logins are used for IP phones.
0549 4 Oct-19 O P S TS Video conferencing and IP telephony traffic is separated physically or logically from other data traffic.
0556 5 Oct-19 O P S TS Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic.
1015 6 Dec-19 O P S TS Traditional analog phones are used in public areas.
0558 5 Dec-19 O P S TS If IP phones are used in public areas, their ability to access data networks, voicemail and directory services is prevented.
0559 4 Sep-18 O P S - Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas.
1450 1 Sep-18 O P S TS Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas.
1019 7 Sep-18 O P S TS A denial of service response plan is developed and implemented that includes:
  • how to identify signs of a denial of service
  • how to identify the source of a denial of service
  • how capabilities can be maintained during a denial of service
  • what actions can be taken to clear a denial of service.
Fax machines and multifunction devices
0588 3 Aug-19 O P S TS A fax machine and MFD usage policy is developed and implemented.
1092 2 Sep-18 O P S TS Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages.
0241 3 Sep-18 O P S TS When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN.
1075 1 Sep-18 O P S TS The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time.
0590 5 Dec-19 O P S TS Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network.
0245 5 Dec-19 O P S TS A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected.
0589 5 Dec-19 O P S TS MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network.
1036 3 Sep-18 O P S TS Fax machines and MFDs are located in areas where their use can be observed.

Guidelines for Enterprise Mobility

Identifier Revision Updated Applicability Security Control Description
Mobile device management
1533 2 Aug-19 O P S TS A mobile device management policy is developed and implemented.
1195 1 Sep-18 O P S TS A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices.
0687 5 Sep-18 - - - TS Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so.
1400 3 Oct-19 O P - - Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information.
0694 4 Sep-18 - - S TS Privately-owned mobile devices do not access highly classified systems.
1297 1 Sep-18 O P S TS Prior to allowing privately-owned mobile devices to connect to an organisation’s systems, legal advice is sought.
1482 2 Oct-19 O P S TS Personnel accessing official or classified information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance.
0869 3 Sep-18 O P S TS All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm.
1085 2 Sep-18 O P S TS Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure.
1202 1 Sep-18 O P - - The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices.
0682 4 Sep-18 - - S TS Bluetooth functionality is not enabled on highly classified mobile devices.
1196 1 Sep-18 O P - - Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing.
1200 3 Sep-18 O P - - Bluetooth pairing is performed using Bluetooth version 2.1 or later.
1198 1 Sep-18 O P - - Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices.
1199 1 Sep-18 O P - - Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use.
0863 3 Sep-18 O P S TS Mobile devices prevent personnel from installing or uninstalling applications once provisioned.
0864 3 Apr-19 O P S TS Mobile devices prevent personnel from disabling or modifying security functions once provisioned.
1365 1 Sep-18 O P S TS Mobile carriers that are able to provide timely security updates for mobile devices are used.
1366 1 Sep-18 O P S TS Mobile devices are able to accept security updates from mobile carriers as soon as they become available.
0874 4 Sep-18 O P - - Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the Internet.
0705 3 Sep-18 O P S TS When accessing an organisation system via a VPN connection, split tunnelling is disabled.
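Control 0705 is easy to mis-check: a VPN client can force all traffic through the tunnel without ever installing a literal 0.0.0.0/0 route (OpenVPN's redirect-gateway, for instance, pushes 0.0.0.0/1 and 128.0.0.0/1), and an IPv4-only full tunnel still leaks IPv6. The following is an added example, not part of the ISM, showing how to audit a client's installed VPN routes for split tunnelling by testing whether their union covers the whole address space. The route lists are constructed; the WireGuard/OpenVPN labels only describe the style of route each list imitates.

```python
"""Audit a VPN client's pushed routes for split tunnelling (ISM control 0705).

Added example, not ISM text. Input is the list of CIDR routes the VPN installs;
the tunnel is 'full' only if those routes, merged, cover all of IPv4 and IPv6.
"""
import ipaddress

ALL_V4 = ipaddress.ip_network("0.0.0.0/0")
ALL_V6 = ipaddress.ip_network("::/0")


def routes_cover(routes, whole):
    """True if the union of `routes` (CIDR strings) covers the network `whole`."""
    nets = [ipaddress.ip_network(r, strict=False) for r in routes]
    same_family = [n for n in nets if n.version == whole.version]
    if not same_family:
        return False
    # collapse_addresses merges overlapping and adjacent networks, so full
    # coverage leaves exactly one network equal to the whole address space.
    collapsed = list(ipaddress.collapse_addresses(same_family))
    return len(collapsed) == 1 and collapsed[0] == whole


def split_tunnelling_disabled(routes, require_ipv6=True):
    """True only when both address families are fully tunnelled.

    If the endpoint has IPv6 enabled but the VPN captures only IPv4, IPv6
    traffic bypasses the tunnel; that counts as split tunnelling unless the
    caller has disabled IPv6 on the endpoint (require_ipv6=False).
    """
    v4_ok = routes_cover(routes, ALL_V4)
    v6_ok = routes_cover(routes, ALL_V6) if require_ipv6 else True
    return v4_ok and v6_ok


def audit(routes, require_ipv6=True):
    """One-line finding suitable for a compliance report."""
    if split_tunnelling_disabled(routes, require_ipv6):
        return "compliant: full tunnel"
    return "non-compliant: split tunnelling, traffic can bypass the tunnel"


if __name__ == "__main__":
    # Constructed route lists imitating common client behaviours.
    samples = {
        "wireguard-style": ["0.0.0.0/0", "::/0"],
        "openvpn-style":   ["0.0.0.0/1", "128.0.0.0/1", "::/1", "8000::/1"],
        "corp-only":       ["10.0.0.0/8", "192.168.50.0/24"],
        "ipv4-only":       ["0.0.0.0/0"],
    }
    for name, routes in samples.items():
        print(f"{name:16} {audit(routes)}")
```

Feed it the routes actually installed on the endpoint (for example, parsed from the client's route table after the VPN comes up) rather than the configuration file: the installed routes are what the traffic follows.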
Mobile device usage
1082 2 Aug-19 O P S TS A mobile device usage policy is developed and implemented.
1083 2 Sep-18 O P S TS Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices.
0240 5 Sep-18 O P S TS Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information.
0866 4 Apr-19 O P S TS Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed.
1145 3 Sep-18 - - S TS Privacy filters are applied to the screens of highly classified mobile devices.
0871 3 Apr-19 O P S TS Mobile devices are kept under continual direct supervision when being actively used.
0870 3 Apr-19 O P S TS Mobile devices are carried or stored in a secured state when not being actively used.
1084 2 Sep-18 O P S TS If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag.
0701 4 Aug-19 O P S TS A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented.
0702 4 Aug-19 - - S TS If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process.
1298 2 Oct-19 O P S TS Personnel are advised of privacy and security risks when travelling overseas with mobile devices.
1554 0 Oct-19 O P S TS If travelling overseas with mobile devices to high/extreme risk countries, personnel are:
  • issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities
  • advised on how to apply and inspect tamper seals to key areas of devices
  • advised to avoid taking any personal devices, especially if rooted or jailbroken.
1555 0 Oct-19 O P S TS Before travelling overseas with mobile devices, personnel take the following actions:
  • record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers
  • update all applications and operating systems
  • remove all non-essential accounts, applications and data
  • apply security configuration settings, such as lock screens
  • configure remote locate and wipe functionality
  • enable encryption, including for any media used
  • backup all important data and configuration settings.
1299 2 Oct-19 O P S TS Personnel take the following precautions when travelling overseas with mobile devices:
  • never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes
  • never storing credentials with devices that they grant access to, such as in laptop bags
  • never lending devices to untrusted people, even if briefly
  • never allowing untrusted people to connect other devices or media to their devices, including for charging
  • never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people
  • avoiding connecting devices to open or untrusted Wi-Fi networks
  • using an approved Virtual Private Network to encrypt all device communications
  • using encrypted mobile applications for communications instead of using foreign telecommunication networks
  • disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication
  • avoiding reuse of media once used with other parties’ devices or systems
  • ensuring any media used for data transfers are thoroughly checked for malicious code beforehand
  • never using any gifted devices, especially media, when travelling or upon returning from travelling.
1088 4 Oct-19 O P S TS Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:
  • provide credentials, decrypt devices or have devices taken out of sight by foreign government officials
  • have devices or media stolen that are later returned
  • lose devices or media that are later found
  • observe unusual behaviour of devices.
1300 4 Oct-19 O P S TS Upon returning from travelling overseas with mobile devices, personnel take the following actions:
  • sanitise and reset devices, including all media used with them
  • decommission any physical credentials that left their possession during their travel
  • report if significant doubt exists as to the integrity of any devices following their travel.
1556 0 Oct-19 O P S TS If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:
  • reset user credentials used with devices, including those used for remote access to their organisation’s systems
  • monitor accounts for any indicators of compromise, such as failed login attempts.

Guidelines for Evaluated Products

Identifier Revision Updated Applicability Security Control Description
Evaluated product acquisition
0280 7 Sep-19 O P S TS If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation.
0285 1 Sep-18 O P S TS Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation.
0286 5 Sep-18 O P S TS When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures.
Evaluated product usage
0289 2 Sep-18 O P S TS Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation.
0290 5 Sep-18 O P S TS High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC.
0292 5 Sep-18 O P S TS High assurance ICT equipment is only operated in an evaluated configuration.

Guidelines for ICT Equipment Management

Identifier Revision Updated Applicability Security Control Description
ICT equipment usage
1551 0 Aug-19 O P S TS An ICT equipment management policy is developed and implemented.
0293 4 Sep-18 O P S TS ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating.
0294 4 Sep-18 O P S TS ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification.
0296 4 Sep-18 O P S TS The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment.
ICT equipment maintenance and repairs
1079 4 Sep-18 O P S TS The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment.
0305 5 Oct-19 O P S TS Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician.
0307 2 Sep-18 O P S TS If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken.
0306 4 Sep-18 O P S TS If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:
  • is appropriately cleared and briefed
  • takes due care to ensure that information is not disclosed
  • takes all responsible measures to ensure the integrity of the ICT equipment
  • has the authority to direct the technician
  • is sufficiently familiar with the ICT equipment to understand the work being performed.
0310 4 Sep-18 O P S TS ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment.
0944 4 Sep-18 O P S TS ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to.
ICT equipment sanitisation and disposal
0313 4 Aug-19 O P S TS An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented.
1550 0 Aug-19 O P S TS An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented.
0311 5 Sep-18 O P S TS When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety.
1217 1 Sep-18 O P S TS Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal.
0316 2 Sep-18 O P S TS Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain.
0315 5 Sep-18 O P S TS If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal.
1218 2 Oct-19 - - S TS ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ.
0312 4 Sep-18 - - S TS ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction.
0317 3 Sep-18 O P S TS At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum.
1219 1 Sep-18 O P S TS MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller.
1220 1 Sep-18 O P S TS Printer and MFD platens are inspected and destroyed if any images are retained on the platen.
1221 1 Sep-18 O P S TS Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam.
0318 3 Sep-18 O P S TS When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices.
1534 0 Sep-18 O P S TS Printer ribbons in printers and MFDs are removed and destroyed.
1076 2 Sep-18 O P S TS Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time.
1222 1 Sep-18 O P S TS Televisions and computer monitors that cannot be sanitised are destroyed.
1223 4 Nov-19 O P S TS Memory in network devices is sanitised using the following processes, in order of preference:
  • following device-specific guidance provided by the ACSC
  • following vendor sanitisation guidance
  • loading a dummy configuration file, performing a factory reset and then reinstalling firmware.
1225 2 Sep-18 O P S TS The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed.
1226 2 Sep-18 O P S TS Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam.

Guidelines for Media Management

Identifier Revision Updated Applicability Security Control Description
Media usage
1549 0 Aug-19 O P S TS A media management policy is developed and implemented.
1359 3 Aug-19 O P S TS A removable media usage policy is developed and implemented.
0323 5 Feb-19 O P S TS Media is classified to the highest sensitivity or classification of information stored on the media.
0325 5 Mar-19 O P S TS Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured.
0331 5 Sep-18 O P S TS Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade.
0330 3 Sep-18 O P S TS If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it.
0332 4 Sep-18 O P S TS Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification.
0337 4 Sep-18 O P S TS Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it.
0341 3 Sep-18 O P S TS Any automatic execution features for media are disabled in the operating system of systems.
0342 5 Sep-18 O P S TS Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means.
0343 4 Sep-18 O P S TS Media is prevented from being written to via the use of device access control software if there is no business requirement for its use.
0345 4 Sep-18 O P S TS External interface connections that allow DMA are disabled.
0831 5 Sep-18 O P S TS Media is handled in a manner suitable for its sensitivity or classification.
1059 3 Sep-18 O P S TS Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm.
0347 4 Sep-18 O P S TS When transferring data manually between two systems belonging to different security domains, write-once media is used.
Media sanitisation
0348 3 Aug-19 O P S TS A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented.
0351 5 Sep-18 O P - - Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification.
0352 3 Sep-18 - - S TS Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes.
0835 3 Sep-18 - - - TS Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time.
1065 2 Sep-18 O P S TS The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation.
0354 5 Sep-18 O P S TS Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification.
1067 3 Sep-18 O P S TS The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten.
0356 5 Sep-18 - - S TS Following sanitisation, highly classified non-volatile magnetic media retains its classification.
0357 4 Sep-18 O P S TS Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification.
0836 2 Sep-18 O P S TS Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification.
0358 5 Sep-18 - - S TS Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification.
0359 3 Sep-18 O P S TS Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification.
0360 5 Sep-18 - - S TS Following sanitisation, highly classified non-volatile flash memory media retains its classification.
0947 4 Sep-18 O P S TS All media is sanitised prior to reuse.
1464 1 Sep-18 O P S TS Where a Consumer Guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the Consumer Guide are followed.
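Controls 0351, 0352, 0354, 0836 and 0359 share one mechanical step: overwrite the whole medium with a random pattern, then read it back and verify, with the pass count depending on the media type. The script below is an added example, not ISM or ACSC tooling, implementing that overwrite-and-verify step and the pass-count rules from those controls. It assumes the medium is presented as a path writable with ordinary file I/O (a temporary file in the demonstration; on Linux a block device such as /dev/sdX when run as root), and reads "15 Gigabytes" in 0354 as 15 x 10^9 bytes. The power removal (0351/0352), UV erasure (0357), HPA/DCO reset (1065) and ATA secure erase (1067) steps are outside what it can do and must still be performed.

```python
"""Overwrite-and-verify sanitisation step for ISM controls 0351/0352/0354/0836/0359.

Added example, not ISM text. Writes fresh random bytes over the whole medium,
hashes what was written, reads the medium back and compares the hashes.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per write/read


def passes_required(media_type, size_bytes=None, pre_2001=False):
    """Minimum overwrite passes as stated in the ISM for each media type."""
    if media_type in ("volatile", "eeprom"):
        return 1
    if media_type == "magnetic":
        # 0354: three passes if pre-2001 or under 15 GB (assumed decimal GB).
        if pre_2001 or (size_bytes is not None and size_bytes < 15 * 10**9):
            return 3
        return 1
    if media_type == "flash":
        return 2  # 0359
    raise ValueError(f"no overwrite procedure for {media_type!r}; destroy instead")


def _drop_cache(fd):
    # Ask the kernel to drop cached pages so the read-back hits the medium.
    # O_DIRECT would be stricter but is platform-specific; not available on Windows.
    if hasattr(os, "posix_fadvise"):
        os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)


def overwrite_pass(path):
    """Overwrite the entire medium with random bytes; return (size, sha256 of the bytes written)."""
    digest = hashlib.sha256()
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for files and block devices
        os.lseek(fd, 0, os.SEEK_SET)
        remaining = size
        while remaining:
            buf = os.urandom(min(CHUNK, remaining))
            written = 0
            while written < len(buf):           # os.write may write partially
                written += os.write(fd, buf[written:])
            digest.update(buf)
            remaining -= len(buf)
        os.fsync(fd)
        _drop_cache(fd)
    finally:
        os.close(fd)
    return size, digest.hexdigest()


def readback_digest(path, size):
    """Read the medium back and hash it for comparison with the written pattern."""
    digest = hashlib.sha256()
    with open(path, "rb", buffering=0) as f:
        remaining = size
        while remaining:
            buf = f.read(min(CHUNK, remaining))
            if not buf:
                raise IOError("short read during verification")
            digest.update(buf)
            remaining -= len(buf)
    return digest.hexdigest()


def sanitise(path, passes):
    """Run `passes` overwrite+verify cycles; True only if every read-back matches."""
    for _ in range(passes):
        size, written = overwrite_pass(path)
        if readback_digest(path, size) != written:
            return False  # verification failed: treat as faulty media and destroy (0350)
    return True


def demo_on_temp_file(size_bytes=3 * CHUNK + 12345):
    """Self-contained run on a temporary file holding a constructed known pattern."""
    original = (b"SECRET" * (size_bytes // 6 + 1))[:size_bytes]
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(original)
        path = tmp.name
    try:
        ok = sanitise(path, passes_required("flash"))
        with open(path, "rb") as f:
            after = f.read()
    finally:
        os.unlink(path)
    return {"verified": ok, "size_unchanged": len(after) == size_bytes,
            "pattern_gone": b"SECRET" not in after}


if __name__ == "__main__":
    print(demo_on_temp_file())
```

The verification compares a hash of the bytes written against a hash of the bytes read back, so the random pattern never needs to be stored; a mismatch means the medium did not retain the overwrite (remapped sectors, wear-levelled flash, cached writes) and the medium should be treated as faulty and destroyed rather than reused. On flash in particular, a successful read-back does not prove spare blocks were overwritten, which is why 0359 still demands two passes and 0360 keeps highly classified flash at its classification afterwards.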
Media destruction
0363 2 Aug-19 O P S TS A media destruction process, and supporting media destruction procedures, is developed and implemented.
0350 4 Sep-18 O P S TS The following media types are destroyed prior to disposal as they cannot be sanitised:
  • microfiche and microfilm
  • optical discs
  • programmable read-only memory
  • read-only memory
  • other types of media that cannot be sanitised
  • faulty media that cannot be successfully sanitised.
1361 1 Sep-18 O P S TS SCEC or ASIO approved equipment is used when destroying media.
1160 1 Sep-18 O P S TS If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency or certified by the United Kingdom’s National Cyber Security Centre are used.
1517 0 Sep-18 O P S TS Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm.
0366 2 Sep-18 O P S TS One of the methods in the following table is used to destroy media (see source document for referenced table).
0368 6 Sep-18 O P S TS The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table).
0361 3 Sep-18 O P S TS A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals.
0838 2 Sep-18 O P S TS A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used.
0362 3 Sep-18 O P S TS Any product-specific directions provided by degausser manufacturers are followed.
0370 4 Sep-18 O P S TS The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed.
0371 3 Sep-18 O P S TS Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully.
0372 4 Sep-18 O P S TS The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed.
0373 3 Sep-18 O P S TS Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards.
0840 3 Sep-18 O P S - When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used.
0839 2 Sep-18 O P S TS The destruction of TOP SECRET media or accountable material is not outsourced.
Media disposal
0374 2 Aug-19 O P S TS A media disposal process, and supporting media disposal procedures, is developed and implemented.
0375 3 Sep-18 O P S TS Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain.
0378 3 Sep-18 O P S TS Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal.

Guidelines for System Hardening

Identifier Revision Updated Applicability Security Control Description
Operating system hardening
1407 3 Sep-18 O P S TS The latest version (N), or N-1 version, of an operating system is used for Standard Operating Environments (SOEs).
1408 3 Sep-18 O P S TS When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used.
1409 1 Sep-18 O P S TS ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems.
0383 6 Sep-18 O P S TS Default operating system accounts are disabled, renamed or have their passphrase changed.
0380 7 Sep-18 O P S TS Unneeded operating system accounts, software, components, services and functionality are removed or disabled.
1491 0 Sep-18 O P S TS Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe).
1410 1 Sep-18 O P S TS Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used.
1469 1 Sep-18 O P S TS Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management.
0382 5 Sep-18 O P S TS Users do not have the ability to install, uninstall or disable software.
0843 7 Sep-18 O P S TS An application whitelisting solution is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set.
1490 1 Jul-19 O P S TS An application whitelisting solution is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set.
0955 5 Sep-18 O P S TS Application whitelisting is implemented using cryptographic hash rules, publisher certificate rules or path rules.
1471 1 Sep-18 O P S TS When implementing application whitelisting using publisher certificate rules, both publisher names and product names are used.
1392 1 Sep-18 O P S TS When implementing application whitelisting using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute.
1544 0 Jul-19 O P S TS Microsoft’s latest recommended block rules are implemented to prevent application whitelisting bypasses.
0846 6 Sep-18 O P S TS All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application whitelisting mechanisms.
0957 5 Sep-18 O P S TS Application whitelisting solutions are configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file.
1414 1 Sep-18 O P S TS If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures.
1492 0 Sep-18 O P S TS If supported, Microsoft's 'Exploit protection' functionality is implemented on workstations and servers.
1341 2 Sep-18 O P S TS A HIPS is implemented on workstations.
1034 6 Sep-18 O P S TS A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers.
1416 2 Sep-18 O P S TS A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections.
1417 2 Sep-18 O P S TS Antivirus software is implemented on workstations and servers and configured with:
  • signature-based detection enabled and set to a high level
  • heuristic-based detection enabled and set to a high level
  • detection signatures checked for currency and updated on at least a daily basis
  • automatic and regular scanning configured for all fixed disks and removable media.
1390 2 Sep-18 O P - - Antivirus software has reputation rating functionality enabled.
1418 1 Sep-18 O P S TS Endpoint device control software is implemented on workstations and servers to prevent unauthorised devices from being used.
Application hardening
0938 4 Sep-18 O P S TS Applications are chosen from vendors that have made a commitment to secure development and maintenance practices.
1467 1 Sep-18 O P S TS The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs.
1483 0 Sep-18 O P S TS The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs.
1412 2 Feb-19 O P S TS ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers.
1484 1 Jan-19 O P S TS Web browsers are configured to block or disable support for Flash content.
1485 0 Sep-18 O P S TS Web browsers are configured to block web advertisements.
1486 0 Sep-18 O P S TS Web browsers are configured to block Java from the Internet.
1541 0 Jan-19 O P S TS Microsoft Office is configured to disable support for Flash content.
1542 0 Jan-19 O P S TS Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.
1470 3 Mar-19 O P S TS Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled.
1235 2 Apr-19 O P S TS The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons.
1487 0 Sep-18 O P S TS Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros.
1488 0 Sep-18 O P S TS Microsoft Office macros in documents originating from the Internet are blocked.
1489 0 Sep-18 O P S TS Microsoft Office macro security settings cannot be changed by users.
Authentication hardening
1546 0 Aug-19 O P S TS Users are authenticated before they are granted access to a system and its resources.
0974 5 Sep-18 O P S TS Multi-factor authentication is used to authenticate standard users.
1173 3 Mar-19 O P S TS Multi-factor authentication is used to authenticate all privileged users and any other positions of trust.
1504 0 Sep-18 O P S TS Multi-factor authentication is used to authenticate all users of remote access solutions.
1505 0 Sep-18 O P S TS Multi-factor authentication is used to authenticate all users when accessing important data repositories.
1401 4 Oct-19 O P S TS Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards.
1559 0 Oct-19 O P - - Passwords used for multi-factor authentication are a minimum of 6 characters.
1560 0 Oct-19 - - S - Passwords used for multi-factor authentication are a minimum of 8 characters.
1561 0 Oct-19 - - - TS Passwords used for multi-factor authentication are a minimum of 10 characters.
1357 1 Sep-18 O P S TS When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system.
0417 5 Oct-19 O P S TS When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead.
0421 5 Oct-19 O P - - Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words.
1557 0 Oct-19 - - S - Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words.
0422 5 Oct-19 - - - TS Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words.
1558 0 Oct-19 O P S TS Passphrases used for single-factor authentication:
  • are not constructed from song lyrics, movies, literature or any other publicly available material
  • do not form a real sentence in a natural language
  • are not a list of categorised words.
1403 2 Oct-19 O P S TS Accounts are locked out after a maximum of five failed logon attempts.
0431 2 Sep-18 O P S TS Repeated account lockouts are investigated before reauthorising access.
0976 5 Oct-19 O P S TS Users provide sufficient evidence to verify their identity when requesting a password/passphrase reset.
1227 3 Oct-19 O P S TS Password/passphrase resets are random for each individual reset, not reused when resetting multiple accounts, and not based on another identifying factor such as the user’s name or the date.
1055 3 Oct-19 O P S TS LAN Manager is disabled for password/passphrase authentication.
0418 4 Oct-19 O P S TS Credentials are stored separately from systems to which they grant access.
1402 3 Dec-19 O P S TS Credentials are protected by ensuring:
  • passwords/passphrases expire every 12 months
  • passwords/passphrases are stored as salted hashes
  • password/passphrase stretching is implemented
  • passwords/passphrases appearing in breach databases are blacklisted
  • passwords/passphrases are never sent in the clear across networks.
0428 6 Sep-18 O P S TS Systems are configured with a session or screen lock that:
  • activates after a maximum of 15 minutes of user inactivity or if manually activated by the user
  • completely conceals all information on the screen
  • ensures that the screen does not enter a power saving state before the screen or session lock is activated
  • requires the user to reauthenticate to unlock the system
  • denies users the ability to disable the session or screen locking mechanism.
0408 4 Sep-18 O P S TS Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted.
0979 4 Sep-18 O P S TS Legal advice is sought on the exact wording of logon banners.

Guidelines for System Management

Identifier Revision Updated Applicability Security Control Description
System administration
0042 4 Aug-19 O P S TS A system administration process, with supporting system administration procedures, is developed and implemented.
1380 4 Oct-19 O P S TS Privileged users use a dedicated administrator workstation when performing privileged tasks.
1382 2 Sep-18 O P S TS Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations.
1381 2 Sep-18 O P S TS Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities.
1383 2 Sep-18 O P S TS All administrative infrastructure, including but not limited to administrator workstations and jump servers, is hardened.
1384 2 Sep-18 O P S TS Multi-factor authentication is used to authenticate users each time they perform privileged actions.
1385 2 Sep-18 O P S TS Administrator workstations are placed into a separate network zone to user workstations.
1386 4 Oct-19 O P S TS Management traffic is only allowed to originate from network zones that are used to administer systems and applications.
1387 1 Sep-18 O P S TS All administrative actions are conducted through a jump server.
1388 1 Sep-18 O P S TS Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities.
System patching
1143 7 Aug-19 O P S TS A patch management process, and supporting patch management procedures, is developed and implemented.
1493 1 Aug-19 O P S TS A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited.
1144 9 Sep-18 O P S TS Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.
0940 8 Sep-18 O P S TS Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users.
1472 1 Sep-18 O P S TS Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users.
1494 0 Sep-18 O P S TS Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.
1495 0 Sep-18 O P S TS Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users.
1496 0 Sep-18 O P S TS Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users.
0300 6 Sep-18 - - S TS High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC.
0298 7 Oct-19 O P S TS A centralised and managed approach is used to patch or update applications and drivers.
0303 6 Sep-18 O P S TS An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used.
1497 0 Sep-18 O P S TS An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place.
1498 1 Oct-19 O P S TS A centralised and managed approach is used to patch or update operating systems and firmware.
1499 0 Sep-18 O P S TS An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used.
1500 0 Sep-18 O P S TS An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place.
0304 5 Sep-18 O P S TS Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.
1501 0 Sep-18 O P S TS Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.
Change management
1211 2 Aug-19 O P S TS A change management process, and supporting change management procedures, is developed and implemented covering:
  • identification and documentation of requests for change
  • approval required for changes to be made
  • implementation and testing of approved changes
  • the maintenance of system and security documentation.
Data backup and restoration
1510 1 Aug-19 O P S TS A digital preservation policy is developed and implemented.
1547 0 Aug-19 O P S TS A data backup process, and supporting data backup procedures, is developed and implemented.
1548 0 Aug-19 O P S TS A data restoration process, and supporting data restoration procedures, is developed and implemented.
1511 0 Sep-18 O P S TS Backups of important information, software and configuration settings are performed at least daily.
1512 0 Sep-18 O P S TS Backups are stored offline, or online but in a non-rewritable and non-erasable manner.
1513 0 Sep-18 O P S TS Backups are stored at multiple geographically dispersed locations.
1514 0 Sep-18 O P S TS Backups are stored for three months or greater.
1515 1 Jul-19 O P S TS Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur.
1516 1 Jul-19 O P S TS Partial restoration of backups is tested on a quarterly or more frequent basis.

Guidelines for System Monitoring

Identifier Revision Updated Applicability Security Control Description
Event logging and auditing
0580 6 Aug-19 O P S TS An event logging policy is developed and implemented.
1405 1 Sep-18 O P S TS A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs.
0988 5 Sep-18 O P S TS An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events.
0584 2 Sep-18 O P S TS For any system requiring authentication, logon, failed logon and logoff events are logged.
0582 5 Sep-18 O P S TS The following events are logged for operating systems:
  • access to important data and processes
  • application crashes and any error messages
  • attempts to use special privileges
  • changes to accounts
  • changes to security policy
  • changes to system configurations
  • Domain Name System (DNS) and Hypertext Transfer Protocol requests
  • failed attempts to access data and system resources
  • service failures and restarts
  • system startup and shutdown
  • transfer of data to external media
  • user or group management
  • use of special privileges.
1536 0 Sep-18 O P S TS The following events are logged for web applications:
  • attempted access that is denied
  • crashes and any error messages
  • search queries initiated by users.
1537 0 Sep-18 O P S TS The following events are logged for databases:
  • access to particularly important information
  • addition of new users, especially privileged users
  • any query containing comments
  • any query containing multiple embedded queries
  • any query or database alerts or failures
  • attempts to elevate privileges
  • attempted access that is successful or unsuccessful
  • changes to the database structure
  • changes to user roles or database permissions
  • database administrator actions
  • database logons and logoffs
  • modifications to data
  • use of executable commands.
0585 4 Sep-18 O P S TS For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded.
0586 4 Sep-18 O P S TS Event logs are protected from unauthorised access, modification and deletion.
0859 2 Sep-18 O P S TS Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority publication.
0991 4 Sep-18 O P S TS DNS and proxy logs are retained for at least 18 months.
0109 6 Aug-19 O P S TS An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements.
1228 2 Sep-18 O P S TS Events are correlated across event logs to prioritise audits and focus investigations.
Vulnerability management
1163 3 Aug-19 O P S TS A vulnerability management policy is developed and implemented that includes:
  • conducting vulnerability assessments and penetration tests for systems throughout their life cycle to identify security vulnerabilities
  • analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls
  • using a risk-based approach to prioritise the implementation of identified mitigations.
0911 6 Sep-18 O P S TS Vulnerability assessments and penetration tests are conducted by suitably skilled personnel before a system is deployed, after a significant change to a system, and at least annually or as specified by the system owner.

Guidelines for Software Development

Identifier Revision Updated Applicability Security Control Description
Application development
0400 4 Sep-18 O P S TS Software development, testing and production environments are segregated.
1419 1 Sep-18 O P S TS Development and modification of software only takes place in development environments.
1420 2 Sep-18 O P S TS Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments.
1422 3 Sep-18 O P S TS Unauthorised access to the authoritative source for software is prevented.
1238 3 Sep-18 O P S TS Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for.
0401 4 Oct-19 O P S TS Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications.
0402 3 Sep-18 O P S TS Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment.
Web application development
1239 3 Sep-18 O P S TS Robust web application frameworks are used to aid in the development of secure web applications.
1552 0 Oct-19 O P S TS All web application content is offered exclusively using HTTPS.
1240 2 Sep-18 O P S TS Validation and/or sanitisation is performed on all input handled by a web application.
1241 3 Sep-18 O P S TS Output encoding is performed on all output produced by a web application.
1424 3 Oct-19 O P S TS Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers.
0971 7 Apr-19 O P S TS The OWASP Application Security Verification Standard is followed when developing web applications.

Guidelines for Database Systems Management

Identifier Revision Updated Applicability Security Control Description
Database servers
1425 1 Sep-18 O P S TS Hard disks of database servers are encrypted using full disk encryption.
1269 2 Sep-18 O P S TS Database servers and web servers are functionally separated, physically or virtually.
1277 2 Sep-18 O P S TS Information communicated between database servers and web applications is encrypted.
1270 2 Sep-18 O P S TS Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations.
1271 1 Sep-18 O P S TS Network access controls are implemented to restrict database servers’ communications to strictly defined network resources such as web servers, application servers and storage area networks.
1272 1 Sep-18 O P S TS If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface.
1273 2 Sep-18 O P S TS Test and development environments do not use the same database servers as production environments.
Database management system software
1245 2 Sep-18 O P S TS All temporary installation files and logs are removed after DBMS software has been installed.
1246 2 Sep-18 O P S TS DBMS software is configured according to vendor guidance.
1247 2 Sep-18 O P S TS DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed.
1249 2 Sep-18 O P S TS DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions.
1250 1 Sep-18 O P S TS The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system.
1251 2 Sep-18 O P S TS The ability of DBMS software to read local files from a server is disabled.
1260 2 Sep-18 O P S TS Default database administrator accounts are disabled, renamed or have their passphrases changed.
1262 1 Sep-18 O P S TS Database administrators have unique and identifiable accounts.
1261 2 Sep-18 O P S TS Database administrator accounts are not shared across different databases.
1263 2 Sep-18 O P S TS Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases.
1264 1 Sep-18 O P S TS Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions.
Databases
1243 4 Aug-19 O P S TS A database register is maintained and regularly audited.
1256 3 Sep-18 O P S TS File-based access controls are applied to database files.
1252 3 Jun-19 O P S TS Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm.
0393 7 Apr-19 O P S TS Databases and their contents are classified based on the sensitivity or classification of information that they contain.
1255 3 Sep-18 O P S TS Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties.
1268 1 Sep-18 O P S TS The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles.
1258 1 Sep-18 O P S TS Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented.
1274 4 Sep-18 O P S TS Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment.
1275 1 Sep-18 O P S TS All queries to databases from web applications are filtered for legitimate content and correct syntax.
1276 2 Sep-18 O P S TS Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries.
1278 2 Sep-18 O P S TS Web applications are designed to provide as little error information as possible to users about database schemas.

Guidelines for Email Management

Identifier Revision Updated Applicability Security Control Description
Email usage
0264 3 Aug-19 O P S TS An email usage policy is developed and implemented.
0267 7 Mar-19 O P S TS Access to non-approved webmail services is blocked.
0270 5 Mar-19 O P S TS Protective markings are applied to emails and reflect the information in their subject, body and attachments.
0271 3 Mar-19 O P S TS Protective marking tools do not automatically insert protective markings into emails.
0272 4 Mar-19 O P S TS Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate.
1089 4 Mar-19 O P S TS Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email.
0565 4 Mar-19 O P S TS Email servers are configured to block, log and report emails with inappropriate protective markings.
1023 5 Mar-19 O P S TS The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified.
0269 2 Sep-18 - - S TS Emails containing AUSTEO or AGAO information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed.
1539 2 Aug-19 - P S TS Emails containing REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed.
Email gateways and servers
0569 3 Sep-18 O P S TS Email is routed through a centralised email gateway.
0571 5 Mar-19 O P S TS When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway.
0570 4 Sep-18 O P S TS Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway.
0567 4 Mar-19 O P S TS Email servers only relay emails destined for or originating from their domains.
0572 3 Sep-18 O P S TS Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure.
0574 4 Oct-19 O P S TS SPF is used to specify authorised email services (or lack thereof) for all domains.
1183 1 Sep-18 O P S TS A hard fail SPF record is used when specifying email servers.
1151 3 Oct-19 O P S TS SPF is used to verify the authenticity of incoming emails.
1152 3 Mar-19 O P S TS Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients.
0861 2 Mar-19 O P S TS DKIM signing is enabled on emails originating from an organisation’s domains.
1026 4 Sep-18 O P S TS DKIM signatures on received emails are verified, taking into account that email distribution list software typically invalidates DKIM signatures.
1027 4 Sep-18 O P S TS Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature.
1540 1 Oct-19 O P S TS DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks.
1234 3 Mar-19 O P S TS Email content filtering controls are implemented for email bodies and attachments.
1502 1 Mar-19 O P S TS Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway.
1024 4 Sep-18 O P S TS Notifications of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means.

Guidelines for Network Management

Identifier Revision Updated Applicability Security Control Description
Network design and configuration
0516 4 Sep-18 O P S TS Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices.
0518 4 Sep-18 O P S TS Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement.
1178 3 Sep-18 O P S TS Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services.
1181 3 Sep-18 O P S TS Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services.
1532 1 Aug-19 O P S TS VLANs are not used to separate network traffic between official or classified networks and public network infrastructure.
0529 5 Sep-18 O P S TS VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications.
1364 2 Sep-18 O P S TS VLANs belonging to different security domains are terminated on separate physical network interfaces.
0535 5 Sep-18 O P S TS VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks.
0530 5 Sep-18 O P S TS Network devices implementing VLANs are managed from the most trusted network.
0521 5 Sep-18 O P S TS IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used.
1186 3 Sep-18 O P S TS IPv6 capable network security devices are used on IPv6 and dual-stack networks.
1428 1 Sep-18 O P S TS Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment.
1429 1 Sep-18 O P S TS IPv6 tunnelling is blocked by network security devices at externally connected network boundaries.
1430 1 Sep-18 O P S TS Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility.
0520 6 Sep-18 O P S TS Network access controls are implemented on networks to prevent the connection of unauthorised network devices.
1182 3 Sep-18 O P S TS Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes.
1301 2 Aug-19 O P S TS A network device register is maintained and regularly audited.
1304 2 Sep-18 O P S TS Default accounts for network devices are disabled, renamed or have their passphrase changed.
0534 2 Sep-18 O P S TS Unused physical ports on network devices are disabled.
0385 6 Sep-18 O P S TS Servers maintain effective functional separation from other servers, allowing them to operate independently.
1479 0 Sep-18 O P S TS Servers minimise communications with other servers at both the network and file system level.
1460 1 Sep-18 O P S TS When using a software-based isolation mechanism to share a physical server’s hardware:
  • the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner
  • the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism
  • the underlying operating system running on the server is hardened
  • patches are applied to the isolation mechanism and underlying operating system in a timely manner
  • integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner.
1462 1 Jul-19 - P - - When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification.
1461 2 Jul-19 - - S TS When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain.
1006 6 Sep-18 O P S TS Security measures are implemented to prevent unauthorised access to network management traffic.
1311 2 Sep-18 O P S TS SNMP versions 1 and 2 are not used on networks.
1312 2 Sep-18 O P S TS All default SNMP community strings on network devices are changed and have write access disabled.
1028 6 Sep-18 O P S TS NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage, including public network infrastructure.
1030 6 Sep-18 O P S TS NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets.
1185 3 Sep-18 O P S TS When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures.
Wireless networks
1314 1 Sep-18 O P S TS All wireless access points are Wi-Fi Alliance certified.
0536 6 Sep-18 O P S TS Wireless networks provided for the general public to access are segregated from all other networks.
1315 2 Sep-18 O P S TS The administrative interface on wireless access points is disabled for wireless network connections.
1316 2 Sep-18 O P S TS The default SSID of wireless access points is changed.
1317 2 Sep-18 O P S TS The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network.
1318 2 Sep-18 O P S TS SSID broadcasting is enabled on wireless networks.
1319 2 Sep-18 O P S TS Static addressing is not used for assigning IP addresses on wireless networks.
1320 2 Sep-18 O P S TS MAC address filtering is not used to restrict which devices can connect to wireless networks.
1321 1 Sep-18 O P S TS WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks.
1322 3 Aug-19 O P S TS Evaluated supplicants, authenticators and authentication servers are used in wireless networks.
1324 3 Aug-19 O P S TS Certificates are generated using an evaluated certificate authority solution or hardware security module.
1323 2 Sep-18 O P S TS Both device and user certificates are required for accessing wireless networks.
1325 1 Sep-18 O P S TS Both device and user certificates for accessing wireless networks are not stored on the same device.
1326 2 Sep-18 O P S TS User certificates for accessing wireless networks are issued on smart cards with access PINs.
1327 1 Sep-18 O P S TS User or device certificates stored on devices accessing wireless networks are protected by encryption.
1330 1 Sep-18 O P S TS The PMK caching period is not set to greater than 1440 minutes (24 hours).
1454 1 Sep-18 O P S TS Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption.
1332 2 Aug-19 O P S TS ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic.
1334 2 Sep-18 O P S TS Wireless networks implement sufficient frequency separation from other wireless networks.
1335 1 Sep-18 O P S TS Wireless access points enable the use of the 802.11w amendment to protect management frames.
1338 1 Sep-18 O P S TS Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint.
1013 5 Sep-18 - - S TS The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used.
Service continuity for online services
1458 1 Sep-18 O P - - The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented.
1431 1 Sep-18 O P - - Denial-of-service attack prevention and mitigation strategies are discussed with service providers, specifically:
  • their capacity to withstand denial-of-service attacks
  • any costs likely to be incurred by customers resulting from denial-of-service attacks
  • thresholds for notifying customers or turning off their online services during denial-of-service attacks
  • pre-approved actions that can be undertaken during denial-of-service attacks
  • denial-of-service attack prevention arrangements with upstream providers to block malicious traffic as far upstream as possible.
1432 1 Sep-18 O P - - Domain names for online services are protected via registrar locking and confirming domain registration details are correct.
1433 1 Sep-18 O P - - 24x7 contact details are maintained for service providers and service providers maintain 24x7 contact details for their customers.
1434 1 Sep-18 O P - - Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail.
1435 1 Sep-18 O P - - Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact.
1436 1 Sep-18 O P - - Critical online services are segregated from other online services that are more likely to be targeted.
1518 0 Sep-18 O P - - A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack.
1437 2 Sep-18 O P - - A cloud service provider, preferably multiple different cloud service providers, is used for hosting online services.
1438 1 Sep-18 O P - - Where a high availability requirement exists for website hosting, CDNs that cache websites are used.
1439 1 Sep-18 O P - - If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network.
1441 1 Sep-18 O P - - Where a requirement for high availability exists for online services, a denial of service mitigation service is used.
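Worked example for control 1439 (added here; it is not part of the ISM text and not an ACSC tool): the origin server behind a CDN should answer only to the CDN's edge ranges and to the organisation's management network. The Python below classifies a source address against those two range lists, decides whether a given destination port is permitted for that role, and renders the matching default-drop nftables ruleset. All address ranges, the table name `origin` and the port assignments are constructed for illustration; real deployments take the edge ranges from the CDN's published list and refresh them, because CDN ranges change.

```python
import ipaddress

# Constructed ranges for the example (documentation prefixes, not a real CDN).
CDN_EDGE_RANGES = ["203.0.113.0/24", "198.51.100.128/25", "2001:db8:cd00::/40"]
MANAGEMENT_RANGES = ["10.20.30.0/27", "2001:db8:ad00::/48"]
# Which ports each role may reach on the origin: the CDN fetches content over
# HTTPS, the management network administers over SSH. Nothing else is exposed.
ALLOWED_PORTS = {"cdn": (443,), "mgmt": (22,)}


def classify_source(addr, cdn_ranges=CDN_EDGE_RANGES, mgmt_ranges=MANAGEMENT_RANGES):
    """Return 'cdn', 'mgmt' or None for a source address arriving at the origin."""
    ip = ipaddress.ip_address(addr)
    for role, ranges in (("cdn", cdn_ranges), ("mgmt", mgmt_ranges)):
        for cidr in ranges:
            # strict=True rejects a prefix with host bits set, a common typo that
            # would otherwise silently widen the allowed range.
            if ip in ipaddress.ip_network(cidr, strict=True):
                return role
    return None


def is_permitted(addr, dport, cdn_ranges=CDN_EDGE_RANGES, mgmt_ranges=MANAGEMENT_RANGES):
    """Decision the origin's packet filter should reach for one source/port pair."""
    role = classify_source(addr, cdn_ranges, mgmt_ranges)
    return role is not None and dport in ALLOWED_PORTS[role]


def render_nftables(cdn_ranges=CDN_EDGE_RANGES, mgmt_ranges=MANAGEMENT_RANGES):
    """Emit an nftables ruleset: default drop, CDN to 443, management to 22."""
    lines = ["table inet origin {"]
    sets = []
    for role, ranges in (("cdn", cdn_ranges), ("mgmt", mgmt_ranges)):
        for version, addr_type in ((4, "ipv4_addr"), (6, "ipv6_addr")):
            members = [c for c in ranges if ipaddress.ip_network(c).version == version]
            if not members:
                continue          # nftables rejects an empty elements list
            name = f"{role}_v{version}"
            lines.append(f"    set {name} {{ type {addr_type}; flags interval; "
                         f"elements = {{ {', '.join(members)} }} }}")
            sets.append((role, version, name))
    lines += [
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        iif lo accept",
        "        ct state invalid drop",
        "        ct state established,related accept",
        # IPv6 neighbour discovery must survive the default drop or the host loses its link.
        "        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept",
    ]
    for role, version, name in sets:
        proto = "ip" if version == 4 else "ip6"
        ports = ", ".join(str(p) for p in ALLOWED_PORTS[role])
        lines.append(f"        {proto} saddr @{name} tcp dport {{ {ports} }} accept")
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for src, port in (("203.0.113.7", 443), ("203.0.113.7", 22), ("10.20.30.9", 22), ("192.0.2.1", 443)):
        print(f"{src:>16}:{port:<4} {'accept' if is_permitted(src, port) else 'drop'}")
    print(render_nftables())
```

The ruleset is what `nft -f` would load on the origin; the classifier is the same decision expressed for log review, so a connection seen from an address that classifies as None is direct evidence that the origin's address has leaked (the first half of 1439).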

Guidelines for Using Cryptography

Identifier Revision Updated Applicability Security Control Description
Cryptographic fundamentals
1161 4 Sep-18 O - - - Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information.
0457 5 Sep-18 - P - - Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information.
0460 8 Sep-18 - - S TS HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information.
0459 3 Sep-18 O P - - Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition.
0461 5 Sep-18 - - S TS HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition.
1080 2 Sep-18 - - S TS In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system.
0455 2 Sep-18 O P S TS Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure.
0462 5 Sep-18 O P S TS When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality.
1162 3 Sep-18 O - - - Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces.
0465 6 Sep-18 - P - - Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces.
0467 8 Sep-18 - - S TS HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces.
0469 3 Sep-18 - - S TS In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure.
ASD Approved Cryptographic Algorithms
0471 5 Sep-18 O P - - If using cryptographic equipment or software that implements an AACA, only AACAs can be used.
0994 5 Sep-18 O P - - ECDH and ECDSA are used in preference to DH and DSA.
0472 4 Sep-18 O P - - When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used.
0473 4 Sep-18 O P - - When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used.
1446 1 Sep-18 O P - - When using elliptic curve cryptography, a curve from FIPS 186-4 is used.
0474 4 Sep-18 O P - - When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used.
0475 4 Sep-18 O P - - When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used.
0476 5 Sep-18 O P - - When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used.
0477 6 Sep-18 O P - - When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used.
1054 4 Sep-18 O P - - A hashing algorithm from the SHA-2 family is used instead of SHA-1.
0479 4 Sep-18 O P - - Symmetric cryptographic algorithms are not used in Electronic Codebook Mode.
0480 6 Sep-18 O P - - 3DES is used with three distinct keys.
1232 5 May-19 - - S TS AACAs are used in an evaluated implementation.
1468 5 Oct-19 - - S TS Preference is given to using the CNSA Suite algorithms and key sizes.
ASD Approved Cryptographic Protocols
0481 4 Sep-18 O P S TS If using cryptographic equipment or software that implements an AACP, only AACAs can be used.
Transport Layer Security
1139 5 Oct-19 O P S TS Only the latest version of TLS is used.
1369 2 Oct-19 O P S TS AES in Galois Counter Mode is used for symmetric encryption.
1370 2 Oct-19 O P S TS Only server-initiated secure renegotiation is used.
1372 2 Sep-18 O P S TS DH or ECDH is used for key establishment.
1448 1 Sep-18 O P S TS When using DH or ECDH for key establishment, the ephemeral variant is used.
1373 1 Sep-18 O P S TS Anonymous DH is not used.
1374 2 Oct-19 O P S TS SHA-2-based certificates are used.
1375 3 Oct-19 O P S TS Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function.
1553 0 Oct-19 O P S TS TLS compression is disabled.
1453 1 Sep-18 O P S TS PFS is used for TLS connections.
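Worked example for the Transport Layer Security controls above (added here; not part of the ISM text and not an ACSC tool): a Python checker that applies 1369, 1372, 1373, 1375, 1448 and 1453 to OpenSSL-style cipher suite names, builds the resulting cipher string, and sets up a server `SSLContext` for 1139, 1370 and 1553. The candidate suite list is constructed for the example; the certificate and key paths passed to `build_server_context` are whatever the operator supplies.

```python
import ssl

# Controls applied below (identifiers from the table above):
#   1139 latest TLS version only            1369 AES in GCM for symmetric encryption
#   1370 no client-initiated renegotiation  1372/1448 ephemeral (EC)DH key establishment
#   1373 no anonymous DH                    1375 SHA-2 in MAC and PRF
#   1453 perfect forward secrecy            1553 TLS compression disabled

ANONYMOUS_KX = ("ADH-", "AECDH-")          # OpenSSL prefixes for anonymous (EC)DH
EPHEMERAL_KX = ("ECDHE-", "DHE-", "EDH-")   # ephemeral (EC)DH: the only forward-secret options in TLS 1.2
SHA2 = {"SHA256", "SHA384", "SHA512"}

# Constructed candidate list for the example, mixing compliant and non-compliant suites.
CANDIDATE_SUITES = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA",          # CBC with SHA-1
    "AES128-GCM-SHA256",             # RSA key transport, no forward secrecy
    "ADH-AES128-SHA",                # anonymous DH
    "ECDHE-RSA-CHACHA20-POLY1305",   # forward secret but not AES-GCM
]


def evaluate_cipher_suite(name):
    """Return the controls an OpenSSL-style cipher suite name violates ([] = compliant).

    TLS 1.2 names read kx-auth-cipher-mode-hash (ECDHE-RSA-AES256-GCM-SHA384);
    TLS 1.3 names carry a TLS_ prefix and omit the key exchange because TLS 1.3
    only negotiates ephemeral (EC)DHE.
    """
    suite = name.strip().upper()
    tls13 = suite.startswith("TLS_")
    violations = []

    if not ("AES" in suite and "GCM" in suite):
        violations.append("1369")                  # CBC, 3DES, ChaCha20: not AES-GCM

    if not tls13:
        if suite.startswith(ANONYMOUS_KX):
            violations.append("1373")              # anonymous DH: no server authentication
        elif not suite.startswith(EPHEMERAL_KX):
            violations.append("1372/1448/1453")    # RSA key transport or static (EC)DH: no PFS

    # The final token names the PRF/MAC hash when it is a SHA variant; a bare "SHA" is SHA-1.
    hash_token = suite.rsplit("_" if tls13 else "-", 1)[-1]
    if hash_token.startswith("SHA") and hash_token not in SHA2:
        violations.append("1375")

    return violations


def compliant_cipher_string(candidates):
    """Colon-separated OpenSSL cipher string containing only the compliant suites."""
    return ":".join(s for s in candidates if not evaluate_cipher_suite(s))


def build_server_context(certfile, keyfile):
    """Server-side SSLContext set to the protocol-level controls (needs a real cert and key)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3   # 1139: TLS 1.3 is the latest version at this revision
    ctx.options |= ssl.OP_NO_COMPRESSION           # 1553
    # 1370: TLS 1.3 has no renegotiation at all; the flag guards any TLS 1.2 fallback an
    # operator later permits (the constant is absent on old OpenSSL builds, hence getattr).
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    ctx.set_ciphers(compliant_cipher_string(CANDIDATE_SUITES))  # TLS 1.2 list, only used if re-enabled
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    for suite in CANDIDATE_SUITES:
        print(f"{suite:32} {evaluate_cipher_suite(suite) or 'compliant'}")
    print(compliant_cipher_string(CANDIDATE_SUITES))
```

The name-based check covers the TLS 1.2 suite list an operator configures; TLS 1.3 suites cannot be restricted through Python's `ssl` module, but all of them are forward secret and only `TLS_CHACHA20_POLY1305_SHA256` fails 1369, so the classifier flags it the same way.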
Secure Shell
1506 0 Sep-18 O P S TS The use of SSH version 1 is disabled.
0484 4 Sep-18 O P S TS The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table).
0485 3 Sep-18 O P S TS Public key-based authentication is used for SSH connections.
1449 1 Sep-18 O P S TS SSH private keys are protected with a passphrase or a key encryption key.
0487 3 Sep-18 O P S TS When using logins without a passphrase for automated purposes, the following are disabled:
  • access from IP addresses that do not require access
  • port forwarding
  • agent credential forwarding
  • X11 display remoting
  • console access.
0488 3 Sep-18 O P S TS If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checking is enabled.
0489 4 Sep-18 O P S TS When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required.
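Worked example for controls 0487 and 0488 (added here; not part of the ISM text and not an ACSC tool): the OpenSSH mechanism for a passphrase-less automation key is the `authorized_keys` options line, and the parameter checking 0488 asks for happens inside the forced command, which receives what the client asked for in `$SSH_ORIGINAL_COMMAND`. The Python below generates the restricted key line and implements the forced-command side. The public key, source addresses, forced-command path `/usr/local/sbin/backup-shell`, the `backup`/`status` subcommands and the `/usr/local/lib/backup-agent/` binaries are all hypothetical.

```python
import os
import re
import shlex
import sys

# 0487: OpenSSH authorized_keys options that switch off everything a key used only for
# automation does not need. 'restrict' (OpenSSH 7.2+) enables every restriction at once;
# the explicit no-* options are kept so older servers that ignore 'restrict' still apply them.
RESTRICTIONS = (
    "restrict",
    "no-port-forwarding",
    "no-agent-forwarding",
    "no-X11-forwarding",
    "no-pty",                 # no interactive console
)


def authorized_keys_entry(public_key, forced_command, allowed_sources):
    """One authorized_keys line: from= limits source addresses, command= forces the program."""
    if '"' in forced_command:
        raise ValueError("forced command must not contain double quotes")
    options = [
        'from="%s"' % ",".join(allowed_sources),   # hosts, addresses or CIDR blocks
        'command="%s"' % forced_command,
        *RESTRICTIONS,
    ]
    return "%s %s" % (",".join(options), public_key.strip())


# 0488 parameter checking: the only requests the forced command honours. Hypothetical
# allow-list for a backup client: subcommand -> (exact argument count, pattern each
# argument must fully match). Names may not start with '.', so '..' is rejected.
ALLOWED_COMMANDS = {
    "backup": (1, re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")),
    "status": (0, None),
}
AGENT_DIR = "/usr/local/lib/backup-agent"   # hypothetical location of the real programs


def check_original_command(ssh_original_command):
    """Validate $SSH_ORIGINAL_COMMAND; return argv to exec directly, or None to refuse.

    Splitting with shlex means quoting tricks ('db1; rm -rf /') arrive as one argument
    and then fail the pattern; metacharacters never reach a shell because the caller
    execs argv without one.
    """
    if not ssh_original_command:
        return None
    try:
        argv = shlex.split(ssh_original_command)
    except ValueError:                      # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return None
    nargs, pattern = ALLOWED_COMMANDS[argv[0]]
    args = argv[1:]
    if len(args) != nargs:
        return None
    if any(pattern.fullmatch(a) is None for a in args):
        return None
    return argv


def main():
    """Entry point when installed as the forced command."""
    argv = check_original_command(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        sys.stderr.write("request refused\n")
        sys.exit(255)
    program = os.path.join(AGENT_DIR, argv[0])
    os.execv(program, [program] + argv[1:])   # no shell involved


if __name__ == "__main__":
    print(authorized_keys_entry(
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENvbnN0cnVjdGVkS2V5Rm9ySWxsdXN0cmF0aW9u backup@host",
        "/usr/local/sbin/backup-shell", ["10.0.20.5", "10.0.21.0/24"]))
    main()
```

Install the generated line in the service account's `authorized_keys` and the script as `/usr/local/sbin/backup-shell`; because `command=` overrides whatever the client requests, the client's command line only ever reaches `check_original_command`. Control 0489's four-hour agent cache is the client-side counterpart for keys that do carry a passphrase (`ssh-agent -t 4h`).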
Secure/Multipurpose Internet Mail Extension
0490 3 Sep-18 O P S TS Versions of S/MIME earlier than 3.0 are not used.
Internet Protocol Security
0494 3 Sep-18 O P S TS Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used.
0496 4 Sep-18 O P S TS The ESP protocol is used for IPsec connections.
1233 1 Sep-18 O P S TS IKE is used for key exchange when establishing an IPsec connection.
0497 5 Sep-18 O P S TS If using ISAKMP in IKE version 1, aggressive mode is disabled.
0498 3 Sep-18 O P S TS A security association lifetime of less than four hours, or 14400 seconds, is used.
0998 4 Sep-18 O P S TS HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm.
0999 5 Sep-18 O P S TS The largest modulus size possible for all relevant components in the network is used when conducting a key exchange.
1000 4 Sep-18 O P S TS PFS is used for IPsec connections.
1001 4 Sep-18 O P S TS The use of XAuth is disabled for IPsec connections using IKE version 1.
Cryptographic system management
0501 4 Sep-18 O P - - Keyed CGCE is transported based on the sensitivity or classification of the keying material in it.
0142 3 Jun-19 O P - - The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs.
1091 5 Jun-19 O P - - Keying material is changed when compromised or suspected of being compromised.
0499 8 Apr-19 - - S TS ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE.
0505 5 Sep-18 O P S TS Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes.
0506 3 Sep-18 - - S TS Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area.

Guidelines for Gateway Management

Identifier Revision Updated Applicability Security Control Description
Gateways
0628 5 Mar-19 O P S TS All systems are protected from systems in other security domains by one or more gateways.
1192 2 Sep-18 O P S TS All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model.
0631 5 Jun-19 O P S TS Gateways:
  • are the only communications paths into and out of internal networks
  • allow only explicitly authorised connections
  • are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)
  • are protected by authentication, logging and auditing of all physical and logical access to gateway components
  • have all security controls tested to verify their effectiveness after any changes to their configuration.
1427 2 Jun-19 O P S TS Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing.
0634 7 Jun-19 O P S TS All gateways connecting networks in different security domains are operated such that they:
  • log network traffic permitted through the gateway
  • log network traffic attempting to leave the gateway
  • are configured to save event logs to a secure logging facility
  • provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns.
0637 5 Sep-18 O P S TS Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones.
0598 3 Sep-18 O P S TS A security risk assessment is performed on gateways and their configuration before their implementation.
1519 0 Sep-18 O P S TS A security risk assessment is performed on all systems before they are connected to a gateway.
0605 3 Sep-18 O P S TS All system owners of systems connected via a gateway understand and accept security risks associated with the gateway and any connected security domains, including those connected via a cascaded connection.
1041 4 Sep-18 O P S TS The security architecture of a gateway, and security risks associated with all connected security domains, including those connected via a cascaded connection, is reviewed at least annually.
0624 4 Sep-18 O P S TS Any associated security risk assessments are updated before changes are made to a gateway to ensure all relevant security risks have been documented and accepted.
0625 5 Aug-19 O P S TS All changes to a gateway architecture are considered prior to implementation, documented and assessed in accordance with the organisation’s change management process and supporting change management procedures.
1037 4 Sep-18 O P S TS Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls.
0611 4 Mar-19 O P S TS Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely.
0612 4 Sep-18 O P S TS System administrators are formally trained to manage gateways.
1520 0 Sep-18 O P S TS All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway.
0613 4 Sep-18 - - S TS All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals.
0616 4 Oct-19 O P S TS Roles for the administration of gateways are separated.
0629 3 Sep-18 O P S TS For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party.
0607 3 Oct-19 O P S TS Once connectivity is established, system owners become information stakeholders for all connected security domains.
0619 5 Sep-18 O P S TS Users and services accessing networks through gateways are authenticated.
0620 4 Sep-18 O P S TS Only users and services authenticated and authorised to a gateway can use the gateway.
1039 4 Sep-18 O P S TS Multi-factor authentication is used for access to gateways.
0622 5 Sep-18 O P S TS ICT equipment accessing networks through gateways is authenticated.
Cross Domain Solutions
0626 4 Sep-18 - - S TS When connecting a highly classified network to any other network from a different security domain, a CDS is implemented.
0597 6 Sep-18 - - S TS When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with.
0627 5 Sep-18 - - S TS When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with.
0635 5 Dec-19 - - S TS A CDS between a highly classified network and any other network implements isolated upward and downward network paths.
1521 1 Dec-19 - - S TS A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model.
1522 1 Dec-19 - - S TS A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows.
0670 4 Sep-18 - - S TS All security-relevant events generated by a CDS are logged and regularly analysed.
1523 0 Sep-18 - - S TS A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains.
0610 6 Apr-19 O P S TS Users are trained on the secure use of a CDS before access to the CDS is granted.
Firewalls
1528 1 Apr-19 O P S TS An evaluated firewall is used between official or classified networks and public network infrastructure.
0639 8 Apr-19 O P S TS An evaluated firewall is used between networks belonging to different security domains.
1194 2 Sep-18 O P S TS The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties.
0641 7 Sep-18 - - S TS In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network.
0642 7 Sep-18 - - S TS In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network.
Diodes
0643 5 Sep-18 O P - - An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure.
0645 5 Sep-18 - - S TS A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure.
1157 3 Sep-18 O P - - An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks.
1158 4 Sep-18 O P S TS A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above.
0646 4 Sep-18 - - S TS An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification.
0647 6 Sep-18 - - S TS An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification.
0648 3 Sep-18 O P S TS A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred.
Web content and connections
0258 3 Aug-19 O P S TS A web usage policy is developed and implemented.
0260 2 Sep-18 O P S TS All web access, including that by internal servers, is conducted through a web proxy.
0261 4 Sep-18 O P S TS A web proxy authenticates users and provides logging that includes the following details about websites accessed:
  • address (uniform resource locator)
  • time/date
  • user
  • amount of data uploaded and downloaded
  • internal and external IP addresses.
0263 5 Sep-18 O P S TS If permitting TLS through internet gateways, either of the following approaches is implemented:
  • a solution that decrypts and inspects TLS traffic as per content filtering security controls
  • a whitelist specifying the addresses (uniform resource locators) to which encrypted connections are permitted, with all other addresses blocked or decrypted and inspected as per content filtering security controls.
0996 5 Sep-18 O P S TS Legal advice is sought regarding the inspection of TLS traffic by internet gateways.
0958 5 Sep-18 O P S TS Whitelisting is implemented for all Hypertext Transfer Protocol (HTTP) traffic communicated through internet gateways.
0995 4 Sep-18 O P S TS If using a whitelist on internet gateways to specify the external addresses to which connections are permitted, it specifies whitelisted addresses by domain name or IP address.
1170 1 Sep-18 O P S TS If websites are not whitelisted, categories are implemented for all websites and prohibited and uncategorised websites are blocked.
0959 4 Sep-18 O P S TS If whitelisting of websites is not implemented, blacklisting of websites is implemented to prevent access to known malicious websites.
0960 4 Sep-18 O P S TS If blacklisting websites, the blacklist is updated on a daily basis to ensure that it remains effective.
1171 1 Sep-18 O P S TS Attempts to access a website through its IP address instead of through its domain name are blocked.
1236 1 Sep-18 O P S TS Dynamic domains and other domains where domain names can be registered anonymously for free are blocked.
0963 5 Sep-18 O P S TS A web content filter is used to filter potentially harmful web-based content.
0961 5 Sep-18 O P S TS Client-side active content, such as Java, is restricted to a whitelist of approved websites which may be the same as the HTTP whitelist or a separate active content whitelist.
1237 1 Sep-18 O P S TS Web content filtering controls are applied to outbound web traffic where appropriate.
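Worked example for the web proxy controls above (added here; not part of the ISM text and not an ACSC tool): one decision function that applies 0958/0995 (default deny with a whitelist keyed by domain name), 1171 (block access by IP address), 1236 (block dynamic DNS domains) and 0263 (decrypt and inspect TLS unless the destination is on the pass-through whitelist). The domain, pass-through and dynamic DNS lists are constructed for the example; 0995 also allows whitelisting by IP address, which this example leaves to the gateway's destination-address rules.

```python
import ipaddress
from collections import namedtuple
from urllib.parse import urlsplit

Decision = namedtuple("Decision", "action control decrypt")

# Constructed policy lists for the example; a real gateway loads these from its policy store.
WHITELIST = {"example.gov.au", "bank-example.com"}          # 0995: permitted by domain name
TLS_PASSTHROUGH = {"bank-example.com"}                      # 0263: encrypted connections not decrypted
DYNAMIC_DNS_SUFFIXES = {"dyn-example.net", "free-dns-example.org"}   # 1236


def _under(host, domains):
    """True if host equals an entry or is a subdomain of one; matches only at a label boundary,
    so notexample.gov.au does not match example.gov.au."""
    return any(host == d or host.endswith("." + d) for d in domains)


def _is_ip_literal(host):
    """IPv4, bracketed IPv6 (urlsplit strips the brackets) or a bare decimal such as
    3232235777, which browsers interpret as an IPv4 address."""
    if host.isdigit():
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(url):
    """Gateway decision for one requested URL: (action, violated control or None, decrypt TLS?)."""
    parts = urlsplit(url)
    # .hostname drops userinfo, so https://docs.example.gov.au@evil.example/ yields evil.example,
    # and it is already lowercased; a trailing dot is an FQDN marker that whitelists rarely carry.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return Decision("block", "0958", False)
    if _is_ip_literal(host):
        return Decision("block", "1171", False)
    if _under(host, DYNAMIC_DNS_SUFFIXES):
        return Decision("block", "1236", False)
    if not _under(host, WHITELIST):
        return Decision("block", "0958", False)
    if parts.scheme == "https":
        return Decision("allow", None, not _under(host, TLS_PASSTHROUGH))
    return Decision("allow", None, False)


if __name__ == "__main__":
    for u in ("https://docs.example.gov.au/ism", "https://portal.bank-example.com/login",
              "http://203.0.113.5/", "http://3232235777/", "https://payload.dyn-example.net/",
              "https://docs.example.gov.au@evil.example/", "https://notexample.gov.au/"):
        print(f"{u:48} {decide(u)}")
```

The `decrypt` flag is the hand-off to the TLS inspection solution in 0263; the pass-through list is where the outcome of the legal advice in 0996 (for instance, not decrypting users' banking sessions) is expressed in policy rather than in code.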
Peripheral switches
0591 6 Sep-18 O P - - An evaluated peripheral switch is used when sharing peripherals between official and classified systems.
1480 0 Sep-18 O P S TS A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems.
1457 2 Sep-18 - - S TS An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications.
0593 9 Apr-19 O P S TS An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains.
0594 4 Sep-18 - - S TS An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat.

Guidelines for Data Transfers and Content Filtering

Identifier Revision Updated Applicability Security Control Description
Data transfers
0663 5 Aug-19 O P S TS A data transfer process, and supporting data transfer procedures, is developed and implemented.
0661 7 Apr-19 O P S TS Users transferring data to and from a system are held accountable for the data they transfer.
0665 4 May-19 - - S TS Trusted sources are a strictly limited number of personnel that have been authorised as such by an organisation’s CISO.
0675 3 Sep-18 - - S TS A trusted source makes an informed decision to sign all data authorised for export from a security domain.
0664 5 Sep-18 - - S TS All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source.
0657 4 Sep-18 O P - - Data imported to a system is scanned for malicious and active content.
0658 4 Sep-18 - - S TS Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns.
1187 1 Sep-18 O P - - When exporting data, protective marking checks are undertaken.
0669 3 Sep-18 - - S TS When exporting data, the following activities are undertaken:
  • protective marking checks
  • data format checks and logging
  • monitoring to detect overuse/unusual usage patterns
  • limitations on data types and sizes
  • keyword searches on all textual data.
1535 1 Aug-19 - - S TS A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems.
0678 2 Sep-18 - - S TS When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator.
0667 4 Sep-18 O P S TS Data exported from each security domain, including through a gateway, is only permitted once the classification has been assessed including a protective marking check.
0660 5 Sep-18 - - S TS When importing data to each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly.
0673 5 Sep-18 - - S TS When exporting data out of each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly.
1294 1 Sep-18 O P S TS When importing content to a security domain, including through a gateway, monthly audits of the imported content are performed.
1295 1 Sep-18 O P S TS When exporting content out of a security domain, including through a gateway, monthly audits of the exported content are performed.
Content filtering
0659 4 Sep-18 O P S TS When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose.
1524 1 Dec-19 - - S TS Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed.
0651 4 Sep-18 O P S TS All suspicious, malicious and active content is blocked from entering a security domain.
0652 2 Sep-18 O P S TS Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator.
1389 1 Sep-18 O P S TS Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour.
1284 2 Oct-19 O P S TS Content validation is performed on all data passing through a content filter with content which fails content validation blocked.
1286 1 Sep-18 O P S TS Content conversion is performed for all ingress or egress data transiting a security domain boundary.
1287 1 Sep-18 O P S TS Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary.
1288 1 Sep-18 O P S TS Antivirus scanning, using multiple different scanning engines, is performed on all content.
1289 1 Sep-18 O P S TS The contents from archive/container files are extracted and subjected to content filter checks.
1290 1 Sep-18 O P S TS Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected.
1291 1 Sep-18 O P S TS Files that cannot be inspected are blocked and generate an alert or notification.
0649 5 Dec-19 O P S TS A whitelist of permitted content types is created and enforced based on business requirements and the results of a risk assessment.
1292 1 Sep-18 O P S TS The integrity of content is verified where applicable and blocked if verification fails.
0677 4 Sep-18 - - S TS If data is signed, the signature is validated before the data is exported.
1293 1 Sep-18 O P S TS All encrypted content, traffic and data is decrypted and inspected to allow content filtering.
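Worked example for controls 0649, 1289, 1290 and 1291 (added here; not part of the ISM text and not an ACSC tool): a content filter that recognises permitted types by magic bytes rather than file extension, extracts archive members and filters them recursively, and bounds that extraction with nesting, entry-count, total-size and compression-ratio limits so a decompression bomb cannot take the filter down. Encrypted or corrupt archives cannot be inspected and are blocked. The type whitelist, the limits and the sample submission are constructed for the example.

```python
import io
import zipfile

# Controlled-inspection limits (1290). These values are the example's, not the ISM's.
MAX_DEPTH = 3                       # archive levels that will be opened
MAX_TOTAL_BYTES = 8 * 1024 * 1024   # decompressed bytes allowed per submission
MAX_RATIO = 100                     # decompressed/compressed above this is treated as a bomb
MAX_ENTRIES = 500                   # members across all nested archives

# 0649: whitelist of permitted content types, identified by magic bytes (constructed list).
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
}


def identify(data):
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inspect(data, name="submission", depth=0, budget=None):
    """Return [(path, verdict, reason)] for a file and everything inside it.

    verdict is 'allow' or 'block'. Non-whitelisted types are blocked (0649), archive
    members are extracted and checked (1289) within the limits above (1290), and
    anything that cannot be inspected is blocked (1291).
    """
    if budget is None:
        budget = {"bytes": MAX_TOTAL_BYTES, "entries": MAX_ENTRIES}
    kind = identify(data)
    if kind is None:
        return [(name, "block", "type not whitelisted")]
    if kind != "zip":
        return [(name, "allow", kind)]
    if depth >= MAX_DEPTH:
        return [(name, "block", "nesting depth exceeded")]
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}/{info.filename}"
                if info.is_dir():
                    continue
                budget["entries"] -= 1
                if budget["entries"] < 0:
                    findings.append((path, "block", "entry limit exceeded"))
                    break
                if info.flag_bits & 0x1:       # general-purpose bit 0: member is encrypted
                    findings.append((path, "block", "encrypted, cannot inspect"))
                    continue
                # Both checks use the central-directory sizes, so they run before any
                # decompression; a lying header is caught by the CRC check on read.
                ratio = info.file_size / max(info.compress_size, 1)
                if ratio > MAX_RATIO:
                    findings.append((path, "block", f"compression ratio {ratio:.0f}"))
                    continue
                if info.file_size > budget["bytes"]:
                    findings.append((path, "block", "decompressed size budget exceeded"))
                    continue
                budget["bytes"] -= info.file_size
                findings.extend(inspect(zf.read(info), path, depth + 1, budget))
    except zipfile.BadZipFile:
        return [(name, "block", "corrupt archive, cannot inspect")]
    return findings


def overall_verdict(findings):
    """The whole submission is released only if every part was allowed (0651/0652)."""
    return "allow" if all(v == "allow" for _, v, _ in findings) else "block"


def build_sample():
    """Constructed submission: a PDF, an executable, a nested zip holding a PNG,
    a bomb-like member of zeros, and a zip nested one level past MAX_DEPTH."""
    def zip_bytes(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for member_name, member_data in members:
                zf.writestr(member_name, member_data)
        return buf.getvalue()
    level3 = zip_bytes([("doc.pdf", b"%PDF-1.7 deep")])
    level2 = zip_bytes([("l3.zip", level3)])
    level1 = zip_bytes([("l2.zip", level2)])
    return zip_bytes([
        ("report.pdf", b"%PDF-1.7 constructed report body"),
        ("tool.exe", b"MZ" + b"\x90" * 64),
        ("images.zip", zip_bytes([("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)])),
        ("zeros.bin", b"\x00" * (4 * 1024 * 1024)),
        ("nested.zip", level1),
    ])


if __name__ == "__main__":
    results = inspect(build_sample())
    for path, verdict, reason in results:
        print(f"{verdict:5} {path:45} {reason}")
    print("overall:", overall_verdict(results))
```

Content conversion or sanitisation (1286/1287) would sit where this example returns `allow` for a pdf or png; the filter above only decides what may proceed to those stages and what is dropped with an alert (1291).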
Date
December 4th, 2019