| Ctl | Rev | Update | Auth | Comply | Classification | Details |
---|
1 | 1203 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must identify and analyse security risks to their information and systems. |
---|
2 | 1204 | 1 | Feb-14 | AA | must | UD, P, C, S, TS | Security risks deemed unacceptable must be treated. |
---|
3 | 1205 | 1 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies must incorporate the controls contained in the Australian Government Information Security Manual in their security risk management processes. |
---|
4 | 1206 | 1 | Feb-14 | AA | must | UD, P, C, S, TS | Security risks deemed acceptable must be formally accepted by the responsible authority, as indicated for each control in this manual, and continually monitored by the agency. |
---|
5 | 1207 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should mitigate residual security risks through the implementation of alternative security measures. |
---|
6 | 0009 | 3 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must determine system specific security risks that could warrant additional controls to those specified in this manual. |
---|
7 | 1208 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must document identified information security risks, as well as the evaluation of those risks and mitigation strategies, in their Security Risk Management Plan. |
---|
8 | 0007 | 3 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies undertaking system design activities for in-house or outsourced projects must use the latest release of this manual for security requirements. |
---|
9 | 0008 | 4 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies must comply with additional or alternative controls as stipulated in device and scenario-specific guidance issued by ASD. |
---|
10 | 0001 | 5 | Feb-14 | ASD | must | UD, P, C, S, TS | For any control where the authority field is 'ASD', system owners must seek and be granted approval for non-compliance from the Director ASD in consultation with their accreditation authority. |
---|
11 | 1061 | 1 | Feb-14 | AA | must | UD, P, C, S, TS | System owners seeking approval for non-compliance with any control in this manual must be granted non-compliance from their accreditation authority. |
---|
12 | 1379 | 0 | Feb-14 | N/A | must | UD, P, C, S, TS | In circumstances where the agency head and accreditation authority roles are separate, the accreditation authority must ensure the agency head has appropriate oversight of the security risks being accepted on behalf of the agency. |
---|
13 | 0710 | 3 | Sep-12 | AA | must | UD, P, C, S, TS | System owners seeking approval for non-compliance with any control must document:
- the justification for non-compliance
- a security risk assessment
- the alternative mitigation measures to be implemented, if any.
|
---|
14 | 0711 | 4 | Sep-17 | AA | should | UD, P, C, S, TS | If a system processes, stores or communicates information from another agency, that agency should be consulted as part of seeking non-compliance with any control. |
---|
15 | 0713 | 5 | Apr-15 | AA | should | UD, P, C, S, TS | Agencies should provide a copy of their compliance and non-compliance reports to ASD. |
---|
16 | 0876 | 3 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must review decisions to grant non-compliance with any control, including the justification, any mitigation measures and security risks, at least every two years or when significant changes occur to ensure its continuing relevance, adequacy and effectiveness. |
---|
17 | 0003 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must retain a copy of decisions to grant non-compliance with any control from this manual. |
---|
18 | 0879 | 4 | Apr-15 | AA | should | UD, P, C, S, TS | Security personnel should familiarise themselves with the information security roles and services provided by Australian government agencies and bodies. |
---|
19 | 0873 | 4 | May-16 | AA | must | UD, P, C, S, TS | Agencies intending to use service providers not on ASD's Certified Cloud Services List (CCSL) must ensure that service providers are located in Australia. |
---|
20 | 1073 | 2 | Apr-15 | AA | must not | UD, P, C, S, TS | Agency data and computing environments must not be accessed, configured or administered from outside Australian borders by a service provider unless a contractual arrangement exists between the service provider and customer to do so. |
---|
21 | 1210 | 2 | Apr-15 | AA | must | UD, P, C, S, TS | The risks of using outsourced cloud services, including those in ASD's cloud computing advice, must be assessed and documented. |
---|
22 | 1395 | 1 | Sep-17 | AA | must | UD, P | Agencies must only use outsourced cloud services listed on ASD’s CCSL. |
---|
23 | 1396 | 0 | Apr-15 | ASD | must | UD, P | Agencies proposing to use outsourced cloud services not listed on ASD's CCSL must notify ASD in writing at the earliest opportunity and certainly before entering into or renewing a contract with a cloud service provider. |
---|
24 | 1397 | 0 | Apr-15 | ASD | must | C, S, TS | Agencies must notify ASD in writing at the earliest opportunity during the initial stages of considering using a cloud service and certainly prior to entering or renewing a contract with a cloud service provider. |
---|
25 | 0872 | 2 | Apr-15 | AA | must | UD, P, C, S, TS | Service providers' systems that are used to provide information technology services, including outsourced cloud services, must be accredited prior to handling government information. |
---|
26 | 0072 | 4 | Apr-15 | AA | must | UD, P, C, S, TS | Any measures associated with the protection of information entrusted to another party must be documented in contract provisions, a memorandum of understanding or equivalent formal agreement between parties. |
---|
27 | 1451 | 0 | Apr-15 | AA | should | UD, P, C, S, TS | When entering into a contract or other agreement for information technology services, agencies should explicitly retain contractual ownership over their data. |
---|
28 | 1452 | 0 | Apr-15 | AA | should | UD, P, C, S, TS | Agencies should perform a due diligence review of suppliers, including their country of origin, before obtaining software, hardware or services, to assess the potential increase to agency security risk profiles. |
---|
29 | 0714 | 3 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must appoint a senior executive, commonly referred to as the CISO, who is responsible for coordinating communication between security and business functions, as well as managing and understanding the application of controls and security risk management processes. |
---|
30 | 0013 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must designate an ITSM as the ITSA, to have responsibility for information technology security management across the agency. |
---|
31 | 0025 | 3 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should maintain an email address for their ITSA in the form of [email protected] |
---|
32 | 0741 | 3 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must appoint at least one executive, commonly referred to as an ITSM, to manage the day-to-day operations of information security within the agency, in line with the strategic directions provided by the CISO or equivalent. |
---|
33 | 0768 | 3 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must appoint at least one officer, commonly referred to as an ITSO, who is expert in administering and configuring a broad range of systems as well as analysing and reporting on information security issues. |
---|
34 | 1071 | 0 | Nov-10 | AA | must | UD, P, C, S, TS | Each system must have a system owner who is responsible for the operation of the system. |
---|
35 | 1072 | 0 | Nov-10 | AA | should | UD, P, C, S, TS | System owners should be a member of the Senior Executive Service or in an equivalent management position. |
---|
36 | 0027 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | System owners must obtain and maintain accreditation for their systems. |
---|
37 | 0039 | 3 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must have a document that fulfils the purpose of an ISP. |
---|
38 | 0040 | 1 | Sep-17 | AA | must | UD, P, C, S, TS | Every system must be covered by a document that fulfils the purpose of an SRMP. |
---|
39 | 0041 | 1 | Sep-17 | AA | must | UD, P, C, S, TS | Every system must be covered by a document that fulfils the purpose of an SSP. |
---|
40 | 0042 | 2 | Sep-17 | AA | should | UD, P, C, S, TS | SOPs should be developed for systems. |
---|
41 | 0043 | 2 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must develop, maintain and implement a document that fulfils the purpose of an IRP and any required supporting procedures. |
---|
42 | 0886 | 4 | Sep-17 | AA | should | UD, P, C, S, TS | Information security documentation should be developed by personnel with a good understanding of both the subject matter and the business requirements. |
---|
43 | 0044 | 3 | Sep-17 | AA | should | UD, P, C, S, TS | SRMP, SSP, SOPs and IRP should be logically connected and consistent for each system and with the ISP. |
---|
44 | 0787 | 1 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should create and maintain a document framework including a hierarchical listing of all information security documentation and their relationships. |
---|
45 | 0885 | 2 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should adopt the naming conventions provided in this manual for their information security documentation. |
---|
46 | 0046 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | When information security documentation development is outsourced, agencies should:
- review the documents for suitability
- retain control over the content
- ensure that all policy requirements are met.
|
---|
47 | 0047 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | All information security documentation should be formally approved by a person with an appropriate level of seniority and authority. |
---|
48 | 0887 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should ensure that:
- all high-level information security documentation is approved by the agency head or their delegate
- all system-specific documentation is approved by the system owner and an ITSM.
|
---|
49 | 1153 | 0 | Nov-10 | AA | should | UD, P, C, S, TS | Once information security documentation has been approved it should be published and communicated to all stakeholders. |
---|
50 | 0888 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should review information security documentation:
- at least annually
- in response to significant changes in the environment, business or system.
|
---|
51 | 1154 | 0 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should record the date of the most recent review on each information security document. |
---|
52 | 0049 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | The ISP should describe information security policies, standards and responsibilities. |
---|
53 | 0890 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | The ISP should cover topics such as:
- accreditation processes
- personnel responsibilities
- configuration control
- access control
- networking and connections with other systems
- physical security and media control
- emergency procedures and cyber security incident management
- change management
- information security awareness and training.
|
---|
54 | 0788 | 1 | Nov-10 | AA | should | UD, P, C, S, TS | The SRMP should contain a security risk assessment and a corresponding risk treatment strategy. |
---|
55 | 0893 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should incorporate their SRMP into their wider agency risk management plan. |
---|
56 | 0894 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should develop their SRMP in accordance with Australian or international standards for risk management. |
---|
57 | 0895 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must select controls from this manual to be included in the SSP based on the scope of the system with additional system specific controls being included as a result of the associated SRMP or higher level SSP. |
---|
58 | 0067 | 4 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must use the latest release of this manual when developing, and updating, their SSPs as part of accreditation and reaccreditation of their systems. |
---|
59 | 0051 | 3 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should develop SOPs for each of the following roles:
- ITSM
- ITSO
- system administrator
- user.
|
---|
60 | 0789 | 1 | Nov-10 | AA | should | UD, P, C, S, TS | The following procedures should be documented in the ITSM's SOPs (Topic: Procedures to be Included):
- Cyber security incidents: Reporting and managing cyber security incidents.
|
---|
61 | 0790 | 2 | Sep-12 | AA | should | UD, P, C, S, TS | The following procedures should be documented in the ITSO's SOPs (Topic: Procedures to be Included):
- Access control: Authorising access rights to applications and data
- Asset musters: Labelling, registering and mustering assets, including media
- Audit logs: Reviewing system audit trails and manual logs, particularly for privileged users
- Configuration control: Approving and releasing changes to the system software or configurations
- Cyber security incidents: Detecting potential cyber security incidents; Establishing the cause of any cyber security incident, whether accidental or deliberate; Actions to be taken to recover and minimise the exposure from a cyber security incident
- Data transfers: Managing the review of media containing information that is to be transferred off-site; Managing the review of incoming media for viruses or unapproved software
- ICT equipment: Managing the destruction of unserviceable ICT equipment and media
- System integrity audit: Reviewing user accounts, system parameters and access controls to ensure that the system is secure; Checking the integrity of system software; Testing access controls; Inspecting ICT equipment and cables
- System maintenance: Managing the ongoing security and functionality of system software, including: maintaining awareness of current software vulnerabilities, testing and applying software patches/updates/signatures, and applying appropriate hardening techniques
- User account management: Authorising new users.
|
---|
62 | 0055 | 2 | Sep-12 | AA | should | UD, P, C, S, TS | The following procedures should be documented in the system administrator's SOPs (Topic: Procedures to be Included):
- Access control: Implementing access rights to applications and data
- Configuration control: Implementing changes to the system software or configurations
- System backup and recovery: Backing up data, including audit logs; Securing backup tapes; Recovering from system failures
- User account management: Adding and removing users; Setting user privileges; Cleaning up directories and files when a user departs or changes roles.
|
---|
63 | 0056 | 3 | Sep-12 | AA | should | UD, P, C, S, TS | The following procedures should be documented in the user's SOPs (Topic: Procedures to be Included):
- Cyber security incidents: What to do in the case of a suspected or actual cyber security incident
- End of day: How to secure systems at the end of the day
- Media control: Procedures for handling and using media
- Passphrases: Choosing and protecting passphrases
- Temporary absence: How to secure systems when temporarily absent.
|
---|
64 | 0057 | 2 | Sep-12 | AA | should | UD, P, C, S, TS | ITSMs, ITSOs, system administrators and users should sign a statement that they have read and agree to abide by their respective SOPs. |
---|
65 | 0058 | 3 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must include, as a minimum, the following content in their IRP:
- broad guidelines on what constitutes a cyber security incident
- the minimum level of cyber security incident response and investigation training for users and system administrators
- the authority responsible for initiating investigations of a cyber security incident
- the steps necessary to ensure the integrity of evidence supporting a cyber security incident
- the steps necessary to ensure that critical systems remain operational
- how to formally report cyber security incidents.
|
---|
66 | 0059 | 3 | Sep-17 | AA | should | UD, P, C, S, TS | Agencies should include the following content in their IRP:
- clear definitions of the types of cyber security incidents that are likely to be encountered
- the expected response to each cyber security incident type
- the authority responsible for responding to cyber security incidents
- the criteria by which the responsible authority would initiate or request a formal investigation of a cyber security incident by a law enforcement agency, the Australian Cyber Security Centre or other relevant authority
- other authorities which need to be informed in the event of an investigation being undertaken
- the details of the system contingency measures or a reference to these details if they are located in a separate document.
|
---|
67 | 0062 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must include in evacuation procedures the requirement to secure information and systems before the evacuation; unless the chief warden, to avoid serious injury or loss of life, authorises personnel to evacuate immediately without securing information and systems. |
---|
68 | 1159 | 0 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should include in evacuation procedures the requirement to secure information and systems during the warning phase before the evacuation. |
---|
69 | 0118 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must determine availability requirements for their systems and implement appropriate security measures to support these requirements. |
---|
70 | 0119 | 5 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must:
- back up all information identified as critical to their business
- store backups of critical information, with associated documented recovery procedures, at a remote location secured in accordance with the requirements for the sensitivity or classification of the information
- test backup and restoration processes regularly to confirm their effectiveness
- ensure that backups cannot be maliciously modified/corrupted or deleted without appropriate authorisation.
|
---|
71 | 0913 | 3 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must develop a business continuity plan. |
---|
72 | 0914 | 2 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should develop a disaster recovery plan. |
---|
73 | 0791 | 3 | Sep-17 | AA | must | UD, P, C, S, TS | An accreditation framework must be developed and implemented. |
---|
74 | 0064 | 6 | Apr-15 | AA | must | UD, P, C, S, TS | Systems must be awarded accreditation before they are used to process, store or communicate sensitive or classified information. |
---|
75 | 0076 | 4 | Sep-17 | AA | must not | UD, P, C, S, TS | Systems must not process, store or communicate information above the sensitivity or classification for which the system has received accreditation. |
---|
76 | 0077 | 2 | Apr-15 | AA | must not | UD, P, C, S, TS | Systems must not process, store or communicate caveated or compartmented information unless specifically accredited for such purposes. |
---|
77 | 0793 | 1 | Nov-10 | AA | should | UD, P, C, S, TS | For multinational and multi-agency systems, the certification and accreditation authorities should be determined by a formal agreement between the parties involved. |
---|
78 | 1229 | 0 | Sep-12 | AA | must | UD, P, C, S | An agency's accreditation authority must be at least a senior executive with an appropriate level of understanding of the security risks they are accepting on behalf of the agency. |
---|
79 | 1230 | 1 | Feb-14 | ASD | must | TS | For TOP SECRET systems, the accreditation authority must be ASD. |
---|
80 | 0082 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | Before beginning the accreditation process, the system owner should advise the certification and accreditation authorities of their intent to seek certification and accreditation for their system. |
---|
81 | 0795 | 3 | Apr-15 | AA | must | UD, P, C, S, TS | All systems must undergo certification as part of the accreditation process; unless the accreditation authority is satisfied that if the system is not immediately operational it would have a devastating and potentially long-lasting effect on operations. |
---|
82 | 0808 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | The accreditation authority must accept the residual security risk to a system and the information it processes, stores or communicates in order to award accreditation. |
---|
83 | 0069 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should ensure that the period between accreditations of systems does not exceed two years. |
---|
84 | 0070 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must ensure that the period between accreditations of systems does not exceed three years. |
---|
85 | 1141 | 2 | Sep-17 | AA | must | UD, P, C, S, TS | All systems must undergo a security assessment as part of the certification process. |
---|
86 | 1142 | 1 | Sep-17 | AA | must | UD, P, C, S, TS | The certification authority must accept the effectiveness of security measures for the system in order to award certification. |
---|
87 | 0807 | 3 | Apr-15 | AA | should | UD, P, C, S, TS | The certification authority should produce a certification report for the accreditation authority outlining the security measures that have been implemented for a system and an assessment of the residual security risk relating to the system and the information that it processes, stores or communicates. |
---|
88 | 0100 | 7 | Sep-17 | AA | must | UD, P | Commercial or government-provided gateway services intended for use by multiple agencies must undergo an Information Security Registered Assessor Program (IRAP) security assessment and be awarded certification by ASD at least every two years. |
---|
89 | 1459 | 1 | Sep-17 | AA | must | UD, P | Cloud services storing, processing or communicating Australian government information must undergo an Information Security Registered Assessor Program security assessment and be awarded certification by ASD at least every two years. |
---|
90 | 0902 | 4 | Apr-15 | AA | should not | UD, P, C, S, TS | Assessors of systems should not also be the system owner or certification authority. |
---|
91 | 0797 | 3 | Sep-17 | AA | must | UD, P, C, S, TS | Before undertaking the security assessment, the system owner must approve the system architecture and associated documentation. |
---|
92 | 0904 | 4 | Sep-17 | AA | should | UD, P, C, S, TS | Before undertaking a security assessment the system owner should provide a statement of applicability for the system which includes:
- the version of this manual, and any complementary publications, used for determining security measures
- controls from this manual that are, and are not, applicable to the system
- controls from this manual that are applicable but are not being implemented (including the rationale behind these decisions)
- any additional security measures being implemented.
|
---|
93 | 0798 | 2 | Apr-15 | AA | must | UD, P, C, S, TS | The system architecture, including associated documentation, must be reviewed by the assessor to determine whether it is based on sound security principles. This includes:
- determining whether appropriate policies have been developed to protect information that is processed, stored or communicated by the system
- determining whether the SRMP, SSP, SOPs and IRP are comprehensive and appropriate for the environment the system is to operate in
- determining whether all relevant controls specified in this manual and supplementary publications are addressed.
|
---|
94 | 0805 | 2 | Apr-15 | AA | must | UD, P, C, S, TS | The security measures for the system must be reviewed by the assessor to determine whether they have been implemented and are operating effectively. |
---|
95 | 0806 | 2 | Apr-15 | AA | must | UD, P, C, S, TS | The assessor must ensure that, where applicable, a currently valid physical security certification has been awarded by an appropriate physical security certification authority. |
---|
96 | 1140 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | The assessor must produce a report for the certification authority outlining areas of non-compliance for a system and any suggested remediation actions. |
---|
97 | 1163 | 2 | Sep-17 | AA | should | UD, P, C, S, TS | Agencies should implement a vulnerability management strategy by:
- conducting vulnerability assessments on systems throughout their life cycle to identify vulnerabilities
- analysing identified vulnerabilities to determine their potential impact and appropriate mitigations or treatments based on effectiveness, cost and existing security controls
- using a risk-based approach to prioritise the implementation of identified mitigations or treatments
- monitoring information on new or updated vulnerabilities in operating systems, software and devices as well as other elements which may adversely impact on the security of a system.
|
---|
98 | 0909 | 5 | Sep-17 | AA | should | UD, P, C, S, TS | Agencies should have vulnerability assessments conducted by suitably skilled personnel independent of the target of the assessment or by an independent third party. |
---|
99 | 0911 | 5 | Sep-17 | AA | should | UD, P, C, S, TS | Agencies should conduct vulnerability assessments on systems:
- before the system is deployed, including conducting assessments during the system design and development stages
- after a significant change to the system
- after significant changes to the threats or risks faced by a system – for example, a software vendor announces a critical vulnerability in a product used by the agency
- at least annually, or as specified by an ITSM or the system owner.
|
---|
100 | 0112 | 2 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must analyse any vulnerabilities to determine their potential impact on the agency and determine appropriate mitigations or other treatments. |
---|
101 | 0113 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must mitigate or otherwise treat identified vulnerabilities as soon as possible. |
---|
102 | 1211 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must have a formal change management process in place. |
---|
103 | 0912 | 4 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should ensure their change management process includes:
- a policy which identifies which changes need to go through the formal change management process
- documenting the changes to be implemented
- formal approval of the change request
- maintaining and auditing logs of all changes
- conducting vulnerability management activities when significant changes have been made to the system
- testing and implementing the approved changes
- updating the relevant information security documentation including the SRMP, SSP and SOPs
- notifying and educating users of the changes that have been implemented as close as possible to the time the change is applied
- continually educating users in regard to changes.
|
---|
104 | 0115 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must ensure that for routine and urgent changes:
- the change management process, as defined in the relevant information security documentation, is followed
- the proposed change is approved by the relevant authority
- any proposed change that could impact the security of a system is submitted to the accreditation authority for approval
- all associated information security documentation is updated to reflect the change.
|
---|
105 | 0117 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | The change management process must define appropriate actions to be followed before and after urgent changes are implemented. |
---|
106 | 0809 | 1 | Nov-10 | AA | must | UD, P, C, S, TS | When a configuration change impacts the security of a system, and is subsequently assessed as having changed the overall security risk for the system, the system must undergo reaccreditation. |
---|
107 | 0120 | 3 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must develop, implement and maintain data sources, procedures and tools to ensure that:
- any security alerts generated by systems are investigated
- systems and data sources are able to be searched for key indicators of compromise including but not limited to IP addresses, domains and file hashes.
|
---|
108 | 0121 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should use the results of the security risk assessment to determine the appropriate balance of resources allocated to prevention as opposed to detection of cyber security incidents. |
---|
109 | 0123 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must direct personnel to report cyber security incidents to an ITSM as soon as possible after the cyber security incident is discovered. |
---|
110 | 0124 | 3 | Apr-15 | AA | should | UD, P, C, S, TS | Agencies should:
- encourage personnel to note and report any observed or suspected security weaknesses in, or threats to, systems or services
- establish and follow procedures for reporting software malfunctions
- put mechanisms in place to enable the types, volumes and costs of cyber security incidents and malfunctions to be quantified and monitored
- manage the violation of information security policies and procedures by personnel through a formal disciplinary process.
|
---|
111 | 0139 | 5 | Sep-17 | ASD | must | UD, P, C, S, TS | Agencies must report cyber security incidents to ASD. |
---|
112 | 0140 | 4 | Sep-17 | ASD | must | UD, P, C, S, TS | Agencies must formally report cyber security incidents using the CSIR scheme. |
---|
113 | 0141 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies that outsource their information technology services and functions must ensure that the service provider consults with the agency when a cyber security incident occurs. |
---|
114 | 0142 | 1 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must notify all communications security custodians of any suspected loss or compromise of keying material. |
---|
115 | 0143 | 6 | May-16 | ASD | must | UD, P, C, S, TS | Agencies must notify ASD of any suspected loss or compromise of High Assurance Cryptographic Equipment or keying material associated with High Assurance Cryptographic Equipment in accordance with ACSI 107. |
---|
116 | 0122 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must detail cyber security incident responsibilities and procedures for each system in the relevant SSP, SOPs and IRP. |
---|
117 | 0125 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should ensure that all cyber security incidents are recorded in a register. |
---|
118 | 0126 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should include, at a minimum, the following information in their register:
- the date the cyber security incident was discovered
- the date the cyber security incident occurred
- a description of the cyber security incident, including the personnel and locations involved
- the action taken
- to whom the cyber security incident was reported
- the file reference.
|
---|
119 | 0916 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should use their register as a reference for future security risk assessments. |
---|
120 | 0129 | 1 | Sep-09 | AA | must | UD, P, C, S, TS | When a data spill occurs agencies must assume that the information has been compromised. |
---|
121 | 0130 | 1 | Sep-09 | AA | must | UD, P, C, S, TS | Agencies must include in standard procedures for all personnel with access to systems a requirement that they notify an ITSM of any data spillage and access to any data which they are not authorised to access. |
---|
122 | 0131 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must document procedures for managing data spills in their IRP. |
---|
123 | 0132 | 2 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must treat any data spill as a cyber security incident and follow the IRP to manage it. |
---|
124 | 0133 | 0 | Sep-08 | AA | must | UD, P, C, S, TS | When a data spill occurs, agencies must report the details of the data spill to the information owner. |
---|
125 | 0134 | 1 | Nov-10 | AA | must not | UD, P, C, S, TS | When information is introduced onto a system not accredited to handle the information, personnel must not delete the information until advice is sought from an ITSM. |
---|
126 | 0135 | 3 | Feb-14 | AA | should not | UD, P, C, S, TS | When information is introduced onto a system not accredited to handle the information, personnel should not copy, print or email the information. |
---|
127 | 0136 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | When information is introduced onto a system not accredited to handle the information, agencies should segregate the affected system from the network. |
---|
128 | 0917 | 5 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should follow the steps described below when malicious code is detected:
- Isolate the infected system.
- Decide whether to request assistance from ASD, and if such assistance is requested and agreed to, delay any further action until advised by ASD to continue.
- Scan all previously connected systems, and any media used in a set period leading up to the cyber security incident, for malicious code.
- Isolate all infected systems and media to prevent reinfecting the system.
- Change all passwords and key material stored or potentially accessed from compromised systems.
- Advise users of any relevant aspects of the compromise, including changing all passphrases on the compromised systems and any other system that uses the same passphrase.
- Use current antivirus or other internet security software to remove the infection from the systems or media.
- Report the cyber security incident and perform any other activities specified in the IRP.
- Where possible, restore a compromised system from a known good backup or rebuild the affected machine.
|
---|
129 | 1212 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies considering allowing intrusion activity to continue under controlled conditions for the purpose of scoping the intrusion should inform their accreditation authority. |
---|
130 | 0137 | 1 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies considering allowing intrusion activity to continue under controlled conditions for the purpose of seeking further information or evidence must seek legal advice. |
---|
131 | 0138 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should:
- transfer a copy of raw audit trails onto media for secure archiving, as well as securing manual log records for retention
- ensure that all personnel involved in the investigation maintain a record of actions undertaken to support the investigation.
|
---|
132 | 0915 | 4 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should ensure that any requests for ASD assistance are made as soon as possible after the cyber security incident is detected and that no actions, which could affect the integrity of the evidence, are carried out before ASD's involvement. |
---|
133 | 1213 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should perform a post-incident analysis of successful intrusions, storing network traffic for at least seven days after the incident. |
---|
134 | 1214 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies operating sites in posts or missions located outside of Australia should contact the Department of Foreign Affairs and Trade to determine requirements. |
---|
135 | 0810 | 3 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must ensure that any facility containing a system, including deployable systems, is certified and accredited in accordance with the requirements of the Australian Government Physical Security Management Protocol. |
---|
136 | 0157 | 4 | Feb-14 | AA | must | UD, P, C, S | Agencies communicating sensitive or classified information over public network infrastructure or over infrastructure in unsecured spaces (Zone One security areas) must use encryption approved for communicating such information over public network infrastructure. |
---|
137 | 1358 | 1 | Apr-15 | ASD | must | TS | Agencies communicating TOP SECRET or codeword information outside a Zone Five security area boundary must encrypt information using High Assurance Cryptographic Equipment. |
---|
138 | 0164 | 1 | Sep-09 | AA | should | UD, P, C, S, TS | Agencies should prevent unauthorised people from observing systems, in particular, displays and keyboards. |
---|
139 | 1296 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must implement physical security measures to protect network devices, especially those in public areas, from physical damage or unauthorised access. |
---|
140 | 1053 | 1 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must ensure that servers and network devices are secured in either security containers or rooms as specified in the Australian Government Physical Security Management Protocol. |
---|
141 | 0813 | 2 | Sep-11 | AA | must not | UD, P, C, S, TS | Agencies must not leave server rooms, communications rooms and security containers or rooms in an unsecured state. |
---|
142 | 1074 | 1 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must ensure that keys or equivalent access mechanisms to server rooms, communications rooms and security containers or rooms are appropriately controlled. |
---|
143 | 0150 | 1 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies operating no-lone zones must suitably signpost the area and have all entry and exit points appropriately secured. |
---|
144 | 0159 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must account for all sensitive and classified ICT equipment and media. |
---|
145 | 0336 | 2 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must register all ICT equipment and media with a unique identifier in an appropriate register. |
---|
146 | 0161 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must ensure that ICT equipment and media with sensitive or classified information is secured in accordance with the requirements for storing sensitive or classified information in the Australian Government Physical Security Management Protocol. |
---|
147 | 0162 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies preventing the storage of sensitive or classified information on hard drives and enforcing scrubbing of the operating system's swap files and other temporary data at logoff or shutdown should:
- assess the security risks associated with such a practice
- in the SSP specify the processes and conditions for their application.
|
---|
148 | 0252 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must provide ongoing information security awareness and training for personnel on information security policies including topics such as responsibilities, consequences of non-compliance, and potential security risks and counter-measures. |
---|
149 | 0251 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must ensure that all personnel who have access to a system have sufficient information security awareness and training. |
---|
150 | 0253 | 2 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should align the exact degree and content of information security awareness and training to a person's roles and responsibilities. |
---|
151 | 0922 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should ensure that information security awareness and training includes:
- the purpose of the training or awareness program
- security appointments and contacts
- the legitimate use of system accounts, software and information
- the security of accounts, including shared passphrases
- security risks associated with unnecessarily exposing email addresses and other personal details
- authorisation requirements for applications, databases and data
- the security risks associated with non-agency systems, particularly the Internet
- reporting any suspected compromises or anomalies
- reporting requirements for cyber security incidents, suspected compromises or anomalies
- classifying, marking, controlling, storing and sanitising media
- protecting workstations from unauthorised access
- informing the support section when access to a system is no longer needed
- observing rules and regulations governing the secure operation and authorised use of systems.
|
---|
152 | 0255 | 4 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should ensure that information security awareness and training includes advice to personnel not to attempt to:
- physically damage systems
- bypass, strain or test security measures
- introduce or use unauthorised ICT equipment or software on a system
- assume the roles and privileges of others
- attempt to gain access to information for which they have no authorisation
- relocate ICT equipment without proper authorisation.
|
---|
153 | 0256 | 2 | Sep-12 | AA | must | TS | Agencies must provide all users with familiarisation training on the information security policies and procedures and the secure operation of the system before being granted unsupervised access to the system. |
---|
154 | 0432 | 3 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must specify in the SSP any authorisations, security clearances and briefings necessary for system access. |
---|
155 | 0405 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must:
- limit system access on a need-to-know basis
- have any requests for access to a system authorised by the person's manager
- provide personnel with the least amount of privileges needed to undertake their duties
- review system access and privileges at least annually and when personnel change roles
- when reviewing access, ensure a response from the person's manager confirming the need to access the system is still valid, otherwise access will be removed.
|
---|
156 | 0407 | 3 | Sep-17 | AA | should | UD, P, C, S, TS | Agencies should:
- maintain a secure record of:
  - all personnel authorised to access a system
  - their user identification
  - who provided the authorisation to access the system
  - when the authorisation was granted
  - when the access was last reviewed
  - when the access was removed
- maintain the record for the life of the system to which access is granted.
|
---|
157 | 0434 | 4 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must ensure that personnel undergo an appropriate employment screening, and where necessary hold an appropriate security clearance, according to the requirements in the Australian Government Personnel Security Management Protocol before being granted access to a system. |
---|
158 | 0435 | 1 | Sep-11 | AA | must | UD, P, C, S, TS | All personnel must have received any necessary briefings before being granted access to a system. |
---|
159 | 0440 | 4 | Sep-17 | AA | must | P, C, S, TS | Agencies must follow the requirements for temporary access to classified information in the Australian Government Personnel Security Management Protocol before granting personnel temporary access to a system. |
---|
160 | 0441 | 4 | Sep-12 | AA | must | P, C, S, TS | Agencies granting personnel temporary access to a system must ensure that either:
- effective controls are in place to restrict access to only information that is necessary to undertake their duties
- they are continually supervised by another user who has the appropriate security clearances to access the system.
|
---|
161 | 0442 | 4 | Sep-17 | AA | must | P, C, S, TS | Agencies must follow the requirements for temporary access to classified information in the Australian Government Personnel Security Management Protocol before granting personnel emergency access to a system. |
---|
162 | 0443 | 2 | Sep-11 | AA | must not | P, C, S, TS | Agencies must not grant personnel temporary access or emergency access to systems that process, store or communicate caveated or compartmented information. |
---|
163 | 0817 | 2 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must ensure personnel know how to report any suspicious contact and what suspicious contact is, especially contact from external sources using online services. |
---|
164 | 0818 | 3 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must make personnel aware of their online services and usages policies. |
---|
165 | 0819 | 1 | Sep-17 | AA | should | UD, P, C, S, TS | Agencies should implement measures to monitor their personnel’s compliance with the agency’s online services usage policies. |
---|
166 | 0820 | 3 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must ensure personnel are instructed to take special care not to post sensitive or classified information to public online services and how to report cases where such information is posted. |
---|
167 | 1146 | 1 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must ensure personnel posting information to online services maintain separate professional accounts from any personal accounts they have for online services. |
---|
168 | 1147 | 2 | Sep-17 | AA | should | UD, P, C, S, TS | Agencies should ensure personnel are aware of the approved online services where information authorised for release to the public domain can be posted. |
---|
169 | 0821 | 1 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should ensure that personnel are informed of the security risks associated with posting personal information on websites, especially for those personnel holding higher level security clearances. |
---|
170 | 1148 | 2 | Sep-17 | AA | should | UD, P, C, S, TS | Personnel should use the privacy settings on online services to restrict access to personal information they post to only those they authorise to view it. |
---|
171 | 0823 | 0 | Sep-09 | AA | should not | UD, P, C, S, TS | Agencies should not allow personnel to use peer-to-peer applications over the Internet. |
---|
172 | 0824 | 1 | Sep-11 | AA | should not | UD, P, C, S, TS | Agencies should not allow personnel to send or receive files via peer-to-peer applications. |
---|
173 | 0181 | 1 | Sep-09 | AA | must | UD, P, C, S, TS | Agencies must install all cables in accordance with the relevant Australian Standards as directed by the Australian Communications and Media Authority. |
---|
174 | 0926 | 4 | Sep-12 | AA | should | UD, P, C, S | Agencies should comply with the cable colours specified in the following table (System: Cable Colour):
- SECRET: Pink
- CONFIDENTIAL: Green
- PROTECTED: Blue
- Unclassified (DLM): Black or Grey
|
---|
175 | 0186 | 3 | Sep-12 | AA | must | UD, P, C, S, TS | In TOP SECRET areas, agencies must comply with the cable colours specified in the following table (System: Cable Colour):
- TOP SECRET: Red
- SECRET: Pink
- CONFIDENTIAL: Green
- PROTECTED: Blue
- Unclassified (DLM): Black or Grey
|
---|
176 | 0825 | 0 | Sep-09 | AA | should not | UD, P, C, S | Agencies should not allow cable colours for foreign systems installed in Australian facilities to be the same colour as cables used for Australian systems. |
---|
177 | 0827 | 0 | Sep-09 | AA | must not | TS | Agencies must not allow cable colours for foreign systems installed in Australian facilities to be the same colour as cables used for Australian systems. |
---|
178 | 0826 | 0 | Sep-09 | AA | should | UD, P, C, S | The cable colour to be used for foreign systems should be agreed between the host agency, the foreign system owner and the accreditation authority. |
---|
179 | 0828 | 0 | Sep-09 | AA | must | TS | The cable colour to be used for foreign systems must be agreed between the host agency, the foreign system owner and the accreditation authority. |
---|
180 | 1215 | 0 | Sep-12 | AA | must | UD, P, C, S | Agencies that are non-compliant with cable colouring must band cables with the classification colour at the inspection points. |
---|
181 | 1216 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | In TOP SECRET areas, no matter the classification of the system, agencies that are non-compliant with cable colouring must band and label the cables with the classification at the inspection points. |
---|
182 | 0187 | 4 | Sep-12 | AA | must not | UD, P, C, S, TS | Agencies must not deviate from the approved group combinations for cables as indicated below (Group: Approved Combination):
- Group 1: Unclassified (DLM), PROTECTED
- Group 2: CONFIDENTIAL, SECRET
- Group 3: TOP SECRET
|
---|
183 | 0189 | 1 | Nov-10 | AA | must | UD, P, C, S, TS | With fibre optic cables the fibres in the sheath, as shown below, must only carry a single group.[IMG-0] |
---|
184 | 0190 | 1 | Nov-10 | AA | must | UD, P, C, S, TS | If a fibre optic cable contains subunits, as shown below, each subunit must only carry a single group; however, each subunit in the cable can carry a different group.[IMG-1] |
---|
185 | 1098 | 0 | Nov-10 | AA | should | UD, P, C, S | Cables should terminate in either:
- individual cabinets
- one cabinet with a division plate to delineate classifications for small systems.
|
---|
186 | 1099 | 0 | Nov-10 | AA | must | UD, P, C, S | In TOP SECRET areas, cables must terminate in either:
- individual cabinets
- one cabinet with a division plate to delineate classifications for small systems.
|
---|
187 | 1100 | 0 | Nov-10 | AA | must | TS | TOP SECRET cables must terminate in an individual TOP SECRET cabinet. |
---|
188 | 1101 | 0 | Nov-10 | AA | should | UD, P, C, S, TS | Reticulation systems leading into cabinets in secured communications and server rooms should terminate as close as possible to the cabinet. |
---|
189 | 1102 | 0 | Nov-10 | AA | should | UD, P, C, S | Reticulation systems leading into cabinets not in a secure communications or server room should terminate as close as possible to the cabinet. |
---|
190 | 1103 | 0 | Nov-10 | AA | must | UD, P, C, S, TS | In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room must terminate at the boundary of the cabinet. |
---|
191 | 0198 | 1 | Nov-10 | AA | must | TS | When penetrating an audio secured space, agencies must consult with ASIO and comply with all directions provided. |
---|
192 | 1104 | 0 | Nov-10 | AA | must | UD, P, C, S | Cable groups sharing a wall outlet must:
- use fibre optic cables
- use different connectors on opposite sides of the wall outlet for each group.
|
---|
193 | 1105 | 0 | Nov-10 | AA | must not | TS | TOP SECRET cables must not share a wall outlet with another classification. |
---|
194 | 1106 | 0 | Nov-10 | AA | must | TS | In areas containing outlets for both TOP SECRET systems and systems of other classifications, agencies must ensure that the connectors for the TOP SECRET systems are different from those of the other systems. |
---|
195 | 1107 | 0 | Nov-10 | AA | must not | UD, P, C, S | Wall outlets must not be coloured red. |
---|
196 | 1108 | 0 | Nov-10 | AA | must | TS | Wall outlets must be coloured red. |
---|
197 | 1109 | 0 | Nov-10 | AA | should | UD, P, C, S | Faceplates on wall outlets should be clear plastic. |
---|
198 | 1110 | 0 | Nov-10 | AA | must | UD, P, C, S, TS | In TOP SECRET areas, faceplates on wall outlets must be clear plastic. |
---|
199 | 1111 | 0 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should use fibre optic cables. |
---|
200 | 1112 | 1 | Sep-11 | AA | should | UD, P, C, S, TS | Agency cables should be inspectable at a minimum of five-metre intervals. |
---|
201 | 1114 | 0 | Nov-10 | AA | should | UD, P, C, S, TS | Approved cable groups can share a common reticulation system but should have either a dividing partition or a visible gap between the differing cable groups. |
---|
202 | 1115 | 1 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should use flexible or plastic conduit in walls to run cables from cable trays to wall outlets. |
---|
203 | 1116 | 1 | Sep-11 | AA | should | TS | Agencies should ensure there is a visible gap between TOP SECRET cabinets and cabinets of a lower classification. |
---|
204 | 1117 | 0 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should use fibre optic cables. |
---|
205 | 1118 | 0 | Nov-10 | AA | should | UD, P, C, S | Cables should be inspectable at a minimum of five-metre intervals. |
---|
206 | 1119 | 0 | Nov-10 | AA | should | UD, P, C, S, TS | In TOP SECRET areas, cables should be fully inspectable for their entire length. |
---|
207 | 1120 | 0 | Nov-10 | AA | should | UD, P, C, S, TS | Approved cable groups can share a common reticulation system but should have either a dividing partition or a visible gap between the individual cable groups. |
---|
208 | 1121 | 0 | Nov-10 | AA | should | UD, P, C, S, TS | Cables from cable trays to wall outlets should run in flexible or plastic conduit. |
---|
209 | 1122 | 0 | Nov-10 | AA | should | TS | For wall penetrations that exit into a lower classified space, cables should be encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound. |
---|
210 | 1123 | 1 | Sep-12 | AA | should | TS | TOP SECRET facilities should have a power distribution board located in the TOP SECRET area with a feed from an Uninterruptible Power Supply (UPS) to power all ICT equipment. |
---|
211 | 1124 | 1 | Sep-11 | AA | should | TS | Agencies should ensure there is a visible gap between TOP SECRET cabinets and cabinets of a lower classification. |
---|
212 | 1125 | 0 | Nov-10 | AA | should | UD, P, C, S | Agencies should use fibre optic cables. |
---|
213 | 0182 | 1 | Nov-10 | AA | must | UD, P, C, S, TS | In TOP SECRET areas, agencies must use fibre optic cables. |
---|
214 | 1126 | 0 | Nov-10 | AA | should | UD, P, C, S, TS | Cables should be inspectable at a minimum of five-metre intervals. |
---|
215 | 0184 | 1 | Nov-10 | AA | must | UD, P, C, S, TS | In TOP SECRET areas, cables must be fully inspectable for their entire length. |
---|
216 | 1127 | 0 | Nov-10 | AA | should | UD, P, C, S | Approved cable groups can share a common reticulation system but should have either a dividing partition or a visible gap between the differing cable groups. |
---|
217 | 1128 | 0 | Nov-10 | AA | must | UD, P, C, S | In TOP SECRET areas, approved cable groups can share a common reticulation system but must have either a dividing partition or a visible gap between the differing cable groups. |
---|
218 | 1129 | 1 | Sep-11 | AA | must not | TS | TOP SECRET cables must not share a common reticulation system, unless it is in an enclosed reticulation system and has dividing partitions or visible gaps between the differing cable groups. |
---|
219 | 1130 | 1 | Sep-11 | AA | should | UD, P, C, S | Cables should be run in an enclosed cable reticulation system. |
---|
220 | 1131 | 1 | Sep-11 | AA | must | UD, P, C, S, TS | In TOP SECRET areas, cables must be run in an enclosed cable reticulation system. |
---|
221 | 1164 | 0 | Sep-11 | AA | should | UD, P, C, S | Conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings should be clear plastic. |
---|
222 | 1165 | 1 | Sep-12 | AA | must | UD, P, C, S, TS | In TOP SECRET areas, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings must be clear plastic. |
---|
223 | 1132 | 0 | Nov-10 | AA | must | UD, P, C, S, TS | Cables from cable trays to wall outlets must run in flexible or plastic conduit. |
---|
224 | 1133 | 0 | Nov-10 | AA | must not | TS | Cables must not run in a party wall. |
---|
225 | 0194 | 1 | Nov-10 | AA | must | TS | Agencies must use a visible smear of conduit glue to seal:
- all plastic conduit joints
- conduit runs connected by threaded lock nuts.
|
---|
226 | 0195 | 2 | Sep-11 | AA | must | TS | Agencies must use SCEC endorsed tamper evident seals to seal all removable covers on reticulation systems, including:
- box section front covers
- conduit inspection boxes
- outlet and junction boxes
- T-pieces.
|
---|
227 | 0196 | 1 | Nov-10 | AA | must | TS | Tamper evident seals must be uniquely identifiable. |
---|
228 | 1134 | 0 | Nov-10 | AA | must | TS | For wall penetrations that exit into a lower classified space, cables must be encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound. |
---|
229 | 1135 | 0 | Nov-10 | AA | must | TS | TOP SECRET facilities must have a power distribution board located in the TOP SECRET area with a feed from a UPS to power all ICT equipment. |
---|
230 | 1136 | 1 | Sep-11 | AA | must | TS | Agencies must ensure there is a visible gap between TOP SECRET cabinets and cabinets of a lower classification. |
---|
231 | 0201 | 1 | Nov-10 | AA | must | TS | Labels for TOP SECRET conduits must be:
- a minimum size of 2.5cm x 1cm
- attached at 5m intervals
- marked as 'TS RUN'.
|
---|
232 | 0202 | 1 | Nov-10 | AA | must | TS | Conduit labels in areas where uncleared personnel could frequently visit must have red text on a clear background. |
---|
233 | 0203 | 1 | Nov-10 | AA | must | TS | Conduit labels in areas that are not clearly observable must have red text on a white background. |
---|
234 | 0204 | 1 | Nov-10 | AA | should | UD, P, C, S, TS | Conduit labels installed in public or visitor areas should not draw undue attention from people who do not have a need-to-know of the existence of such cables. |
---|
235 | 1095 | 0 | Nov-10 | AA | should | UD, P, C, S | Wall outlet boxes should denote the classification, cable number and outlet number. |
---|
236 | 0205 | 1 | Nov-10 | AA | must | TS | Wall outlet boxes must denote the classification, cable number and outlet number. |
---|
237 | 0206 | 3 | Feb-14 | AA | should | UD, P, C, S, TS | Site conventions for labelling and registration should be documented in an agency's SOPs. |
---|
238 | 1096 | 0 | Nov-10 | AA | should | UD, P, C, S | Agencies should label cables at each end, with sufficient source and destination details to enable the physical identification and inspection of the cable. |
---|
239 | 0207 | 1 | Nov-10 | AA | must | TS | Agencies must label cables at each end, with sufficient source and destination details to enable the physical identification and inspection of the cable. |
---|
240 | 0208 | 0 | Sep-08 | AA | should | UD, P, C, S | Agencies should maintain a register of cables. |
---|
241 | 0210 | 1 | Nov-10 | AA | must | TS | Agencies must maintain a register of cables. |
---|
242 | 0209 | 2 | Nov-10 | AA | should | UD, P, C, S | The cable register should record at least the following information:
- cable identification number
- classification
- source
- destination
- site/floor plan diagram
- seal numbers if applicable.
|
---|
243 | 1097 | 0 | Nov-10 | AA | must | UD, P, C, S, TS | For cables in TOP SECRET areas, the cable register must record at least the following information:
- cable identification number
- classification
- source
- destination
- site/floor plan diagram
- seal numbers if applicable.
|
---|
244 | 0211 | 2 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should inspect cables for inconsistencies with the cable register in accordance with the frequency defined in the SSP. |
---|
245 | 0213 | 1 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must ensure that only approved cable groups terminate on a patch panel. |
---|
246 | 1093 | 1 | Sep-17 | AA | should | UD, P, C, S | In areas containing cables for systems of different classifications, connectors for each system should be different from those of the other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification. |
---|
247 | 0214 | 2 | Nov-10 | AA | must | TS | In areas containing cables for both TOP SECRET systems and systems of other classifications, agencies must ensure that the connectors for the TOP SECRET systems are different from those of the other systems. |
---|
248 | 1094 | 0 | Nov-10 | AA | should | UD, P, C, S | In areas containing cables for systems of different classifications, agencies should document the selection of connector types. |
---|
249 | 0215 | 2 | Nov-10 | AA | must | TS | In areas containing cables for both TOP SECRET systems and systems of other classifications, agencies must document the selection of connector types for TOP SECRET systems. |
---|
250 | 0216 | 1 | Nov-10 | AA | should | TS | Agencies should physically separate TOP SECRET and non-TOP SECRET patch panels by installing them in separate cabinets. |
---|
251 | 0217 | 3 | Sep-12 | AA | must | TS | Where spatial constraints demand patch panels of a lower classification than TOP SECRET be located in the same cabinet, agencies must:
- provide a physical barrier in the cabinet to separate patch panels
- ensure that only personnel holding a TOP SECRET security clearance have access to the cabinet
- obtain approval from the relevant accreditation authority prior to installation.
|
---|
252 | 0218 | 2 | Sep-17 | AA | should | TS | Agencies should ensure that the fibre optic fly leads used to connect wall outlets to ICT equipment either:
- do not exceed 5m in length, or
- if they exceed 5m in length, they:
  - are run in the facility's fixed infrastructure in a protective and easily inspected pathway
  - are clearly labelled at the equipment end with the wall outlet designator
  - are approved by the accreditation authority.
|
---|
253 | 0247 | 2 | Feb-14 | AA | must | C, S, TS | Agencies designing and installing systems with Radio Frequency (RF) transmitters inside or co-located with their facility must:
- contact ASD for an emanation security threat assessment in accordance with the latest version of ACSI 71
- install cables and ICT equipment in accordance with this manual plus any specific installation criteria derived from the emanation security threat assessment.
|
---|
254 | 0248 | 4 | Sep-17 | AA | must | UD, P, C, S | Agencies designing and installing systems with RF transmitters that will be co-located with systems of a higher classification must:
- contact ASD for an emanation security threat assessment in accordance with the latest version of ACSI 71
- install cables and ICT equipment in accordance with this manual, plus any specific installation criteria derived from the emanation security threat assessment.
|
---|
255 | 1137 | 1 | Feb-14 | AA | must | TS | Agencies designing and installing systems in shared facilities with non-Australian government entities must:
- contact ASD for an emanation security threat assessment in accordance with the latest version of ACSI 71
- install cables and ICT equipment in accordance with this manual plus any specific installation criteria derived from the emanation security threat assessment.
|
---|
256 | 0932 | 4 | Feb-14 | AA | should | UD, P | Agencies deploying systems overseas should:
- contact ASD for emanation security threat advice
- install cables and ICT equipment in accordance with this manual plus any specific installation criteria derived from the emanation security threat assessment.
|
---|
257 | 0249 | 2 | Feb-14 | AA | must | C, S, TS | Agencies deploying systems overseas in military and fixed locations must:
- contact ASD for an emanation security threat assessment in accordance with the latest version of ACSI 71
- install cables and ICT equipment in accordance with this manual plus any specific installation criteria derived from the emanation security threat assessment.
|
---|
258 | 0246 | 2 | Sep-17 | AA | should | UD, P, C, S, TS | Agencies needing an emanation security threat assessment should seek one as early as possible in project life cycles as emanation security controls can have significant cost implications. |
---|
259 | 0250 | 2 | Nov-10 | AA | must | TS | Agencies must ensure that ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility. |
---|
260 | 0221 | 1 | Nov-10 | AA | must not | TS | Wireless RF pointing devices must not be used in TOP SECRET areas unless used in an RF screened building. |
---|
261 | 0222 | 1 | Sep-09 | AA | should | UD, P | Agencies using infrared keyboards should ensure that infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space. |
---|
262 | 0223 | 3 | Sep-11 | AA | must not | C, S | Agencies using infrared keyboards must not allow:
- line of sight and reflected communications travelling into an unsecured space
- multiple infrared keyboards for different systems in the same area
- other infrared devices in the same area
- infrared keyboards to be operated in areas with unprotected windows.
|
---|
263 | 0224 | 3 | Sep-11 | AA | must not | TS | Agencies using infrared keyboards must not allow:
- line of sight and reflected communications travelling into an unsecured space
- multiple infrared keyboards for different systems in the same area
- other infrared devices in the same area
- infrared keyboards in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them.
|
---|
264 | 1058 | 0 | Nov-10 | AA | should not | UD, P | Agencies should not use Bluetooth and wireless keyboards unless in an RF screened building. |
---|
265 | 1155 | 0 | Nov-10 | AA | must not | C, S, TS | Agencies must not use Bluetooth and wireless keyboards unless in an RF screened building. |
---|
266 | 1166 | 0 | Sep-11 | AA | must | UD, P | Agencies must use Bluetooth version 2.1 or later if Bluetooth keyboards are used. |
---|
267 | 1167 | 0 | Sep-11 | AA | should | UD, P | Agencies should restrict the range of Bluetooth keyboards to less than 10 metres by only using class 2 or class 3 devices. |
---|
268 | 0830 | 0 | Sep-09 | AA | should | P, C, S | Agencies should prevent RF devices from being brought into secured spaces unless authorised by the accreditation authority. |
---|
269 | 0225 | 1 | Sep-09 | AA | must | TS | Agencies must prevent RF devices from being brought into TOP SECRET areas unless authorised by the accreditation authority. |
---|
270 | 0829 | 2 | Sep-11 | AA | should | C, S, TS | Agencies should deploy security measures to detect and respond to active RF devices in secured spaces. |
---|
271 | 0929 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should limit the effective range of communications outside their area of control by either:
- minimising the output power level of wireless devices
- RF shielding.
|
---|
272 | 0588 | 1 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must develop a policy governing the use of fax machines and MFDs. |
---|
273 | 1092 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must have separate fax machines or MFDs for sending classified and unclassified fax messages. |
---|
274 | 0241 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies sending sensitive or classified fax messages must ensure that the fax message is encrypted to an appropriate level when communicated over unsecured telecommunications infrastructure or the PSTN. |
---|
275 | 0242 | 4 | Feb-14 | ASD | must | C, S, TS | Agencies intending to use fax machines or MFDs to send classified information must comply with additional requirements in ACSI 129 and ACSI 131. |
---|
276 | 1075 | 0 | Nov-10 | AA | should | UD, P, C, S, TS | The sender of a fax message should make arrangements for the receiver to:
- collect the fax message as soon as possible after it is received
- notify the sender if the fax message does not arrive in an agreed amount of time.
|
---|
277 | 0244 | 3 | Sep-11 | AA | should not | UD | Agencies should not enable a direct connection from a MFD to a digital telephone network unless the telephone network is accredited to at least the same level as the computer network to which the device is connected. |
---|
278 | 0245 | 3 | Sep-11 | AA | must not | P, C, S, TS | Agencies must not enable a direct connection from a MFD to a digital telephone network unless the telephone network is accredited to at least the same level as the computer network to which the device is connected. |
---|
279 | 0590 | 3 | Apr-15 | AA | should | UD, P, C, S, TS | Where MFDs connected to computer networks have the ability to communicate via a gateway to another network, agencies should ensure that:
- each MFD applies user identification, authentication and audit functions for all information communicated by that device
- these mechanisms are of similar strength to those specified for workstations on that network
- each gateway can identify and filter the information in accordance with the requirements for the export of data via a gateway.
|
---|
280 | 0589 | 3 | Sep-11 | AA | must not | UD, P, C, S, TS | Agencies must not permit MFDs connected to computer networks to be used to copy documents above the sensitivity or classification of the connected network. |
---|
281 | 1036 | 2 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should ensure that fax machines and MFDs are located in an area where their use can be observed. |
---|
282 | 1078 | 0 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must develop a policy governing the use of telephones and telephone systems. |
---|
283 | 0229 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must advise personnel of the permitted sensitive or classified information that can be discussed on both internal and external telephone connections. |
---|
284 | 0230 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should advise personnel of the audio security risk posed by using telephones in areas where sensitive or classified conversations can occur. |
---|
285 | 0231 | 0 | Sep-08 | AA | should | UD, P, C, S, TS | Agencies permitting different levels of conversation for different kinds of connections should use telephones that give a visual indication of what kind of connection has been made. |
---|
286 | 0232 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies intending to use telephone systems for the transmission of sensitive or classified information must ensure that:
- the system has been accredited for the purpose
- all sensitive or classified traffic that passes over external systems is appropriately encrypted.
|
---|
287 | 0233 | 2 | Nov-10 | AA | must not | UD, P, C, S, TS | Agencies must not use cordless telephones for sensitive or classified conversations. |
---|
288 | 0234 | 0 | Sep-08 | AA | must not | UD, P, C, S, TS | Agencies must not use cordless telephones in conjunction with secure telephony devices. |
---|
289 | 0235 | 2 | Nov-10 | AA | must not | TS | Agencies must not use speakerphones on telephones in TOP SECRET areas unless:
- it is located in a room rated as audio secure
- the room is audio secure during any conversations
- only personnel involved in discussions are present in the room.
|
---|
290 | 0236 | 3 | Sep-11 | AA | should | UD, P, C, S | Agencies should ensure that off-hook audio protection features are used on all telephones that are not accredited for the transmission of sensitive or classified information in areas where such information could be discussed. |
---|
291 | 0931 | 3 | Sep-11 | AA | should | S | Agencies should use push-to-talk handsets in open areas, and where telephones are shared. |
---|
292 | 0237 | 2 | Nov-10 | AA | must | TS | Agencies must ensure that off-hook audio protection features are used on all telephones that are not accredited for the transmission of classified information in areas where such information could be discussed. |
---|
293 | 0238 | 0 | Sep-08 | AA | should | TS | Agencies should use push-to-talk handsets to meet the requirement for off-hook audio protection. |
---|
294 | 1353 | 5 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies, at a minimum, must implement the controls indicated in the following table on all systems able to receive emails or browse web content originating in a different security domain.
TOP 4 MITIGATION STRATEGIES (Mitigation strategy; Chapter and section of ISM; Control numbers):
- Application whitelisting; Software Security - Standard operating environments; 0843, 0846, 0955, 1391, 1392
- Patch applications; Software Security - Software Patching; 0300, 0303, 0304, 0940, 0941, 1143, 1144
- Patch operating systems; Software Security - Software Patching; 0300, 0303, 0304, 0940, 0941, 1143, 1144
- Restrict administrative privileges; Access Control - Privileged Access; 0445, 0985, 1175
- Restrict administrative privileges; Personnel Security for Systems - Authorisations, Security Clearances and Briefings; 0405
|
---|
295 | 1354 | 1 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must adopt a risk management approach and implement alternative security controls for:
- technologies that lack available software to enforce the mandatory controls
- scenarios or circumstances that prevent enforcement of the mandatory controls.
|
---|
296 | 1355 | 2 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies must provide information relating to implementation of the mandatory ISM controls upon request from ASD. |
---|
297 | 0279 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should select products that have their desired security functionality in the scope of the product's evaluation and are applicable to the intended environment. |
---|
298 | 0280 | 5 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must select a product with the required security functionality that has completed a Protection Profile evaluation in preference to one that has completed an EAL-based evaluation. |
---|
299 | 0282 | 5 | Apr-15 | AA | must not | UD, P, C, S, TS | Agencies must not use unevaluated products, unless the risks have been appropriately accepted and documented. |
---|
300 | 0463 | 3 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must check product evaluation documentation, where available, to determine any product specific requirements. |
---|
301 | 0464 | 3 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must comply with all product specific requirements outlined in product evaluation documentation. |
---|
302 | 0283 | 6 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies selecting High Assurance products must contact ASD and comply with any product specific requirements. |
---|
303 | 1342 | 2 | Apr-15 | AA | must | C, S, TS | Agencies must comply with specific guidance on High Assurance products for handling information classified CONFIDENTIAL and above. |
---|
304 | 1343 | 1 | Feb-14 | AA | must | UD, P, C, S, TS | When using products with converged elements, agencies must apply the relevant sections of this manual for each discrete element. |
---|
305 | 0285 | 0 | Sep-08 | AA | should | UD, P, C, S, TS | Agencies should ensure that products are delivered in a manner consistent with any delivery procedures defined in associated documentation. |
---|
306 | 0286 | 4 | Feb-14 | ASD | must | UD, P, C, S, TS | Agencies procuring High Assurance products must contact ASD and comply with any product specific delivery procedures. |
---|
307 | 0937 | 4 | Sep-17 | AA | should | UD, P, C, S, TS | Agencies should ensure that products purchased, without the delivery assurances provided through the use of formally evaluated procedures, are delivered in a manner that provides confidence that they receive the product that they expected to receive - and in an unaltered state. |
---|
308 | 0284 | 2 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should:
- verify the integrity of software using vendor supplied checksums when available
- validate the software's interaction with the operating system and network in a test environment prior to use on operational systems.
|
---|
309 | 0287 | 2 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should ensure that leasing agreements for products take into account the:
- difficulties that could be encountered when the product needs maintenance
- difficulties that could be encountered in sanitising a product before returning it
- the possible requirement for destruction if sanitisation cannot be performed.
|
---|
310 | 0938 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should choose products from developers that have made a commitment to the continuing maintenance of the assurance of their product. |
---|
311 | 0289 | 1 | Sep-09 | AA | should | UD, P, C, S, TS | Agencies should install, configure, operate and administer evaluated products in accordance with available documentation resulting from the product's evaluation. |
---|
312 | 0290 | 4 | Feb-14 | ASD | must | UD, P, C, S, TS | Agencies must ensure that High Assurance products are installed, configured, operated and administered in accordance with all product specific guidance produced by ASD. |
---|
313 | 0291 | 4 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies wishing to use an evaluated product in an unevaluated configuration must undertake a security risk assessment including:
- the necessity for the unevaluated configuration
- testing of the unevaluated configuration in the agency's environment
- documentation of any new vulnerabilities introduced due to the product being used outside of its evaluated configuration.
|
---|
314 | 0292 | 4 | Feb-14 | ASD | must not | UD, P, C, S, TS | High Assurance products must not be used in an unevaluated configuration. |
---|
315 | 0293 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must classify ICT equipment based on the sensitivity or classification of information for which the equipment and any associated media in the equipment are approved for processing, storing or communicating. |
---|
316 | 0294 | 3 | Apr-13 | AA | must | UD, P, C, S, TS | Agencies must clearly label all ICT equipment capable of storing information, with the exception of High Assurance products, with the appropriate protective marking. |
---|
317 | 1168 | 0 | Sep-11 | AA | must | UD, P, C, S, TS | When using non-textual protective markings for ICT equipment due to operational security reasons, agencies must document the labelling scheme and train personnel appropriately. |
---|
318 | 0296 | 3 | Feb-14 | ASD | must | UD, P, C, S, TS | Agencies must seek ASD authorisation before applying labels to external surfaces of High Assurance products. |
---|
319 | 1079 | 3 | Feb-14 | ASD | must | UD, P, C, S, TS | Agencies must have ASD approval before undertaking any repairs to High Assurance products. |
---|
320 | 0305 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Where possible, maintenance and repairs for ICT equipment should be carried out on-site by an appropriately cleared technician. |
---|
321 | 0307 | 1 | Nov-10 | AA | should | UD, P, C, S, TS | If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, agencies should sanitise and reclassify or declassify the equipment and associated media before maintenance or repair work is undertaken. |
---|
322 | 0306 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician must be escorted by someone who:
- is appropriately cleared and briefed
- takes due care to ensure that sensitive or classified information is not disclosed
- takes all responsible measures to ensure the integrity of the equipment
- has the authority to direct the technician.
|
---|
323 | 0308 | 1 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should ensure that the ratio of escorts to uncleared technicians allows for appropriate oversight of all activities. |
---|
324 | 0943 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician should be escorted by someone who is sufficiently familiar with the equipment to understand the work being performed. |
---|
325 | 0310 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies having ICT equipment maintained or repaired off-site must ensure that the physical transfer, processing and storage requirements are appropriate for the sensitivity or classification of the equipment and that procedures are complied with at all times. |
---|
326 | 0944 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies having ICT equipment maintained or repaired off-site should treat the equipment as per the requirements for the highest classification processed, stored or communicated in the area that the equipment will be returned to. |
---|
327 | 0313 | 2 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must have a documented process for the sanitisation and disposal of ICT equipment. |
---|
328 | 0311 | 4 | Apr-15 | AA | must | UD, P, C, S, TS | When disposing of ICT equipment containing sensitive or classified media, agencies must sanitise the equipment by either:
- sanitising the media within the equipment
- removing the media from the equipment, then sanitising or destroying the media individually and disposing of it separately
- destroying the equipment in its entirety.
|
---|
329 | 1217 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | When disposing of ICT equipment, agencies must remove labels and markings indicating the classification, code words, caveats, owner, system or network name, or any other marking that can associate the equipment with its original use. |
---|
330 | 0315 | 4 | Feb-14 | ASD | must | UD, P, C, S, TS | Agencies must contact ASD and comply with any requirements for the disposal of High Assurance products. |
---|
331 | 0321 | 2 | Feb-14 | ASD | must | UD, P, C, S, TS | Agencies must contact ASD and comply with any requirements for disposing of TEMPEST rated ICT equipment. |
---|
332 | 1218 | 0 | Sep-12 | AA | should | P, C, S, TS | ICT equipment and associated media that is located overseas and has processed or stored AUSTEO or AGAO information should be sanitised in situ where possible. |
---|
333 | 0312 | 3 | Sep-12 | AA | must | P, C, S, TS | ICT equipment and associated media that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised must be returned to Australia for destruction. |
---|
334 | 0316 | 1 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must formally authorise the disposal of ICT equipment, or waste, into the public domain. |
---|
335 | 1455 | 0 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must inspect printers and MFDs for the presence of memory devices and sanitise or destroy them. |
---|
336 | 0317 | 2 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must print at least three pages of random text with no blank areas on each colour printer cartridge or MFD print drum. |
---|
337 | 1219 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should inspect MFD print drums and image transfer rollers and:
- remove any remnant toner with a soft cloth
- destroy if there is remnant toner which cannot be removed
- destroy if a print is visible on the image transfer roller.
|
---|
338 | 1220 | 0 | Sep-12 | AA | must | P, C, S, TS | Agencies must inspect photocopier or MFD platens and destroy them if any images are retained on the platen. |
---|
339 | 1221 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must inspect all paper paths and remove all paper from the printer or MFD, including paper that may have jammed inside the unit. |
---|
340 | 0318 | 2 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies unable to sanitise printer cartridges or MFD print drums must destroy the cartridge or MFD print drum in accordance with the requirements for electrostatic memory devices. |
---|
341 | 0319 | 2 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must visually inspect televisions and computer monitors by turning up the brightness and contrast to the maximum level to determine if any information has been burnt into or persists on the screen. |
---|
342 | 1076 | 1 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must attempt to sanitise televisions and computer monitors with minor burn-in or image persistence by displaying a solid white image on the screen for an extended period of time. |
---|
343 | 1222 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must destroy televisions and computer monitors that cannot be sanitised. |
---|
344 | 1223 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | To sanitise network devices, agencies must sanitise the memory according to any available guidance provided by ASD or vendors. Agencies should use available guidance in the order of preference below:
- ASD EPL Consumer Guide
- any other ASD advice specific to the device
- vendor sanitisation guidance
- if guidance is unavailable, perform a full reset and loading of a dummy configuration file.
|
---|
345 | 1224 | 1 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies must sanitise or destroy memory (such as phone number directories and pages stored for transmission) from the fax machine. |
---|
346 | 1225 | 1 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should remove the paper tray of the fax machine and transmit an unclassified fax with a minimum length of four pages. The paper tray should then be re-installed to allow the fax summary page to be printed. |
---|
347 | 1226 | 1 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies must check fax machines to ensure no pages are trapped in the paper path due to a paper jam. |
---|
348 | 1359 | 0 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should have a removable media policy that includes:
- details of the authority for removable media within an agency
- media registration and accounting requirements
- media classification requirements
- the types of media permitted within the agency
- explicit cases where removable media is approved for use
- requirements for the use of media
- requirements for disposal of media.
|
---|
349 | 0322 | 0 | Sep-08 | AA | must | UD, P, C, S, TS | Agencies must document procedures for the reclassification and declassification of media. |
---|
350 | 0323 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must classify media to the highest sensitivity or classification stored on the media since any previous reclassification. |
---|
351 | 0325 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must classify any media connected to a system the same sensitivity or classification as the system, unless either:
- the media is read-only
- the media is inserted into a read-only device
- the system has a mechanism through which read-only access can be assured.
|
---|
352 | 0330 | 2 | Nov-10 | AA | must | P, C, S, TS | Agencies wishing to reclassify media to a lower classification must ensure that:
- the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised or destroyed
- a formal administrative decision is made to reclassify the media.
|
---|
353 | 0331 | 4 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must reclassify media if either:
- information copied onto the media is of a higher classification than the sensitivity or classification of the information already on the media, or
- information contained on the media is subjected to a classification upgrade.
|
---|
354 | 0332 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should label media with a marking that indicates the sensitivity or classification applicable to the information it stores; unless it is internally mounted fixed media and the ICT equipment containing the media is labelled. |
---|
355 | 0333 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must ensure that the sensitivity or classification of all media is easily visually identifiable. |
---|
356 | 0334 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | When using non-textual protective markings for media due to operational security reasons, agencies must document the labelling scheme and train personnel appropriately. |
---|
357 | 0335 | 3 | Sep-11 | AA | must | S | Agencies must label non-volatile media that has been sanitised and reclassified with a notice similar to: 'Warning: media has been sanitised and reclassified from SECRET to CONFIDENTIAL. Further lowering of classification only via destruction.' |
---|
358 | 0337 | 3 | Sep-11 | AA | must not | UD, P, C, S, TS | Agencies must not use media with a system that is not accredited to process, store or communicate the information on the media. |
---|
359 | 0338 | 5 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must ensure that sensitive or classified media meet the minimum physical security storage requirements in the Australian Government Protective Security Policy Framework. |
---|
360 | 0341 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must disable any automatic execution features in operating systems for connectable media. |
---|
361 | 0342 | 4 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must prevent unauthorised media from connecting to a system via the use of either:
- device access control or data loss prevention software, or
- physical means.
|
---|
362 | 0343 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should prevent media being written to, via the use of device access control or data loss prevention software, if there is no business need. |
---|
363 | 0344 | 3 | Sep-11 | AA | should | UD, P | Agencies should disable external interfaces on a system that allows DMA, if there is no business need. |
---|
364 | 0345 | 3 | Sep-11 | AA | must | C, S, TS | Agencies must disable external interfaces on a system that allows DMA, if there is no business need. |
---|
365 | 0831 | 4 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must ensure that media containing sensitive or classified information meet the minimum physical transfer requirements as specified in the Australian Government Protective Security Policy Framework. |
---|
366 | 0832 | 4 | May-16 | AA | must | UD, P, C, S, TS | Agencies must encrypt media with at least an ASD Approved Cryptographic Algorithm (AACA) if it is to be transferred through an area not certified and accredited to process the sensitivity or classification of the information on the media. |
---|
367 | 1059 | 3 | May-16 | AA | should | UD, P, C, S, TS | Agencies should encrypt media with at least an AACA even if being transferred through an area certified and accredited to process the sensitivity or classification of the information on the media. |
---|
368 | 0347 | 3 | Sep-11 | AA | should not | UD, P, C, S, TS | Agencies transferring data manually between two systems of different security domains, sensitivities or classifications should not use rewriteable media. |
---|
369 | 1169 | 0 | Sep-11 | AA | should not | S | Agencies should not permit any media that uses external interface connections in a SECRET area without prior written approval from the accreditation authority. |
---|
370 | 0346 | 3 | Sep-17 | AA | must not | TS | Agencies must not permit any media that use external interface connections in a TOP SECRET area without prior written approval from the accreditation authority. |
---|
371 | 0348 | 1 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must document procedures for the sanitisation of media including the verification approach taken. |
---|
372 | 0351 | 4 | Sep-17 | AA | must | UD, P | Agencies must sanitise volatile media by either:
- removing power from the media for at least 10 minutes
- overwriting all locations on the media with a random pattern followed by a read back for verification.
|
---|
373 | 0352 | 2 | Sep-11 | AA | must | C, S, TS | Agencies must sanitise volatile media by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, followed by removing power from the media for at least 10 minutes. |
---|
374 | 0353 | 4 | Sep-12 | AA | must | UD, P, C, S, TS | Following sanitisation, volatile media must be treated no less than as indicated below (Pre-Sanitisation Handling -> Post-Sanitisation Handling):
- TOP SECRET -> Unclassified (under certain circumstances)
- SECRET -> Unclassified
- CONFIDENTIAL -> Unclassified
- PROTECTED -> Unclassified
- Unclassified (DLM) -> Unclassified
|
---|
375 | 0835 | 2 | Sep-17 | AA | must not | TS | Volatile media must not be reclassified below TOP SECRET if the volatile media is either:
- stored sensitive, static data for an extended period of time, or
- had sensitive data repeatedly stored on or written to the same memory location for an extended period of time.
|
---|
376 | 0354 | 4 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must sanitise non-volatile magnetic media by:
- if pre-2001 or under 15 Gigabytes: overwriting the media at least three times in its entirety with a random pattern followed by a read back for verification.
- if post-2001 or over 15 Gigabytes: overwriting the media at least once in its entirety with a random pattern followed by a read back for verification.
|
---|
377 | 1065 | 1 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should reset the host protected area and device configuration overlay table of non-volatile magnetic hard disks prior to overwriting the media. |
---|
378 | 1066 | 2 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should overwrite the growth defects table (g-list) on non-volatile magnetic hard disks. |
---|
379 | 1067 | 2 | Apr-15 | AA | should | UD, P, C, S, TS | Agencies should use the ATA secure erase command, where available, for sanitising non-volatile magnetic hard disks in addition to using block overwriting software. |
---|
380 | 1068 | 0 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must boot from separate media to the media being sanitised to undertake the sanitisation process. |
---|
381 | 0356 | 4 | Sep-12 | AA | must | UD, P, C, S, TS | Following sanitisation, non-volatile magnetic media must be treated no less than as indicated below (Pre-Sanitisation Handling -> Post-Sanitisation Handling):
- TOP SECRET -> TOP SECRET
- SECRET -> CONFIDENTIAL
- CONFIDENTIAL -> Unclassified
- PROTECTED -> Unclassified
- Unclassified (DLM) -> Unclassified
|
---|
382 | 0357 | 4 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must sanitise non-volatile EPROM media by erasing in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification. |
---|
383 | 0836 | 1 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must sanitise non-volatile EEPROM media by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification. |
---|
384 | 0358 | 4 | Sep-12 | AA | must | UD, P, C, S, TS | Following sanitisation, non-volatile EPROM and EEPROM media must be treated no less than as indicated below (pre-sanitisation handling: post-sanitisation handling).
- TOP SECRET: TOP SECRET
- SECRET: CONFIDENTIAL
- CONFIDENTIAL: Unclassified
- PROTECTED: Unclassified
- Unclassified (DLM): Unclassified
|
---|
385 | 0359 | 2 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must sanitise non-volatile flash memory media by overwriting the media at least twice in its entirety with a random pattern, followed by a read back for verification. |
---|
386 | 0360 | 4 | Sep-12 | AA | must | UD, P, C, S, TS | Following sanitisation, non-volatile flash memory media must be treated no less than as indicated below (pre-sanitisation handling: post-sanitisation handling).
- TOP SECRET: TOP SECRET
- SECRET: SECRET
- CONFIDENTIAL: CONFIDENTIAL
- PROTECTED: Unclassified
- Unclassified (DLM): Unclassified
|
---|
387 | 0947 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should sanitise all media prior to reuse. |
---|
388 | 1464 | 0 | May-16 | AA | must | UD, P, C, S, TS | Agencies using cryptography suitable for reducing the handling requirements of media to unclassified must follow the sanitisation and post-sanitisation requirements stated in the product guide for the cryptography used. |
---|
389 | 1465 | 0 | May-16 | AA | must | UD, P, C, S, TS | Agencies using cryptography suitable for reducing the handling requirements of media to unclassified must follow vendor-issued instructions for sanitising the encrypted media when a product guide is not available. Sanitisation and post-handling requirements for non-encrypted media must then be followed. |
---|
390 | 1466 | 0 | May-16 | AA | must | UD, P, C, S, TS | Agencies using cryptography not suitable for reducing the handling requirements of media to unclassified must follow sanitisation processes and handling requirements for non-encrypted media. |
---|
391 | 0350 | 3 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies must destroy the following media types prior to disposal, as they cannot be sanitised:
- microform (i.e. microfiche and microfilm)
- optical discs
- printer ribbons and the impact surface facing the platen
- programmable read-only memory
- read-only memory
- faulty or other types of media that cannot be successfully sanitised.
|
---|
392 | 1347 | 1 | Sep-17 | AA | must | UD, P, C, S, TS | Where volatile media has undergone sanitisation but verification has failed and sensitive or classified information persists on the media, agencies must destroy the media, and handle the media at the sensitivity or classification of the information it contains until it is destroyed. |
---|
393 | 0363 | 0 | Sep-08 | AA | must | UD, P, C, S, TS | Agencies must document procedures for the destruction of media. |
---|
394 | 0364 | 1 | Nov-10 | AA | must | UD, P, C, S, TS | To destroy media, agencies must either:
- break up the media
- heat the media until it has either burnt to ash or melted
- degauss the media.
|
---|
395 | 0366 | 1 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must use one of the destruction methods shown below for each item.
- Electrostatic memory devices: Furnace / Incinerator Yes; Hammer Mill Yes; Disintegrator Yes; Grinder / Sander Yes; Cutting No; Degausser No
- Magnetic floppy disks: Furnace / Incinerator Yes; Hammer Mill Yes; Disintegrator Yes; Grinder / Sander No; Cutting Yes; Degausser Yes
- Magnetic hard disks: Furnace / Incinerator Yes; Hammer Mill Yes; Disintegrator Yes; Grinder / Sander Yes; Cutting No; Degausser Yes
- Magnetic tapes: Furnace / Incinerator Yes; Hammer Mill Yes; Disintegrator Yes; Grinder / Sander No; Cutting Yes; Degausser Yes
- Optical disks: Furnace / Incinerator Yes; Hammer Mill Yes; Disintegrator Yes; Grinder / Sander Yes; Cutting Yes; Degausser No
- Semiconductor memory: Furnace / Incinerator Yes; Hammer Mill Yes; Disintegrator Yes; Grinder / Sander No; Cutting No; Degausser No
|
---|
396 | 1160 | 0 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must employ degaussers certified by the National Security Agency/Central Security Service or the Government Communications Headquarters/Communications-Electronics Security Group for the purpose of degaussing media. |
---|
397 | 1360 | 0 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should check the field strength of the degausser at regular intervals when destroying media. |
---|
398 | 1361 | 0 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should use approved equipment when destroying media. |
---|
399 | 0368 | 5 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must, at minimum, store and handle the resulting media waste for all methods, except for furnace/incinerator and degausser, as indicated below. Each entry gives the initial media handling, followed by the waste handling for each screen aperture size that particles can pass through.
- TOP SECRET: less than or equal to 3mm Unclassified; less than or equal to 6mm CONFIDENTIAL; less than or equal to 9mm SECRET
- SECRET: less than or equal to 3mm Unclassified; less than or equal to 6mm PROTECTED; less than or equal to 9mm CONFIDENTIAL
- CONFIDENTIAL: less than or equal to 3mm Unclassified; less than or equal to 6mm Unclassified; less than or equal to 9mm PROTECTED
- PROTECTED: less than or equal to 3mm Unclassified; less than or equal to 6mm Unclassified; less than or equal to 9mm Unclassified
- Unclassified (DLM): less than or equal to 3mm Unclassified; less than or equal to 6mm Unclassified; less than or equal to 9mm Unclassified
|
---|
400 | 0361 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must use a degausser of sufficient field strength for the coercivity of the media. |
---|
401 | 0838 | 1 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must use a degausser capable of the magnetic orientation (longitudinal or perpendicular) of the media. |
---|
402 | 0362 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must comply with any product specific directions provided by product manufacturers and certification authorities. |
---|
403 | 0370 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must perform the destruction of media under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed. |
---|
404 | 0371 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Personnel supervising the destruction of media must:
- supervise the handling of the media to the point of destruction
- ensure that the destruction is completed successfully.
|
---|
405 | 0372 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must perform the destruction of accountable material under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed. |
---|
406 | 0373 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Personnel supervising the destruction of accountable media must:
- supervise the handling of the material to the point of destruction
- ensure that the destruction is completed successfully
- sign a destruction certificate.
|
---|
407 | 0839 | 1 | Nov-10 | AA | should not | UD, P, C, S, TS | Agencies should not outsource the destruction of TOP SECRET media or accountable material. |
---|
408 | 0840 | 2 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies outsourcing the destruction of media to an external destruction service must use a service that has been approved by ASIO-T4 Protective Security. |
---|
409 | 1069 | 1 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should sanitise media, if possible, prior to transporting it to an off-site location for destruction. |
---|
410 | 0374 | 0 | Sep-08 | AA | must | UD, P, C, S, TS | Agencies must document procedures for the disposal of media. |
---|
411 | 0329 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies declassifying media must ensure that:
- the media has been reclassified to an unclassified level either through an administrative decision, sanitisation or destruction
- a formal administrative decision is made to release the unclassified media, or its waste, into the public domain.
|
---|
412 | 0375 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must declassify all media prior to disposing of it into the public domain. |
---|
413 | 0378 | 2 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must dispose of media in a manner that does not draw undue attention to its previous sensitivity or classification. |
---|
414 | 1406 | 1 | Sep-17 | AA | must | UD, P, C, S, TS | When developing a workstation SOE, the Common Operating Environment Policy produced by the Department of Finance must be used. |
---|
415 | 1407 | 2 | Sep-17 | AA | should | UD, P, C, S, TS | The latest release of an operating system should be used for SOEs. |
---|
416 | 1408 | 2 | Sep-17 | AA | should | UD, P, C, S, TS | When developing a Microsoft Windows SOE, the 64-bit version of the operating system should be used. |
---|
417 | 1409 | 0 | Apr-15 | AA | should | UD, P, C, S, TS | When using a Microsoft Windows operating system, to harden its configuration agencies should use the applicable SOE Build Guideline from the Common Operating Environment Policy produced by the Department of Finance. |
---|
418 | 1467 | 0 | May-16 | AA | should | UD, P, C, S, TS | The latest releases of key business applications such as office productivity suites (e.g. Microsoft Office), PDF readers (e.g. Adobe Reader), web browsers (e.g. Microsoft Internet Explorer, Mozilla Firefox or Google Chrome), common web browser plugins (e.g. Adobe Flash), email clients (Microsoft Outlook) and software platforms (e.g. Oracle Java Platform and Microsoft .NET Framework) should be used within SOEs. |
---|
419 | 0383 | 5 | Sep-17 | AA | must | UD, P, C, S, TS | Default operating system accounts must be disabled, renamed or have their passphrase changed. |
---|
420 | 0380 | 6 | Sep-17 | AA | should | UD, P, C, S, TS | Unneeded operating system accounts, software, components, services and functionality should be removed or disabled. |
---|
421 | 1410 | 0 | Apr-15 | AA | must | UD, P, C, S, TS | Local administrator accounts must be disabled. |
---|
422 | 1469 | 0 | Sep-17 | AA | must | UD, P, C, S, TS | Unique domain accounts with local administrative privileges, but without domain administrative privileges, should be used for workstation and server management. |
---|
423 | 0382 | 4 | Apr-15 | AA | must not | UD, P, C, S, TS | Users must not have the ability to install, uninstall or disable software. |
---|
424 | 1345 | 2 | Sep-17 | AA | must | UD, P, C, S, TS | Devices must be prevented from simultaneously connecting to two different networks. |
---|
425 | 1411 | 1 | Sep-17 | AA | should | UD, P, C, S, TS | Any security functionality in applications should be enabled and configured for maximum security. |
---|
426 | 1470 | 0 | Sep-17 | AA | should | UD, P, C, S, TS | Any unrequired functionality in applications should be disabled. |
---|
427 | 1412 | 0 | Apr-15 | AA | should | UD, P, C, S, TS | Vendor guidance should be followed to assist in securely configuring their products. |
---|
428 | 0843 | 6 | Sep-17 | AA | must | UD, P, C, S, TS | An application whitelisting solution must be used within SOEs to restrict the execution of programs and DLLs to an approved set. |
---|
429 | 1413 | 1 | Sep-17 | AA | should | UD, P, C, S, TS | An application whitelisting solution should be used within SOEs to restrict the execution of scripts and installers to an approved set. |
---|
430 | 0845 | 6 | Sep-17 | AA | should | UD, P, C, S, TS | Users and system administrators should be restricted to executing a subset of approved programs, DLLs, scripts and installers based on their specific duties. |
---|
431 | 0846 | 5 | Apr-15 | AA | must not | UD, P, C, S, TS | Users and system administrators must not be allowed to temporarily or permanently disable, bypass or be exempt from application whitelisting mechanisms. |
---|
432 | 0955 | 4 | Sep-17 | AA | must | UD, P, C, S, TS | Application whitelisting must be implemented using at least one of the following methods:
- cryptographic hashes
- publisher certificates
- absolute paths
- parent folders.
|
---|
433 | 1471 | 0 | Sep-17 | AA | must | UD, P, C, S, TS | When implementing application whitelisting using publisher certificates, both publisher names and product names must be used for application whitelisting rules. |
---|
434 | 1392 | 0 | Apr-15 | AA | must | UD, P, C, S, TS | When implementing application whitelisting using absolute path rules, file system permissions must be configured to prevent users and system administrators from modifying files that are permitted to run. |
---|
435 | 1391 | 0 | Apr-15 | AA | must | UD, P, C, S, TS | When implementing application whitelisting using parent folder rules, file system permissions must be configured to prevent users and system administrators from adding or modifying files in authorised parent folders. |
---|
436 | 0957 | 4 | Sep-17 | AA | should | UD, P, C, S, TS | Application whitelisting solutions should be configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file. |
---|
437 | 1414 | 0 | Apr-15 | AA | must | UD, P, C, S, TS | The latest supported version of Microsoft's EMET must be used within Microsoft Windows SOEs. |
---|
438 | 1415 | 0 | Apr-15 | AA | should | UD, P, C, S, TS | Microsoft's EMET should be configured with both operating system mitigation measures and application-specific mitigation measures, e.g. using the Microsoft supplied recommended and popular software templates. |
---|
439 | 1341 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | HIPS should be used within SOEs. |
---|
440 | 1034 | 5 | Apr-15 | AA | must | UD, P, C, S, TS | HIPS must be used on high value servers, such as authentication servers (e.g. Active Directory Domain Controllers and RADIUS servers), DNS servers, web servers, file servers and email servers. |
---|
441 | 1416 | 1 | Sep-17 | AA | must | UD, P, C, S, TS | Software-based application firewalls must be used within SOEs to limit both inbound and outbound network connections. |
---|
442 | 1417 | 1 | Sep-17 | AA | must | UD, P, C, S, TS | Antivirus or internet security software must be used within SOEs. |
---|
443 | 1033 | 5 | Sep-17 | AA | must | UD, P, C, S, TS | Antivirus or internet security software must have:
- signature-based detection enabled and set to a high level
- heuristic-based detection enabled and set to a high level
- detection signatures checked for currency and updated on at least a daily basis
- automatic and regular scanning configured for all fixed disks and removable media.
|
---|
444 | 1390 | 1 | Apr-15 | AA | should | UD, P | Antivirus or internet security software should have reputation ratings enabled. |
---|
445 | 1418 | 0 | Apr-15 | AA | must | UD, P, C, S, TS | Endpoint device control software must be used within SOEs to prevent unauthorised removable media and devices from being used with workstations and servers. |
---|
446 | 1143 | 5 | Sep-17 | AA | must | UD, P, C, S, TS | A patch management strategy must be developed and implemented covering the patching of security vulnerabilities in operating systems, applications, drivers and hardware devices. |
---|
447 | 0297 | 4 | Sep-17 | AA | should | UD, P, C, S, TS | Relevant sources should be monitored for information about new security vulnerabilities and associated patches for operating systems, applications, drivers and hardware devices. |
---|
448 | 1144 | 8 | Sep-17 | AA | must | UD, P, C, S, TS | Security vulnerabilities in operating systems, applications, drivers and hardware devices assessed as extreme risk must be patched or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent 3rd parties, system owners or users. |
---|
449 | 0940 | 7 | Sep-17 | AA | must | UD, P, C, S, TS | Security vulnerabilities in operating systems, applications, drivers and hardware devices assessed as high risk must be patched or mitigated within two weeks of the security vulnerability being identified by vendors, independent 3rd parties, system owners or users. |
---|
450 | 1472 | 0 | Sep-17 | AA | must | UD, P, C, S, TS | Security vulnerabilities in operating systems, applications, drivers and hardware devices assessed as moderate or low risk must be patched or mitigated within one month of the security vulnerability being identified by vendors, independent 3rd parties, system owners or users. |
---|
451 | 0300 | 5 | Apr-15 | ASD | must | C, S, TS | High Assurance products must only be patched with ASD approved patches using methods and timeframes prescribed by ASD. |
---|
452 | 0298 | 5 | Apr-15 | AA | should | UD, P, C, S, TS | Where possible, a centralised and managed approach should be used to patch operating systems, applications, drivers and hardware devices. |
---|
453 | 0303 | 5 | Sep-17 | AA | must | UD, P, C, S, TS | An approach for patching operating systems, applications, drivers and hardware devices that ensures the integrity and authenticity of patches, as well as the processes used to apply them, must be used. |
---|
454 | 0941 | 7 | Sep-17 | AA | must | UD, P, C, S, TS | When patches are not available for security vulnerabilities, one or more of the following approaches must be implemented:
- resolve the security vulnerability by either:
  - disabling the functionality associated with the security vulnerability
  - asking the vendor for an alternative method of managing the security vulnerability
  - moving to a different product with a more responsive vendor
  - engaging a software developer to resolve the security vulnerability.
- prevent exploitation of the security vulnerability by either:
  - applying external input sanitisation (if an input triggers the exploit)
  - applying filtering or verification on output (if the exploit relates to an information disclosure)
  - applying additional access controls that prevent access to the security vulnerability
  - configuring firewall rules to limit access to the security vulnerability.
- contain exploitation of the security vulnerability by either:
  - applying firewall rules limiting outward traffic that is likely in the event of an exploitation
  - applying mandatory access control preventing the execution of exploitation code
  - setting file system permissions preventing exploitation code from being written to disk.
- detect exploitation of the security vulnerability by either:
  - deploying an intrusion detection system
  - monitoring logging alerts
  - using other mechanisms for the detection of exploits using the known security vulnerability.
|
---|
455 | 0304 | 4 | Apr-15 | AA | must | UD, P, C, S, TS | Operating systems, applications and hardware devices that are no longer supported by their vendors must be updated to a vendor supported version or replaced with an alternative vendor supported version. |
---|
456 | 0400 | 3 | Sep-17 | AA | should | UD, P, C, S, TS | Software development environments should be configured such that there are at least three environments covering development, testing and production. |
---|
457 | 1419 | 0 | Apr-15 | AA | should | UD, P, C, S, TS | New development and modifications of software should only take place in the development environment. |
---|
458 | 1420 | 1 | Sep-17 | AA | must not | UD, P, C, S, TS | Information in production environments must not be used in testing or development environments unless the testing or development environments are secured to the same security standard as the production environment. |
---|
459 | 1421 | 1 | Sep-17 | AA | should | UD, P, C, S, TS | The ability to transfer information between development, test and production environments should be strictly limited according to a defined and documented policy, with access granted only to users with a clear business requirement. |
---|
460 | 1422 | 2 | Sep-17 | AA | should | UD, P, C, S, TS | Unauthorised access to the authoritative source for software should be prevented. |
---|
461 | 1238 | 2 | Sep-17 | AA | should | UD, P, C, S, TS | Threat modelling and other secure design techniques should be used to ensure that threats to software and mitigations to these threats are identified. |
---|
462 | 0401 | 2 | Apr-15 | AA | should | UD, P, C, S, TS | Software developers should use secure programming practices when developing software, including:
- designing software to use the lowest privilege level needed to achieve its task
- denying access by default
- checking return values of all system calls
- validating all inputs
- following secure coding standards.
|
---|
463 | 1423 | 0 | Apr-15 | AA | should | UD, P, C, S, TS | Software developers should use platform-specific secure programming practices published by vendors when developing software. |
---|
464 | 0402 | 2 | Sep-17 | AA | should | UD, P, C, S, TS | Software should be tested for security vulnerabilities by an independent party as well as the software developer before it is used in a production environment. |
---|
465 | 1239 | 2 | Sep-17 | AA | should | UD, P, C, S, TS | Robust web application frameworks should be used to aid in the development of secure web applications. |
---|
466 | 1240 | 1 | Sep-17 | AA | must | UD, P, C, S, TS | Validation and/or sanitisation must be performed on all input handled by a web application. |
---|
467 | 1241 | 2 | Sep-17 | AA | must | UD, P, C, S, TS | Output encoding must be performed on all output produced by a web application. |
---|
468 | 1424 | 1 | Sep-17 | AA | should | UD, P, C, S, TS | Web browser-based security controls should be implemented for web applications in order to help protect the web application and its users. |
---|
469 | 0971 | 5 | Sep-17 | AA | should | UD, P, C, S, TS | For web application development, the Open Web Application Security Project guides to building secure web applications should be followed. |
---|
470 | 1243 | 2 | Sep-17 | AA | should | UD, P, C, S, TS | An accurate inventory of all deployed databases and their contents should be maintained and regularly audited. |
---|
471 | 1245 | 1 | Sep-17 | AA | should | UD, P, C, S, TS | All temporary installation files and logs should be removed after DBMS software has been installed. |
---|
472 | 1246 | 1 | Sep-17 | AA | should | UD, P, C, S, TS | DBMS software should be configured according to vendor guidance. |
---|
473 | 1247 | 1 | Sep-17 | AA | should | UD, P, C, S, TS | DBMS software features and stored procedures that are not required should be disabled or removed. |
---|
474 | 1248 | 1 | Sep-17 | AA | should | UD, P, C, S, TS | All sample databases should be removed from database servers. |
---|
475 | 1249 | 1 | Sep-17 | AA | must | UD, P, C, S, TS | DBMS software must be configured to run as a separate account with the minimum privileges needed to perform its functions. |
---|
476 | 1250 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | The account under which DBMS software runs must have limited access to non-essential areas of the database server's file system. |
---|
477 | 1251 | 1 | Sep-17 | AA | should | UD, P, C, S, TS | The ability of DBMS software to read local files from a server should be disabled. |
---|
478 | 1252 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | Passphrases stored in databases must be hashed with a strong hashing algorithm which is uniquely salted. |
---|
479 | 1256 | 2 | Sep-17 | AA | must | UD, P, C, S, TS | File-based access controls must be applied to database files. |
---|
480 | 1425 | 0 | Apr-15 | AA | should | UD, P, C, S, TS | Hard disks of database servers should be encrypted using full disk encryption. |
---|
481 | 0393 | 5 | Apr-15 | AA | must | UD, P, C, S, TS | Databases or their contents must be associated with protective markings. |
---|
482 | 1255 | 2 | Sep-17 | AA | should | UD, P, C, S, TS | Database users’ ability to access, insert, modify and remove content in databases should be restricted based on their work duties. |
---|
483 | 1258 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more highly classified information, database views in combination with database user access roles should be implemented. |
---|
484 | 1260 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | Default database administrator accounts must be disabled, renamed or have their passphrases changed. |
---|
485 | 1262 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | Database administrators must have unique and identifiable accounts. |
---|
486 | 1261 | 1 | Apr-15 | AA | should not | UD, P, C, S, TS | Database administrator accounts should not be shared across different databases. |
---|
487 | 1263 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | Database administrator accounts must be used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases. |
---|
488 | 1264 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Database administrator access should be restricted to defined roles rather than accounts with default administrative permissions, or all permissions. |
---|
489 | 1266 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | Anonymous database accounts must be removed. |
---|
490 | 1268 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | The need-to-know principle should be enforced through the application of minimum privileges, database views and database roles. |
---|
491 | 1269 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | Database servers and web servers should be functionally separated, either physically or virtually. |
---|
492 | 1270 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | Database servers that require network connectivity should be placed on a different network segment to an agency's workstations. |
---|
493 | 1271 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Network access controls should be implemented to restrict database servers' communications to strictly defined network resources such as web servers, application servers and storage area networks. |
---|
494 | 1272 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | If only local access to a database system is required, networking functionality of DBMS software should be disabled or directed to listen solely to the localhost interface. |
---|
495 | 1273 | 1 | Apr-15 | AA | must not | UD, P, C, S, TS | Test and development environments must not use the same database servers as production environments. |
---|
496 | 1274 | 3 | Sep-17 | AA | must not | UD, P, C, S, TS | Information in production databases must not be used in testing or development databases unless the testing or development environments are secured to the same security standard as the production environment. |
---|
497 | 1275 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | All queries to database systems from web applications must be filtered for legitimate content and correct syntax. |
---|
498 | 1276 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | Parameterised queries or stored procedures should be used for database interaction instead of dynamically generated queries. |
---|
499 | 1277 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | Sensitive or classified information communicated between database systems and web applications must be encrypted. |
---|
500 | 1278 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | Web applications should be designed to provide as little error information as possible to users about DBMS software and database schemas. |
---|
501 | 0264 | 1 | Sep-09 | AA | must | UD, P, C, S, TS | Agencies must have a policy governing the use of email. |
---|
502 | 0266 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must make personnel aware of their email usage policies. |
---|
503 | 0822 | 0 | Sep-09 | AA | should | UD, P, C, S, TS | Agencies should implement measures to monitor their personnel's compliance with email usage policies. |
---|
504 | 0267 | 5 | Apr-15 | AA | must not | UD, P, C, S, TS | Agencies must not allow personnel to access non-agency approved web-based email services from agency systems. |
---|
505 | 1340 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must ensure users are made aware of the social engineering threat, as well as methods to detect suspicious emails in their environment and processes to report these events. |
---|
506 | 0273 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | All official emails must have a protective marking. |
---|
507 | 0275 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Email protective markings must accurately reflect each element of an email, including attachments. |
---|
508 | 0278 | 4 | Sep-12 | AA | must | UD, P, C, S, TS | Where an unmarked email has originated outside the government, users must assess the information and determine how it is to be handled. |
---|
509 | 0852 | 1 | Nov-10 | AA | should not | UD, P, C, S, TS | Where an email is of a personal nature and does not contain government information, protective markings for official information should not be used. |
---|
510 | 0967 | 4 | Sep-12 | AA | should | UD, P, C, S, TS | Where an unmarked email has originated from an Australian or overseas government agency, users should contact the originator to determine how it is to be handled. |
---|
511 | 0968 | 4 | Sep-12 | AA | should | UD, P, C, S, TS | Where an email is received with an unknown protective marking from an Australian or overseas government agency, users should contact the originator to determine appropriate security measures. |
---|
512 | 1368 | 0 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies must prevent unmarked emails or emails marked with an unrecognised or invalid protective marking from being sent to the intended recipients by blocking the email at the email server. |
---|
513 | 1022 | 3 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should prevent unmarked emails or emails marked with an unrecognised or invalid protective marking from being sent to intended recipients by blocking the email at the workstation. |
---|
514 | 0565 | 2 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must configure email systems to reject, log and report inbound emails with protective markings indicating that the content of the email exceeds the sensitivity or classification of the receiving system. |
---|
515 | 1023 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should notify the intended recipient of any blocked emails. |
---|
516 | 0563 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must configure systems to block any outbound emails with a protective marking indicating that the content of the email exceeds the sensitivity or classification of the path over which the email would be communicated. |
---|
517 | 0564 | 1 | Sep-09 | AA | should | UD, P, C, S, TS | Agencies should configure systems to log every occurrence of a blocked email. |
---|
518 | 0270 | 3 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must comply with the current standard for the application of protective markings to emails as promulgated by the Department of Finance. |
---|
519 | 0969 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should configure systems so that the protective markings appear at the top and bottom of every page when the email is printed. |
---|
520 | 0271 | 1 | Sep-12 | AA | should not | UD, P, C, S, TS | Agencies should not allow a protective marking to be inserted into user generated emails without their intervention. |
---|
521 | 0272 | 2 | Sep-12 | AA | should not | UD, P, C, S, TS | Agencies providing a marking tool should not allow users to select protective markings that the system has not been accredited to process, store or communicate. |
---|
522 | 1089 | 2 | Sep-12 | AA | should not | UD, P, C, S, TS | Agencies providing a marking tool should not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email. |
---|
523 | 0269 | 1 | Sep-09 | AA | should | P, C, S, TS | Agencies should ensure that emails containing AUSTEO, AGAO or other nationality releasability marked information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed. |
---|
524 | 1024 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should only send notification of undeliverable, bounced or blocked emails to senders that can be verified via SPF or other trusted means. |
---|
525 | 0566 | 0 | Sep-08 | AA | must | UD, P, C, S, TS | Agencies must ensure that the requirements for blocking unmarked and outbound emails are also applied to automatically forwarded emails. |
---|
526 | 0567 | 2 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must disable open email relaying so that email servers will only relay messages destined for their domains and those originating from inside the domain. |
---|
527 | 0568 | 0 | Sep-08 | AA | should | UD, P, C, S, TS | Agencies should perform regular email server auditing, security reviews and vulnerability analysis activities. |
---|
528 | 0569 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should route email through a centralised email gateway. |
---|
529 | 0570 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Where backup or alternative email gateways are in place, additional email gateways must be maintained at the same standard as the primary email gateway. |
---|
530 | 0571 | 3 | Sep-12 | AA | must | UD, P, C, S, TS | Where users send email from outside their network, an authenticated and encrypted channel must be configured to allow email to be sent via the centralised email gateway. |
---|
531 | 0572 | 2 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must enable opportunistic TLS encryption as defined in IETF RFC 3207 on email servers that make incoming or outgoing email connections over public network infrastructure. |
---|
532 | 1234 | 1 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies must implement applicable content filtering controls on email attachments, as recommended in the Data Transfers and Content Filtering chapter of this manual. |
---|
533 | 0561 | 3 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies must block at the gateway:
- emails addressed to internal email aliases with source addresses located from outside the domain
- all emails arriving via an external connection where the source address uses an internal domain name.
|
---|
534 | 1057 | 1 | Sep-11 | AA | should | UD, P, C, S, TS | Email servers should strip active web addresses from emails and replace them with non-active versions. |
---|
535 | 0574 | 2 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must specify their mail servers using SPF or Sender ID. |
---|
536 | 1183 | 0 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should use a hard fail SPF record when specifying their mail servers. |
---|
537 | 1151 | 1 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should use SPF or Sender ID to verify the authenticity of incoming emails. |
---|
538 | 1152 | 1 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must block, mark or identify incoming emails that fail SPF checks in a manner that is visible to the email recipient. |
---|
539 | 0861 | 0 | Sep-08 | AA | should | UD, P, C, S, TS | Agencies should enable DKIM signing on all email originating from their domain. |
---|
540 | 1025 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should use DKIM in conjunction with SPF. |
---|
541 | 1026 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should verify DKIM signatures on emails received, taking into account that email distribution list software typically invalidates DKIM signatures. |
---|
542 | 1027 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies operating email distribution list software used by external senders should configure the software so that it does not break the validity of the sender's DKIM signature. |
---|
543 | 0413 | 4 | Apr-15 | AA | must | UD, P, C, S, TS | A set of policies and procedures covering user identification, authentication and authorisation must be developed and maintained, as well as communicated to and understood by users. |
---|
544 | 0414 | 2 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must ensure that all users are:
- uniquely identifiable
- authenticated on each occasion that access is granted to a system.
|
---|
545 | 0420 | 6 | Sep-17 | AA | must | P, C, S, TS | Where systems contain AUSTEO, AGAO or other nationality-based releasability marked information, agencies must ensure all users who are foreign nationals, including seconded foreign nationals, are uniquely identifiable. |
---|
546 | 0975 | 5 | Sep-17 | AA | should | P, C, S, TS | Agencies implementing security measures to identify users who are foreign nationals, including seconded foreign nationals, should ensure that identification measures include their specific nationality. |
---|
547 | 0973 | 4 | Sep-17 | AA | should not | UD, P, C, S | Agencies should not use shared non-user specific accounts. |
---|
548 | 0415 | 1 | Nov-10 | AA | must not | TS | Agencies must not use shared non user-specific accounts. |
---|
549 | 0416 | 2 | Apr-15 | AA | must | UD, P, C, S, TS | If agencies choose to allow shared non-user specific accounts, another method of attributing actions undertaken by such accounts to specific personnel must be implemented. |
---|
550 | 0417 | 3 | Sep-12 | AA | must not | UD, P, C, S, TS | Agencies must not use a numerical password (or personal identification number) as the sole method of authenticating a user. |
---|
551 | 0421 | 4 | Apr-15 | AA | must | UD, P, C, S | Agencies using passphrases as the sole method of authentication must enforce the following passphrase policy:
- a minimum length of 13 alphabetic characters with no complexity requirement; or
- a minimum length of 10 characters, consisting of at least three of the following character sets:
  - lowercase alphabetic characters (a-z)
  - uppercase alphabetic characters (A-Z)
  - numeric characters (0-9)
  - special characters.
|
---|
552 | 0422 | 4 | Apr-15 | AA | must | TS | Agencies using passphrases as the sole method of authentication must enforce the following passphrase policy:
- a minimum length of 15 alphabetic characters with no complexity requirement; or
- a minimum length of 11 characters, consisting of at least three of the following character sets:
  - lowercase alphabetic characters (a-z)
  - uppercase alphabetic characters (A-Z)
  - numeric characters (0-9)
  - special characters.
|
---|
553 | 1426 | 0 | Apr-15 | AA | must | UD, P, C, S, TS | When systems cannot be configured to enforce passphrase complexity requirements, passphrases must be checked by alternative means for compliance with passphrase policies. |
---|
554 | 0974 | 4 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should use multi-factor authentication for all users. |
---|
555 | 1173 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must use multi-factor authentication for:
- system administrators
- database administrators
- privileged users
- positions of trust
- remote access.
|
---|
556 | 1401 | 1 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies using passphrases as part of multi-factor authentication must ensure a minimum length of six alphabetic characters with no complexity requirement. |
---|
557 | 1357 | 0 | Feb-14 | AA | should | UD, P, C, S, TS | Where multi-factor authentication is implemented, none of the factors on their own should be useful for authentication on another system. |
---|
558 | 0423 | 2 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must:
- ensure that passphrases are changed at least every 90 days
- prevent passphrases from being changed by the user more than once a day
- prevent passphrases from being reused within eight passphrase changes
- prevent the use of sequential passphrases where possible
- prevent passphrases being stored in cleartext.
|
---|
559 | 1403 | 0 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must ensure accounts are locked after a maximum of five failed logon attempts. |
---|
560 | 0976 | 3 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must ensure users provide sufficient evidence to verify their identity when requesting a passphrase reset for their system account. |
---|
561 | 1227 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must ensure reset passphrases are:
- random for each individual reset
- not reused when resetting multiple accounts
- not based on a single dictionary word
- not based on another identifying factor, such as the user's name or the date.
|
---|
562 | 1055 | 1 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must disable LAN Manager for passphrase authentication on workstations and servers. |
---|
563 | 0418 | 2 | Sep-17 | AA | must | UD, P, C, S, TS | Authentication information must be stored separately from a system to which it grants access. |
---|
564 | 1402 | 0 | Apr-15 | AA | must | UD, P, C, S, TS | Authentication information stored on a system must be protected. |
---|
565 | 0419 | 2 | Apr-15 | AA | must | UD, P, C, S, TS | Authentication information must be protected when communicated across networks. |
---|
566 | 0428 | 5 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must configure systems with a session or screen lock that:
- activates either after a maximum of 15 minutes of user inactivity or if manually activated by the user
- completely conceals all information on the screen
- ensures that the screen does not enter a power saving state before the screen or session lock is activated
- requires the user to reauthenticate to unlock the system
- denies users the ability to disable the session or screen locking mechanism.
|
---|
567 | 0430 | 4 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must remove or suspend accounts on the same day a user no longer has a legitimate business requirement for its use. |
---|
568 | 1404 | 0 | Apr-15 | AA | should | UD, P, C, S, TS | Agencies should remove or suspend accounts after one month of inactivity. |
---|
569 | 0431 | 1 | Nov-10 | AA | should | C, S, TS | Agencies should ensure that repeated account lockouts are investigated before reauthorising access. |
---|
570 | 0408 | 3 | Apr-15 | AA | should | UD, P, C, S, TS | Systems should have a logon banner that requires a user to acknowledge and accept their security responsibilities before access to the system is granted. |
---|
571 | 0979 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should seek legal advice on the exact wording of logon banners. |
---|
572 | 0980 | 5 | Feb-14 | AA | should | UD, P, C, S, TS | Logon banners should explicitly state conditions of access to a system, including:
- access is restricted to authorised users
- acceptable usage and information security policies
- the user's agreement to abide by above-mentioned policies
- informing the user of activity monitoring and auditing
- legal ramifications of violating the relevant policies
- a point of contact for questions on these conditions.
|
---|
573 | 0078 | 3 | Apr-15 | AA | must | P, C, S, TS | Systems processing, storing or communicating AUSTEO or AGAO information must remain at all times under the control of an Australian national working for or on behalf of the Australian Government. |
---|
574 | 0854 | 3 | Apr-15 | AA | must not | P, C, S, TS | Agencies must not allow access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government. |
---|
575 | 0409 | 3 | Apr-15 | AA | must not | P, C, S, TS | Foreign nationals, including seconded foreign nationals, must not have access to systems that process, store or communicate AUSTEO information unless effective controls and procedures are in place to ensure AUSTEO information is not accessible to them. |
---|
576 | 0411 | 3 | Apr-15 | AA | must not | P, C, S, TS | Foreign nationals, excluding seconded foreign nationals, must not have access to systems that process, store or communicate AGAO information unless effective controls and procedures are in place to ensure AGAO information is not accessible to them. |
---|
577 | 0816 | 2 | Apr-15 | AA | must not | UD, P, C, S, TS | Foreign nationals, including seconded foreign nationals, must not have access to systems that process, store or communicate information with national releasability markings unless effective controls and procedures are put in place to ensure information that is not marked as releasable to their nation is not accessible to them. |
---|
578 | 0856 | 3 | Apr-15 | AA | must | UD, P, C, S, TS | Users' authorisations must be enforced by access controls. |
---|
579 | 1175 | 2 | May-16 | AA | must | UD, P, C, S, TS | Agencies must prevent users from using privileged accounts to read emails, open attachments, browse the Web or obtain files via internet services such as instant messaging or social media. |
---|
580 | 0445 | 5 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must restrict the use of privileged accounts by ensuring that:
- the use of privileged accounts is controlled and auditable
- system administrators are assigned a dedicated account to be used solely for the performance of their administration tasks
- privileged accounts are kept to a minimum
- privileged accounts are used for administrative work only
- passphrases for privileged accounts are regularly audited to check they meet passphrase selection requirements
- passphrases for privileged accounts are regularly audited to check the same passphrase is not being reused over time or for multiple accounts (particularly between privileged and unprivileged accounts)
- privileges allocated to privileged accounts are regularly reviewed.
|
---|
581 | 0446 | 1 | Sep-09 | AA | must not | P, C, S, TS | Agencies must not allow foreign nationals, including seconded foreign nationals, to have privileged access to systems that process, store or communicate AUSTEO information. |
---|
582 | 0447 | 1 | Sep-09 | AA | must not | P, C, S, TS | Agencies must not allow foreign nationals, excluding seconded foreign nationals, to have privileged access to systems that process, store or communicate AGAO information. |
---|
583 | 0448 | 4 | Apr-15 | AA | should not | UD, P, C, S, TS | Agencies should not allow foreign nationals, excluding seconded foreign nationals, to have privileged access to systems that process, store or communicate sensitive or classified information. |
---|
584 | 0985 | 5 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must conduct the remote administration of systems, including the use of privileged accounts, over a secure communications medium from secure devices. |
---|
585 | 0580 | 4 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must develop an event logging strategy covering:
- logging facilities, including availability requirements and the reliable delivery of event logs to logging facilities
- the list of events associated with a system or software component to be logged
- event log protection and retention requirements.
|
---|
586 | 1405 | 0 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must implement a secure centralised logging facility. |
---|
587 | 1344 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must ensure systems are configured to save event logs to the secure centralised logging facility. |
---|
588 | 0587 | 2 | Apr-15 | AA | should | UD, P, C, S, TS | Agencies should save event logs to the secure centralised logging facility as soon as possible after each event occurs. |
---|
589 | 0988 | 4 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must establish an accurate time source, and use it consistently across systems to assist with the correlation of events. |
---|
590 | 0582 | 4 | Apr-15 | AA | should | UD, P, C, S | Agencies should log, at minimum, the following events for all software components:
- all privileged operations
- successful and failed elevation of privileges
- security related system alerts and failures
- user and group additions, deletions and modification to permissions
- unauthorised access attempts to critical systems and files.
|
---|
591 | 0583 | 3 | Apr-15 | AA | must | TS | Agencies must log, at minimum, the following events for all software components:
- all privileged operations
- successful and failed elevation of privileges
- security related system alerts and failures
- user and group additions, deletions and modification to permissions
- unauthorised access attempts to critical systems and files.
|
---|
592 | 1176 | 1 | Sep-12 | AA | should | UD, P | Agencies should log the following events for any system requiring authentication:
- logons
- failed logon attempts
- logoffs.
|
---|
593 | 0584 | 1 | Sep-12 | AA | must | C, S, TS | Agencies must log the following events for any system requiring authentication:
- logons
- failed logon attempts
- logoffs.
|
---|
594 | 0987 | 5 | Apr-15 | AA | should | UD, P, C, S, TS | The events listed below should be logged. Software component and events to log:
- Database:
  - Access to particularly sensitive information
  - Addition of new users, especially privileged users
  - Any query containing comments
  - Any query containing multiple embedded queries
  - Any query or database alerts or failures
  - Attempts to elevate privileges
  - Attempted access that is successful or unsuccessful
  - Changes to the database structure
  - Changes to user roles or database permissions
  - Database administrator actions
  - Database logons and logoffs
  - Modifications to data
  - Use of executable commands e.g. xp_cmdshell
- Operating system:
  - Access to sensitive data and processes
  - Application crashes including any error messages
  - Attempts to use special privileges
  - Changes to accounts
  - Changes to security policy
  - Changes to system configuration data
  - DNS and HTTP requests
  - Failed attempts to access data and system resources
  - Service failures and restarts
  - Successful and failed attempts to logon and logoff
  - System startup and shutdown
  - Transfer of data to external media
  - User or group management
  - Use of special privileges
- Web application:
  - Attempted access that is denied
  - Search queries initiated by users
  - User access to a web application
  - Web application crashes including any error messages
|
---|
595 | 0585 | 3 | Apr-15 | AA | must | UD, P, C, S, TS | For each event logged, agencies must ensure that the logging facility records the following details, where applicable:
- date and time of the event
- relevant users or process
- event description
- success or failure of the event
- event source e.g. application name
- ICT equipment location/identification.
|
---|
596 | 0586 | 3 | Apr-15 | AA | must | UD, P, C, S, TS | Event logs must be protected from modification and unauthorised access, and whole or partial loss within the defined retention period. |
---|
597 | 0989 | 4 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should ensure that event log data is archived in a manner that maintains its integrity. |
---|
598 | 0859 | 1 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must retain event logs for a minimum of 7 years after action is completed in accordance with the NAA's Administrative Functions Disposal Authority. |
---|
599 | 0991 | 3 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should retain DNS and proxy logs for at least 18 months. |
---|
600 | 0109 | 4 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must develop, document and implement event log auditing requirements covering:
- the scope of audits
- the audit schedule
- what constitutes a violation of information security policy
- action to be taken when violations are detected
- reporting requirements
- specific responsibilities.
|
---|
601 | 1228 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | Agencies should correlate events across event logs to prioritise audits and focus investigations. |
---|
602 | 1380 | 2 | Sep-17 | AA | should | UD, P | Privileged users should use a dedicated workstation when performing privileged tasks. |
---|
603 | 1473 | 0 | Sep-17 | AA | must | C, S, TS | Privileged users must use a dedicated workstation when performing privileged tasks. |
---|
604 | 1381 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must ensure that dedicated workstations used for privileged tasks are prevented from communicating to assets and sending and receiving traffic not related to administrative purposes. |
---|
605 | 1382 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | Agencies should ensure that privileged users are assigned an unprivileged administration account for authenticating to their dedicated workstations. |
---|
606 | 1383 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must ensure that all administrative infrastructure including, but not limited to, privileged workstations and jump servers are hardened appropriately as per the recommendations in the Software Security chapter. |
---|
607 | 1442 | 0 | Apr-15 | AA | should | UD, P, C, S, TS | Where virtualisation is used to separate the administrative environment from the regular unprivileged user environment on the same physical workstation, the unprivileged user environment should be the 'guest' and the administrative environment the 'host'. |
---|
608 | 1384 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must ensure that all privileged actions must pass through at least one multi-factor authentication process. |
---|
609 | 1385 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | Agencies should place the workstations used for privileged activities into a separate privileged network zone as outlined in the Network Design and Configuration section of the Network Security chapter. |
---|
610 | 1386 | 2 | Sep-17 | AA | should | UD, P | Agencies should only allow management traffic to originate from network zones that are used to administer systems and applications. |
---|
611 | 1474 | 0 | Sep-17 | AA | must | C, S, TS | Agencies must only allow management traffic to originate from network zones that are used to administer systems and applications. |
---|
612 | 1387 | 0 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should ensure that all administrative actions are conducted through a jump server. |
---|
613 | 1388 | 0 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies must ensure that jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative purposes. |
---|
614 | 0513 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | Network management should be kept under the control of a central network management authority. |
---|
615 | 0514 | 3 | Apr-15 | AA | should | UD, P, C, S, TS | All changes to a network's configuration should be documented and approved through a formal change management process. |
---|
616 | 0515 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | Network configurations should be regularly reviewed to ensure that they conform to documented network configurations. |
---|
617 | 0516 | 3 | Apr-15 | AA | must | UD, P, C, S, TS | Network documentation must include:
- a high-level network diagram showing all connections into the network
- a logical network diagram showing all network devices, critical servers and services
- the configuration of network devices.
|
---|
618 | 0518 | 3 | Apr-15 | AA | must | UD, P, C, S, TS | Network documentation must be updated as network configuration changes are made and include a 'current as at [date]' or equivalent statement. |
---|
619 | 1177 | 2 | Apr-15 | AA | should | UD, P, C, S, TS | Network documentation in aggregate should be classified to at least the same level as the network. |
---|
620 | 1178 | 2 | Apr-15 | AA | must | UD, P, C, S, TS | Network documentation provided to a third party, such as to a commercial provider, must only contain details necessary for them to undertake their contractual services and functions. |
---|
621 | 1180 | 2 | Apr-15 | AA | must | UD, P, C, S, TS | Network documentation must be sanitised before being published in public tender documentation. |
---|
622 | 1301 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | An inventory of authorised network devices should be maintained and audited on a regular basis. |
---|
623 | 1303 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | Networks should be scanned on a regular basis to detect the presence of any network devices not on an inventory of authorised network devices; this includes network devices attached directly to workstations e.g. a 3G dongle attached to a workstation via a USB port. |
---|
624 | 1181 | 2 | Apr-15 | AA | should | UD, P, C, S, TS | Networks should be divided into multiple functional zones according to the sensitivity or criticality of information or services in that zone. |
---|
625 | 0385 | 5 | Apr-15 | AA | should | UD, P, C, S, TS | Servers should maintain effective functional separation with other servers allowing them to operate independently and minimise communications with other servers at both the network and file system level. |
---|
626 | 1460 | 0 | Apr-15 | AA | must | UD, P, C, S, TS | When using a software-based isolation mechanism to share a physical server's hardware, agencies must ensure that:
- the isolation mechanism is from a vendor that uses secure programming practices and, when vulnerabilities have been identified, the vendor has developed and distributed patches in a timely manner
- the configuration of the isolation mechanism is hardened, including removing support for unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism, with the configuration performed and reviewed by subject matter experts
- the underlying operating system running on the server is hardened
- security patches are applied to both the isolation mechanism and operating system in a timely manner
- integrity and log monitoring is performed for the isolation mechanism and underlying operating system in a timely manner.
|
---|
627 | 1461 | 0 | Apr-15 | AA | must | C, S, TS | When using a software-based isolation mechanism to share a physical server's hardware, agencies must control all of the computing environments running on the physical server. |
---|
628 | 1462 | 0 | Apr-15 | AA | must | P, C, S, TS | When using a software-based isolation mechanism to share a physical server's hardware, agencies must ensure that the physical server and all of the computing environments running on the physical server are at the same security classification. |
---|
629 | 1463 | 0 | Apr-15 | AA | must | C, S, TS | When using a software-based isolation mechanism to share a physical server's hardware, agencies must ensure that the physical server and all of the computing environments running on the physical server are within the same agency-owned security domain. |
---|
630 | 1006 | 5 | Apr-15 | AA | should | UD, P, C, S, TS | Security measures should be implemented to minimise the risk of unauthorised access to network management traffic on a network. |
---|
631 | 0520 | 5 | Apr-15 | AA | should | UD, P, C, S, TS | Network access controls should be implemented on networks. |
---|
632 | 1182 | 2 | Apr-15 | AA | should | UD, P, C, S, TS | Network access controls should be implemented to limit traffic within and between network segments to only those that are required for business operations. |
---|
633 | 1427 | 0 | Apr-15 | AA | should | UD, P, C, S, TS | Internet Best Current Practice 38 (BCP38) should be implemented on networks. |
---|
634 | 0071 | 4 | Apr-15 | AA | must | UD, P, C, S, TS | If information is processed, stored or communicated by a system not under an agency's control, the agency must ensure that the other party's system has appropriate security measures in place to protect the agency's information. |
---|
635 | 0533 | 1 | Sep-12 | AA | should | UD, P, C, S | Unused physical ports on network devices should be disabled. |
---|
636 | 0534 | 1 | Sep-12 | AA | must | TS | Unused physical ports on network devices must be disabled. |
---|
637 | 1304 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | Default network device accounts must be disabled, renamed or have their passphrase changed. |
---|
638 | 1305 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | All clocks should be synchronised between network devices. |
---|
639 | 1307 | 2 | Apr-15 | AA | should | UD, P, C, S, TS | Network access control should be used to validate devices as compliant with agency security policies before granting access to networks. |
---|
640 | 0576 | 5 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must develop, implement and maintain an intrusion detection and prevention strategy that includes:
- network-based intrusion detection and prevention systems
- procedures and resources for maintaining detection signatures
- procedures and resources for the analysis of event logs and real-time alerts
- procedures and resources for responding to detected cyber security incidents
- the frequency for review of intrusion detection and prevention procedures and resourcing.
|
---|
641 | 0577 | 5 | Apr-15 | AA | should | UD, P | NIDS/NIPS should be deployed in all gateways between an agency's networks and public networks. |
---|
642 | 1028 | 5 | Apr-15 | AA | should | UD, P, C, S, TS | NIDS/NIPS should be deployed in all gateways between agency networks and other networks they do not manage. |
---|
643 | 1029 | 5 | Apr-15 | AA | should | UD, P, C, S, TS | NIDS/NIPS in gateways should be located immediately inside the outermost firewall. |
---|
644 | 1030 | 5 | Apr-15 | AA | should | UD, P, C, S, TS | NIDS/NIPS located behind a firewall should be configured to generate a log entry, and an alert, for any information flows that contravene any rule in the firewall rule set. |
---|
645 | 1185 | 2 | Apr-15 | AA | must | UD, P, C, S, TS | When deploying NIDS/NIPS in non-internet gateways, they must be configured to monitor unusual patterns of behaviours or traffic flows, rather than detect specific internet-based communication protocol signatures. |
---|
646 | 1310 | 2 | Apr-15 | AA | should not | UD | VLANs should not be used to separate network traffic between networks as indicated in the table below (each row lists the networks marked X against it).
- Public: Unclassified (DLM)
- Unclassified (DLM): Public
- PROTECTED: none
- CONFIDENTIAL: none
- SECRET: none
- TOP SECRET: none
|
---|
647 | 0529 | 4 | Apr-15 | AA | must not | P, C, S, TS | VLANs must not be used to separate network traffic between networks as indicated in the table below, given here as one line per row network followed by the column networks marked X against it:
- Public: Protected, Confidential, Secret, Top Secret
- Unclassified (DLM): Protected, Confidential, Secret, Top Secret
- PROTECTED: Public, Unclassified (DLM), Confidential, Secret, Top Secret
- CONFIDENTIAL: Public, Unclassified (DLM), Protected, Secret, Top Secret
- SECRET: Public, Unclassified (DLM), Protected, Confidential, Top Secret
- TOP SECRET: Public, Unclassified (DLM), Protected, Confidential, Secret
|
---|
648 | 1364 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | VLANs from different security domains must be terminated on separate physical network interfaces. |
---|
649 | 0535 | 4 | Apr-15 | AA | must not | UD, P, C, S, TS | VLANs with different classifications must not share VLAN trunks. |
---|
650 | 0530 | 4 | Apr-15 | AA | must | UD, P, C, S, TS | Network devices implementing VLANs must only be managed from the most trusted network. |
---|
651 | 0521 | 4 | Apr-15 | AA | must | UD, P, C, S, TS | Dual-stack network devices and ICT equipment that support IPv6 must disable the functionality unless it is being used. |
---|
652 | 1186 | 2 | Apr-15 | AA | must | UD, P, C, S, TS | Network security devices on IPv6 or dual-stack networks must be IPv6 capable. |
---|
653 | 1428 | 0 | Apr-15 | AA | must | UD, P, C, S, TS | Unless explicitly required, IPv6 tunnelling must be disabled on all network devices and ICT equipment. |
---|
654 | 1429 | 0 | Apr-15 | AA | must | UD, P, C, S, TS | IPv6 tunnelling must be blocked by network security devices at externally connected network boundaries. |
---|
655 | 1430 | 0 | Apr-15 | AA | should | UD, P, C, S, TS | Dynamically assigned IPv6 addresses should be configured with DHCPv6 in a stateful manner with lease information stored in a centralised logging facility. |
---|
656 | 0525 | 4 | Apr-15 | AA | must | UD, P, C, S, TS | When enabling a dual-stack environment or a wholly IPv6 environment the network must be reaccredited. |
---|
657 | 1311 | 1 | Apr-15 | AA | must not | UD, P, C, S, TS | SNMPv1 and SNMPv2 must not be used on networks. |
---|
658 | 1312 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | All default SNMP community strings on network devices should be changed and have write access disabled. |
---|
659 | 1458 | 0 | Apr-15 | AA | should | UD, P | Agencies should determine the functionality and quality of services acceptable to legitimate users of online services, how to maintain such functionality, and what functionality can be lived without during a denial of service. |
---|
660 | 1431 | 0 | Apr-15 | AA | should | UD, P | Agencies should discuss denial of service prevention and mitigation strategies with service providers, specifically:
- their capacity to withstand a denial of service
- any costs likely to be incurred by customers resulting from a denial of service
- thresholds for notifying customers or turning off their online services during a denial of service
- pre-approved actions that can be undertaken during a denial of service.
|
---|
661 | 1432 | 0 | Apr-15 | AA | should | UD, P | Domain names for online services should be protected by ensuring registrar locking and confirming domain registration details (e.g. contact details) are correct. |
---|
662 | 1433 | 0 | Apr-15 | AA | should | UD, P | Agencies should maintain 24x7 contact details for service providers and service providers should maintain 24x7 contact details for their customers. |
---|
663 | 1434 | 0 | Apr-15 | AA | should | UD, P | Agencies and service providers should provide each other with additional out-of-band contact details (e.g. mobile phone number and non-corporate email) for use when normal communication channels fail. |
---|
664 | 1435 | 0 | Apr-15 | AA | should | UD, P | Availability monitoring with real-time alerting should be implemented to detect an attempted denial of service and measure its impact. |
---|
665 | 1436 | 0 | Apr-15 | AA | should | UD, P | Critical online services (e.g. email services) should be segregated from other online services that are more likely to be targeted (e.g. web hosting services). |
---|
666 | 1190 | 1 | Apr-15 | AA | should | UD, P | Agencies should use multiple Internet links provided by different Internet Service Providers. |
---|
667 | 1437 | 1 | Sep-17 | AA | should | UD, P | A cloud service provider, preferably multiple different cloud service providers, should be used for hosting online services. |
---|
668 | 1438 | 0 | Apr-15 | AA | should | UD, P | Where a requirement for high availability exists for website hosting, content delivery networks that cache websites should be used. |
---|
669 | 1439 | 0 | Apr-15 | AA | should | UD, P | If using a content delivery network, disclosing the IP address of the web server under the agency's control (referred to as the origin server) should be avoided. |
---|
670 | 1440 | 0 | Apr-15 | AA | should | UD, P | If using a content delivery network, access to the origin server should be restricted to the content delivery network and an authorised management network. |
---|
671 | 1441 | 0 | Apr-15 | AA | should | UD, P | A denial of service mitigation service should be used. |
---|
672 | 0536 | 5 | Apr-15 | AA | must | UD, P, C, S, TS | Wireless networks deployed for the general public to access must be segregated from all other agency networks. |
---|
673 | 1314 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | All wireless access points used for wireless networks must be Wi-Fi Alliance certified. |
---|
674 | 1315 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | The administrative interface on wireless access points should be disabled for wireless connections. |
---|
675 | 1316 | 1 | Apr-15 | AA | must | UD, P, C, S, TS | The default SSID of wireless access points must be changed. |
---|
676 | 1317 | 1 | Apr-15 | AA | should not | UD, P, C, S, TS | The SSID of a wireless network should not be readily associated with an agency, the location of their premises, or the functionality of the wireless network. |
---|
677 | 1318 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | SSID broadcasting should be enabled on wireless networks. |
---|
678 | 1319 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | The dynamic host configuration protocol should be used for assigning IP addresses on wireless networks. |
---|
679 | 1320 | 1 | Feb-14 | AA | should not | UD, P, C, S, TS | MAC address filtering should not be used as a security mechanism to restrict which devices can connect to a wireless network. |
---|
680 | 1321 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | WPA2-Enterprise with EAP-TLS must be used on wireless networks to perform mutual authentication. |
---|
681 | 1322 | 1 | Apr-15 | AA | must | P | Supplicants, authenticators and the authentication server used in wireless networks must have completed a Common Criteria evaluation, an ACE and be listed on ASD's EPL. |
---|
682 | 1443 | 0 | Apr-15 | AA | must | C, S, TS | Supplicants, authenticators and the authentication server used in wireless networks must have completed an evaluation endorsed by ASD. |
---|
683 | 1323 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | Unique certificates should be used for both devices and users accessing a wireless network. |
---|
684 | 1324 | 1 | Apr-15 | AA | must | P | Certificates must be generated using a certificate authority product or hardware security module that has completed a Common Criteria evaluation, an ACE and is listed on ASD's EPL. |
---|
685 | 1444 | 0 | Apr-15 | AA | must | C, S, TS | Certificates must be generated using a certificate authority product or hardware security module that has completed an evaluation endorsed by ASD. |
---|
686 | 1325 | 0 | Sep-12 | AA | must not | UD, P, C, S, TS | The certificates for both a device and user accessing a wireless network must not be stored on the same device. |
---|
687 | 1326 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | Certificates for users accessing wireless networks should be issued on smart cards with access PINs and stored separately from devices when not in use. |
---|
688 | 1327 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Certificates stored on devices accessing wireless networks should be protected by implementing full disk encryption on the devices. |
---|
689 | 1328 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | Devices must be configured to validate the server certificate, disable any trust for certificates generated by commercial certificate authorities that are not trusted and disable the ability to prompt users to authorise new servers or commercial certification authorities. |
---|
690 | 1329 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Devices should be set to enable identity privacy. |
---|
691 | 1330 | 0 | Sep-12 | AA | should not | UD, P, C, S, TS | The PMK caching period should not be set to greater than 1440 minutes (24 hours). |
---|
692 | 1454 | 0 | Apr-15 | AA | should | UD, P | Communications between wireless access points and a RADIUS server should be encapsulated with an additional layer of encryption. |
---|
693 | 1331 | 1 | Apr-15 | AA | must | C, S, TS | Communications between wireless access points and a RADIUS server must be encapsulated with an additional layer of encryption. |
---|
694 | 1332 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | CCMP must be used to protect the confidentiality and integrity of all wireless network traffic. |
---|
695 | 0543 | 5 | Apr-15 | AA | must | P | Classified information must be encrypted with an encryption product that has completed a Common Criteria evaluation, an ACE and be listed on ASD's EPL before being communicated over a wireless network. |
---|
696 | 1445 | 0 | Apr-15 | AA | must | C, S, TS | Classified information must be encrypted with an encryption product that has completed an evaluation endorsed by ASD before being communicated over a wireless network. |
---|
697 | 1333 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | TKIP and WEP support must be disabled or removed from wireless access points. |
---|
698 | 1334 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | Wireless networks should implement sufficient frequency separation from other wireless networks. |
---|
699 | 1335 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Wireless access points and devices should be upgraded to support the 802.11w amendment. |
---|
700 | 1336 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Wireless functionality on devices should be disabled, preferably by a hardware switch, whenever connected to a fixed network. |
---|
701 | 1337 | 0 | Sep-12 | AA | must not | UD, P, C, S, TS | Devices must not be configured to remember and automatically connect to open wireless networks that they have previously connected to. |
---|
702 | 1338 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Instead of deploying a small number of wireless access points that broadcast on high power, more wireless access points that use minimal broadcast power should be deployed to achieve the desired wireless network footprint. |
---|
703 | 1013 | 4 | Sep-12 | AA | should | C, S, TS | The effective range of wireless communications outside an agency's area of control should be limited by implementing RF shielding on buildings in which wireless networks are used. |
---|
704 | 0546 | 5 | Apr-15 | AA | should | UD, P, C, S, TS | Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall should be used. |
---|
705 | 0547 | 2 | Apr-15 | AA | should | UD, P, C, S, TS | Video conferencing and IP telephony signalling and data should be encrypted. |
---|
706 | 0548 | 2 | Apr-15 | AA | should | UD, P, C, S, TS | Video conferencing and IP telephony functions should only be established using the secure signalling and data protocols. |
---|
707 | 0554 | 0 | Sep-08 | AA | should | UD, P, C, S, TS | An encrypted and non-replayable two-way authentication scheme should be used for call authentication and authorisation. |
---|
708 | 0553 | 2 | Apr-15 | AA | should | UD, P, C, S, TS | Authentication and authorisation should be used for all actions on the video conferencing network, including call setup and changing settings. |
---|
709 | 0555 | 1 | Sep-11 | AA | should | UD, P, C, S, TS | Authentication and authorisation should be used for all actions on the IP telephony network, including:
- registering a new IP phone
- changing phone users
- changing settings
- accessing voice mail.
|
---|
710 | 0551 | 4 | Apr-15 | AA | should | UD, P | IP telephony should be configured such that:
- IP phones authenticate themselves to the call controller upon registration
- auto-registration is disabled and only a whitelist of authorised devices are allowed to access the network
- unauthorised devices are blocked by default
- all unused and prohibited functionality is disabled.
|
---|
711 | 0552 | 4 | Apr-15 | AA | must | C, S, TS | IP telephony must be configured such that:
- IP phones authenticate themselves to the call controller upon registration
- auto-registration is disabled and only a whitelist of authorised devices are allowed to access the network
- unauthorised devices are blocked by default
- all unused and prohibited functionality is disabled.
|
---|
712 | 1014 | 4 | Apr-15 | AA | should | C, S, TS | Individual logins should be used for IP phones. |
---|
713 | 0549 | 2 | Sep-12 | AA | should | UD, P | Video conferencing and IP telephony traffic should be separated either physically or logically from other data traffic. |
---|
714 | 0550 | 2 | Sep-12 | AA | must | C, S, TS | Video conferencing and IP telephony traffic must be separated either physically or logically from other data traffic. |
---|
715 | 0556 | 3 | Sep-12 | AA | should not | UD, P | Workstations should not be connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic. |
---|
716 | 0557 | 3 | Sep-12 | AA | must not | C, S, TS | Workstations must not be connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic. |
---|
717 | 1015 | 4 | Apr-15 | AA | should | UD, P, C, S, TS | Traditional analog phones should be used in lobby and shared areas. |
---|
718 | 0558 | 3 | Sep-12 | AA | should | UD, P, C, S, TS | If IP phones are used in lobby and shared areas, their ability to access data networks and functionality for voice mail and directory services should be limited. |
---|
719 | 0559 | 3 | Apr-15 | AA | should not | UD, P | Microphones (including headsets and USB handsets) and webcams should not be used with Unclassified (DLM) or PROTECTED workstations in CONFIDENTIAL or SECRET areas. |
---|
720 | 1450 | 0 | Apr-15 | AA | must not | UD, P, C, S | Microphones (including headsets and USB handsets) and webcams must not be used with Unclassified (DLM), PROTECTED, CONFIDENTIAL or SECRET workstations in TOP SECRET areas. |
---|
721 | 1019 | 6 | Sep-17 | AA | should | UD, P, C, S, TS | Agencies should develop a denial of service response plan that includes:
- how to identify signs of a denial of service
- how to identify the source of a denial of service, either internal or external
- how capabilities can be maintained during a denial of service e.g. personal mobile phones that have been identified for use in case of an emergency
- what actions can be taken to clear a denial of service e.g. banning certain devices/IPs at the call controller and firewalls, implementing quality of service, changing authentication, changing dial-in authentication.
|
---|
722 | 1161 | 3 | Apr-15 | AA | must | UD | Agencies must use an encryption product that implements an ASD Approved Cryptographic Algorithm (AACA) if they wish to reduce the storage or physical transfer requirements for ICT equipment or media that contains sensitive information to an unclassified level. |
---|
723 | 0457 | 4 | Feb-14 | AA | must | P | Agencies must use a Common Criteria-evaluated encryption product that has completed an ACE if they wish to reduce the storage or physical transfer requirements for ICT equipment or media that contains classified information to an unclassified level. |
---|
724 | 0460 | 7 | Apr-15 | ASD | must | C, S, TS | Agencies must use HACE products if they wish to reduce the storage or physical transfer requirements for ICT equipment or media that contains classified information to that of a lower classification. |
---|
725 | 0459 | 2 | Nov-10 | AA | should | UD, P | Agencies using encryption to secure data at rest should use either:
- full disk encryption
- partial encryption where the access control will only allow writing to the encrypted partition.
|
---|
726 | 0461 | 4 | Feb-14 | ASD | must | C, S, TS | Agencies using encryption to secure data at rest must use either:
- full disk encryption
- partial encryption where the access control will only allow writing to the encrypted partition.
|
---|
727 | 1080 | 1 | Feb-14 | AA | must | P, C, S, TS | In addition to any encryption already in place, agencies must, at minimum, use an AACA to protect AUSTEO and AGAO information when at rest on a system. |
---|
728 | 0455 | 1 | Nov-10 | AA | must | UD, P | Where practical, cryptographic products must provide a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure. |
---|
729 | 0456 | 1 | Sep-11 | ASD | must | C, S, TS | Where practical, cryptographic products must provide a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure. |
---|
730 | 0462 | 4 | Sep-12 | AA | must | UD, P, C, S, TS | When a user authenticates to ICT equipment storing encrypted information, it must be treated in accordance with the original sensitivity or classification of the equipment. |
---|
731 | 1162 | 2 | Feb-14 | AA | must | UD | Agencies must use an encryption product that implements an AACP if they wish to communicate sensitive information over public network infrastructure. |
---|
732 | 0465 | 5 | Feb-14 | AA | must | P | Agencies must use a Common Criteria-evaluated encryption product that has completed an ACE if they wish to communicate classified information over public network infrastructure. |
---|
733 | 0467 | 7 | Apr-15 | ASD | must | C, S, TS | Agencies must use HACE products if they wish to communicate classified information over networks of a lower classification or public network infrastructure. |
---|
734 | 0469 | 2 | Feb-14 | AA | must | P, C, S, TS | In addition to any encryption already in place for communication mediums, agencies must, at minimum, use an AACP to protect AUSTEO and AGAO information when in transit. |
---|
735 | 0471 | 4 | Feb-14 | AA | must | UD, P | Agencies using an unevaluated product that implements an AACA must ensure that only AACAs can be used. |
---|
736 | 0994 | 4 | Sep-12 | AA | should | UD, P | Agencies should use ECDH and ECDSA in preference to DH and DSA. |
---|
737 | 0472 | 3 | Sep-12 | AA | must | UD, P | Agencies using DH for the approved use of agreeing on encryption session keys must use a modulus of at least 1024 bits. |
---|
738 | 1475 | 0 | Sep-17 | AA | must | UD, P | Agencies using DH for the approved use of agreeing on encryption session keys should use a modulus of at least 2048 bits. |
---|
739 | 0473 | 3 | Sep-12 | AA | must | UD, P | Agencies using DSA for the approved use of digital signatures must use a modulus of at least 1024 bits. |
---|
740 | 1476 | 0 | Sep-17 | AA | must | UD, P | Agencies using DSA for the approved use of digital signatures should use a modulus of at least 2048 bits. |
---|
741 | 1446 | 0 | Apr-15 | AA | must | UD, P | Agencies using elliptic curve cryptography must select a curve from the NIST standard, FIPS 186-4. |
---|
742 | 0474 | 3 | Sep-12 | AA | must | UD, P | Agencies using ECDH for the approved use of agreeing on encryption session keys must use a field/key size of at least 160 bits. |
---|
743 | 0475 | 3 | Sep-12 | AA | must | UD, P | Agencies using ECDSA for the approved use of digital signatures must use a field/key size of at least 160 bits. |
---|
744 | 0476 | 4 | Apr-15 | AA | must | UD, P | Agencies using RSA, both for the approved use of digital signatures and passing encryption session keys or similar keys, must use a modulus of at least 1024 bits. |
---|
745 | 1477 | 0 | Sep-17 | AA | must | UD, P | Agencies using RSA, both for the approved use of digital signatures and passing encryption session keys or similar keys, should use a modulus of at least 2048 bits. |
---|
746 | 0477 | 5 | Feb-14 | AA | must | UD, P | Agencies using RSA, both for the approved use of digital signatures and for passing encryption session keys or similar keys, must ensure that the key pair used for passing encrypted session keys is different from the key pair used for digital signatures. |
---|
747 | 1054 | 3 | Sep-17 | AA | must | UD, P | Agencies must use a hashing algorithm from the SHA-2 family. |
---|
748 | 0479 | 3 | Sep-12 | AA | should not | UD, P | Agencies using AES or 3DES should not use electronic codebook mode. |
---|
749 | 0480 | 5 | Sep-17 | AA | must | UD, P | Agencies using 3DES must use three distinct keys. |
---|
750 | 1468 | 1 | Sep-17 | ASD | should | C, S, TS | Agencies should give preference to algorithms which meet the standards described in CNSSAM 02-15 to appropriately protect CONFIDENTIAL, SECRET and/or TOP SECRET information. |
---|
751 | 1231 | 3 | Sep-17 | ASD | must | C, S, TS | If using Suite B, agencies must use the associated algorithms in the configuration specified in the table below, to appropriately protect CONFIDENTIAL, SECRET and TOP SECRET information. Each line gives the function and its cryptographic algorithm or protocol, then the requirements for information classified Confidential and Secret, the requirements for information classified Top Secret, and the CNSSAM recommendation:
- Encryption (AES): Confidential and Secret: 128 bit key OR 256 bit key; Top Secret: 256 bit key; CNSSAM recommendation AES 256 bit key
- Hashing (SHA): Confidential and Secret: SHA-256 OR SHA-384; Top Secret: SHA-384; CNSSAM recommendation SHA-384
- Digital Signature (ECDSA): Confidential and Secret: NIST P-256 OR NIST P-384; Top Secret: NIST P-384; CNSSAM recommendation NIST P-384 OR RSA 3072-bit or larger
- Key Exchange (ECDH): Confidential and Secret: NIST P-256 OR NIST P-384; Top Secret: NIST P-384; CNSSAM recommendation DH 3072-bit or larger, or NIST P-384 or RSA 3072-bit or larger
|
---|
752 | 1232 | 2 | Apr-15 | ASD | must | C, S, TS | Agencies using Suite B algorithms must use them in an evaluated configuration. |
---|
753 | 0481 | 3 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies using a product that implements an AACP must ensure that only AACAs can be used. |
---|
754 | 0482 | 4 | Feb-14 | AA | must not | UD, P, C, S, TS | Agencies must not use SSL. |
---|
755 | 1447 | 0 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must use TLS. |
---|
756 | 1139 | 3 | Apr-15 | AA | should | UD, P, C, S, TS | Agencies should use the latest version of TLS. |
---|
757 | 1369 | 0 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should use AES-GCM for symmetric encryption when available. |
---|
758 | 1370 | 0 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should use a TLS implementation that supports secure renegotiation. |
---|
759 | 1371 | 0 | Feb-14 | AA | must | UD, P, C, S, TS | If secure renegotiation is not available, agencies must disable renegotiation. |
---|
760 | 1372 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | Agencies should use DH or ECDH for key establishment. |
---|
761 | 1448 | 0 | Apr-15 | AA | should | UD, P, C, S, TS | When using DH or ECDH for key establishment, agencies should use the ephemeral variant. |
---|
762 | 1373 | 0 | Feb-14 | AA | must not | UD, P, C, S, TS | Agencies must not use anonymous DH. |
---|
763 | 1374 | 0 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should use SHA-2 based certificates where available. |
---|
764 | 1375 | 1 | Apr-15 | AA | should | UD, P, C, S, TS | Cipher suites should be configured to use SHA-2 as part of the Message Authentication Code (MAC) and Pseudo-Random Function (PRF) where possible. |
---|
765 | 1453 | 0 | Apr-15 | AA | should | UD, P, C, S, TS | Agencies should use Perfect Forward Secrecy for TLS connections. |
---|
766 | 0484 | 3 | Sep-12 | AA | should | UD, P, C, S, TS | The settings below should be implemented when using SSH, listed as configuration description followed by configuration directive:
- Disallow the use of SSH version 1: Protocol 2
- On machines with multiple interfaces, configure the SSH daemon to listen only on the required interfaces: ListenAddress xxx.xxx.xxx.xxx
- Disable connection forwarding: AllowTCPForwarding no
- Disable gateway ports: Gatewayports no
- Disable the ability to login directly as root: PermitRootLogin no
- Disable host-based authentication: HostbasedAuthentication no
- Disable rhosts-based authentication: RhostsAuthentication no and IgnoreRhosts yes
- Do not allow empty passphrases: PermitEmptyPasswords no
- Configure a suitable login banner: Banner /directory/filename
- Configure a login authentication timeout of no more than 60 seconds: LoginGraceTime xx
- Disable X forwarding: X11Forwarding no
|
---|
767 | 0485 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should use public key-based authentication in preference to using passphrase-based authentication. |
---|
768 | 1449 | 0 | Apr-15 | AA | should | UD, P, C, S, TS | Agencies should protect SSH private keys with a passphrase or a key encryption key. |
---|
769 | 0486 | 3 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies that allow passphrase authentication must use techniques to block brute force attempts against the passphrase. |
---|
770 | 0487 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies that use logins without a passphrase for automated purposes should disable:
- access from IP addresses that do not need access
- port forwarding
- agent credential forwarding
- X11 display remoting
- console access.
|
---|
771 | 0488 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies that use remote access without the use of a passphrase should use the 'forced command' option to specify what command is executed. |
---|
772 | 0997 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should use parameter checking when using the 'forced command' option. |
---|
773 | 0489 | 3 | Apr-15 | AA | should | UD, P, C, S, TS | Agencies that use SSH-agent or other similar key caching programs should:
- only use the software on workstations and servers with screen locks
- ensure that the key cache expires within four hours of inactivity
- ensure that agent credential forwarding is used when SSH traversal is needed.
|
---|
774 | 0490 | 2 | Nov-10 | AA | should not | UD, P, C, S, TS | Agencies should not allow versions of S/MIME earlier than 3.0 to be used. |
---|
775 | 0494 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should use tunnel mode for IPsec connections. |
---|
776 | 0495 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies choosing to use transport mode should additionally use an IP tunnel for IPsec connections. |
---|
777 | 0496 | 3 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must use the ESP protocol for IPsec connections. |
---|
778 | 1233 | 0 | Sep-12 | AA | must not | UD, P, C, S, TS | Agencies must not use manual keying for Key Exchange when establishing an IPsec connection. |
---|
779 | 0497 | 4 | Apr-15 | AA | should | UD, P, C, S, TS | Agencies using ISAKMP in IKEv1 should disable aggressive mode. |
---|
780 | 0498 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should use a security association lifetime of less than four hours, or 14400 seconds. |
---|
781 | 0998 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must use HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 as a HMAC algorithm. |
---|
782 | 0999 | 4 | Apr-15 | AA | should | UD, P, C, S, TS | Agencies should use the largest modulus size possible for all relevant components in the network when conducting a key exchange. |
---|
783 | 1000 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should use Perfect Forward Secrecy for IPsec connections. |
---|
784 | 1001 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should disable the use of XAUTH for IPsec connections using IKEv1. |
---|
785 | 1091 | 3 | Apr-15 | AA | must | UD, P, C, S, TS | Agencies must revoke keying materials or certificates when they are suspected of being compromised. |
---|
786 | 1393 | 0 | Apr-15 | ASD | must | UD, P, C, S, TS | Agencies must immediately report to ASD any HACE keying material or certificates when they are suspected of being compromised. |
---|
787 | 0499 | 6 | Apr-15 | ASD | must | C, S, TS | Agencies must comply with ACSI 53, ACSI 103, ACSI 105, ACSI 107 or ACSI 173 and the specific equipment doctrine when using HACE. |
---|
788 | 1002 | 3 | Sep-11 | AA | should not | UD, P | Agencies should not transport commercial grade cryptographic equipment in a keyed state. |
---|
789 | 0500 | 2 | Nov-10 | AA | must | UD, P | Unkeyed commercial grade cryptographic equipment must be distributed and managed by a means approved for the transportation and management of government property. |
---|
790 | 0501 | 3 | Sep-11 | AA | must | UD, P | Keyed commercial grade cryptographic equipment must be distributed, managed and stored by a means approved for the transportation and management of government property based on the sensitivity or classification of the key in the equipment. |
---|
791 | 0502 | 5 | Apr-15 | AA | must | UD, P, C, S, TS | Before personnel are granted communications security custodian access, agencies must ensure that they have:
- a demonstrated need for access
- read and agreed to comply with the relevant Key Management Plan (KMP) for the cryptographic system they are using
- a security clearance at least equal to the classification of the keying material
- agreed to protect the authentication information for the cryptographic system at the sensitivity or classification of information it secures
- agreed not to share authentication information for the cryptographic system without approval
- agreed to be responsible for all actions under their accounts
- agreed to report all potentially security related problems to an ITSM or a COMSEC Custodian Officer.
|
---|
792 | 0503 | 4 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must be able to readily account for all transactions relating to cryptographic system material, including identifying hardware and software that were issued with the cryptographic equipment and materials, when they were issued and where they were issued. |
---|
793 | 0504 | 3 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies must conduct inventory of cryptographic system material:
- on handover/takeover of administrative responsibility for the cryptographic system
- on change of personnel with access to the cryptographic system
- at least twice a year.
|
---|
794 | 1003 | 4 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should perform inventory to check all cryptographic system material as per the accounting documentation. |
---|
795 | 1004 | 4 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should conduct inventory using two personnel that have undergone communications security custodial training and have been appointed as COMSEC custodians. |
---|
796 | 0505 | 4 | Sep-17 | AA | should | UD, P, C, S, TS | Cryptographic equipment should be stored in a room that meets the requirements for a server room of an appropriate level, based on the sensitivity or classification of the information the cryptographic system processes. |
---|
797 | 0506 | 2 | Apr-15 | AA | should | C, S, TS | Areas in which High Assurance Cryptographic Equipment is used should be separated from other areas and designated as a cryptographic controlled area. |
---|
798 | 0507 | 3 | Apr-15 | AA | should | UD, P | Agencies should develop a KMP when they implement a cryptographic system using cryptographic equipment. |
---|
799 | 0509 | 6 | Apr-15 | AA | must | C, S, TS | Agencies must have an approved KMP in place prior to implementing a High Assurance cryptographic system using High Assurance Cryptographic Equipment. |
---|
800 | 0510 | 5 | Apr-15 | AA | must | C, S, TS | Agencies must document the minimum contents in their KMP as described in ACSI 105. |
---|
801 | 0511 | 4 | Apr-15 | AA | must | C, S, TS | The level of detail included in a KMP must be consistent with the criticality and sensitivity or classification of the information to be protected. |
---|
802 | 1005 | 5 | Apr-15 | AA | should | C, S, TS | Agencies should hold and maintain an access register that records High Assurance cryptographic system information such as:
- details of personnel with system administrator access
- details of those whose system administrator access was withdrawn
- details of system documents
- accounting activities
- compliance check activities.
|
---|
803 | 0628 | 4 | May-16 | AA | must | UD, P, C, S, TS | Agencies must ensure that:
- all systems are protected from systems in other security domains by one or more gateways or cross domain solutions
- all gateways contain mechanisms to filter data flows at the network layer.
|
---|
804 | 1192 | 1 | May-16 | AA | should | UD, P, C, S, TS | Agencies should ensure that all connections between security domains contain mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model. |
---|
805 | 0631 | 3 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must ensure that gateways:
- are the only communications paths into and out of internal networks
- by default, deny all connections into and out of the network
- allow only explicitly authorised connections
- are configured to apply controls as specified in the Data Transfers and Content Filtering chapter of this manual
- are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)
- provide sufficient logging and audit capabilities to detect cyber security incidents, attempted intrusions and overuse/unusual usage patterns
- provide real-time alerts.
|
---|
806 | 0634 | 5 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies must ensure that all gateways connecting networks in different security domains are operated and maintained such that they:
- apply controls as specified in the Data Transfers and Content Filtering chapter of this manual
- filter and log network traffic attempting to enter the gateway; agencies may choose not to log untrusted internet traffic provided there is application-level logging related to the permitted network communications (e.g. the web server logs successful connections)
- log network traffic attempting to leave the gateway
- are configured to save event logs to a separate secure log server
- are protected by authentication, logging and auditing of all physical access to gateway components
- have all controls tested to verify their effectiveness after any changes to their configuration.
|
---|
807 | 0637 | 4 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must use demilitarised zones to house services accessed externally and mediate internal and external access to information held on agency networks. |
---|
808 | 0598 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must perform a security risk assessment on gateways and their configuration before their implementation. |
---|
809 | 0605 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | All owners of systems connected via a gateway must understand and accept the residual security risk of the gateway and from any connected security domains including those connected via a cascaded connection. |
---|
810 | 1041 | 3 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should review at least annually the security architecture of the gateway and security risks of all connected security domains including those connected via a cascaded connection. |
---|
811 | 0624 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must update the Security Risk Management Plan before changes are made to the gateway to ensure all security risks have been accepted. |
---|
812 | 0625 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must document and assess all changes to gateway architecture in accordance with the agency's change management process. |
---|
813 | 1037 | 4 | May-16 | AA | should | UD, P, C, S, TS | Agencies should ensure that testing of security measures is performed at irregular intervals no more than six months apart. |
---|
814 | 0609 | 4 | Sep-12 | AA | should | UD, P | All users should be trained on the secure use and security risks of gateways before access to systems connected to a gateway is granted. |
---|
815 | 0610 | 4 | Sep-12 | AA | must | C, S, TS | All users must be trained on the secure use and security risks of gateways before access to the systems connected to a gateway is granted. |
---|
816 | 0611 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must limit access to gateway administration functions. |
---|
817 | 0612 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must ensure that system administrators are formally trained to manage gateways. |
---|
818 | 0613 | 3 | Sep-12 | AA | must | P, C, S, TS | Agencies must ensure that all system administrators of gateways that process AUSTEO or AGAO information are Australian nationals. |
---|
819 | 0616 | 2 | Nov-10 | AA | should | UD, P | Agencies should separate roles for the administration of gateways (e.g. separate network and security policy configuration roles). |
---|
820 | 0617 | 2 | Nov-10 | AA | must | C, S, TS | Agencies must separate roles for the administration of gateways (e.g. separate network and security policy configuration roles). |
---|
821 | 0629 | 2 | Nov-10 | AA | must | UD, P, C, S, TS | For gateways between networks in different security domains, any shared components must be managed by the system owners of the highest security domain or by a mutually agreed party. |
---|
822 | 0607 | 1 | Nov-10 | AA | should | UD, P | Once connectivity is established, system owners should become information stakeholders for all connected security domains. |
---|
823 | 0608 | 1 | Nov-10 | AA | must | C, S, TS | Once connectivity is established, system owners must become information stakeholders for all connected security domains. |
---|
824 | 0619 | 4 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must authenticate users to all sensitive or classified networks accessed through gateways. |
---|
825 | 0620 | 3 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must ensure that only users authenticated and authorised to a gateway can use the gateway. |
---|
826 | 1039 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should use multi-factor authentication for access to gateways. |
---|
827 | 0622 | 4 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should authenticate ICT equipment to networks accessed through gateways. |
---|
828 | 0626 | 3 | Sep-11 | AA | must | C, S, TS | Agencies connecting a TOP SECRET, SECRET or CONFIDENTIAL network to any other network from a different security domain must implement a CDS. |
---|
829 | 0597 | 5 | Feb-14 | AA | must | C, S, TS | When designing and deploying a CDS, agencies must consult with ASD Technical Assessments and comply with all directions provided. |
---|
830 | 0627 | 5 | May-16 | AA | must | C, S, TS | Agencies introducing additional connectivity to a CDS, such as adding a new gateway to a common network, must consult with ASD Technical Assessments on the impact to the security of the CDS and comply with all directions provided. |
---|
831 | 0635 | 3 | Sep-11 | AA | must | C, S, TS | Agencies must ensure that all bi-directional gateways between TOP SECRET, SECRET or CONFIDENTIAL networks and any other network have separate upward and downward network paths using a diode, content filtering and physically separate infrastructure for each path. |
---|
832 | 0670 | 3 | Sep-12 | AA | must | C, S, TS | When exporting data from a security domain, agencies must ensure that all CDS events are logged. |
---|
833 | 0675 | 2 | Sep-12 | AA | must | C, S, TS | A trusted source must sign all data to be exported from a security domain. |
---|
834 | 1193 | 2 | Apr-15 | AA | must | UD | Agencies must use a firewall between networks of different security domains. |
---|
835 | 0639 | 6 | Apr-15 | AA | must | P | Agencies must use an ASD approved firewall between networks of different security domains. |
---|
836 | 1194 | 1 | Sep-12 | AA | must | UD, P, C, S, TS | The requirement to use a firewall as part of gateway infrastructure must be met by both parties independently; shared equipment does not satisfy the requirements of both parties. |
---|
837 | 0641 | 6 | Apr-15 | AA | must | P, C, S, TS | Agencies must use an ASD approved firewall between an AUSTEO or AGAO network and a foreign network in addition to the firewall between networks of different security domains. |
---|
838 | 0642 | 6 | Apr-15 | AA | should | P, C, S, TS | Agencies should use an ASD approved firewall between an AUSTEO or AGAO network and another Australian controlled network in addition to the firewall between networks of different security domains. |
---|
839 | 0643 | 4 | Sep-12 | AA | must | UD, P | Agencies must use a Common Criteria-evaluated diode for controlling the data flow of uni-directional gateways between sensitive or classified networks and public network infrastructure. |
---|
840 | 0645 | 4 | Feb-14 | AA | must | C, S, TS | Agencies must use a High Assurance diode from ASD's EPL for controlling the data flow of uni-directional gateways between classified networks and public network infrastructure. |
---|
841 | 1157 | 2 | Sep-12 | AA | must | UD, P | Agencies must use a Common Criteria-evaluated diode for controlling the data flow of uni-directional gateways between sensitive and classified networks. |
---|
842 | 1158 | 3 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies must use a High Assurance diode from ASD's EPL for controlling the data flow of uni-directional gateways between sensitive or classified networks where the highest system is CONFIDENTIAL or above. |
---|
843 | 0646 | 3 | Sep-12 | AA | must | P, C, S, TS | Agencies must use a Common Criteria-evaluated diode between an AUSTEO or AGAO network and a foreign network at the same classification. |
---|
844 | 0647 | 5 | Feb-14 | AA | should | P, C, S, TS | Agencies should use a Common Criteria-evaluated diode from ASD's EPL between an AUSTEO or AGAO network and another agency controlled network at the same classification. |
---|
845 | 0648 | 2 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies deploying a diode to control data flow in uni-directional gateways should monitor the volume of the data being transferred. |
---|
846 | 0258 | 1 | Sep-09 | AA | must | UD, P, C, S, TS | Agencies must have a policy governing appropriate web usage. |
---|
847 | 0260 | 1 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should ensure all web access, including that by internal servers, is conducted through a web proxy. |
---|
848 | 0261 | 3 | Sep-12 | AA | should | UD, P, C, S, TS | A web proxy should authenticate users and provide logging that includes the following details about websites accessed:
- address (uniform resource locator)
- time/date
- user
- amount of data uploaded and downloaded
- internal IP address
- external IP address.
|
---|
849 | 1235 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should restrict the installation of add-ons to only those add-ons approved by the agency. |
---|
850 | 0263 | 4 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies permitting TLS through their gateways should implement either:
- a solution that decrypts and inspects the TLS traffic as per content filtering requirements
- a whitelist specifying the addresses (uniform resource locators) to which encrypted connections are permitted, with all other addresses either blocked or decrypted and inspected as per content filtering requirements.
|
---|
851 | 0996 | 4 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should seek legal advice regarding the inspection of encrypted TLS traffic by their gateways. |
---|
852 | 0958 | 4 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should implement whitelisting for all Hypertext Transfer Protocol traffic communicated through their gateways. |
---|
853 | 0995 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies using a whitelist on their gateways to specify the external addresses to which connections are permitted should specify whitelist addresses by domain name or IP address. |
---|
854 | 1170 | 0 | Sep-11 | AA | should | UD, P, C, S, TS | If agencies do not whitelist websites they should implement categories for all websites and block prohibited categories and uncategorised sites. |
---|
855 | 0959 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | If agencies do not whitelist websites they should blacklist websites to prevent access to known malicious websites. |
---|
856 | 0960 | 3 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies blacklisting websites should update the blacklist on a daily basis to ensure that it remains effective. |
---|
857 | 1171 | 0 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should block attempts to access a website through its IP address instead of through its domain name. |
---|
858 | 1236 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should block dynamic and other domains where domain names can be registered anonymously for free. |
---|
859 | 0963 | 4 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should use the web proxy to filter content that is potentially harmful to hosts and users. |
---|
860 | 0961 | 4 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should restrict client-side active content, such as Java and ActiveX, to a whitelist of approved websites. This whitelist may be the same as the HTTP whitelist, or a separate active content whitelist. |
---|
861 | 1237 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should ensure that web content filtering controls are applied to outbound web traffic where appropriate. |
---|
862 | 0591 | 5 | Sep-17 | AA | must | UD, P | A Common Criteria-evaluated KVM must be used when sharing peripherals between a combination of unclassified/DLM and PROTECTED systems. |
---|
863 | 0593 | 7 | Sep-17 | AA | must | C, S, TS | A Common Criteria-evaluated KVM must be used when sharing peripherals between a combination of systems of different security domains at the same classification (e.g. different caveats). |
---|
864 | 1457 | 1 | Sep-17 | AA | must | P, C, S, TS | A High Assurance KVM must be used when sharing peripherals between a combination of different security classifications. |
---|
865 | 0594 | 3 | Sep-12 | AA | should | P, C, S, TS | Agencies should use a Common Criteria-evaluated product when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not accredited to process the same caveat. |
---|
866 | 0661 | 5 | Sep-17 | AA | must | UD, P, C, S, TS | Agencies must ensure that users transferring data to and from a system are held accountable through agency policies and procedures for the data they transfer. |
---|
867 | 0664 | 4 | Sep-12 | AA | must | C, S, TS | All data transferred to a system of a lesser sensitivity or classification must be approved by a trusted source. |
---|
868 | 0665 | 2 | Nov-10 | AA | must | C, S, TS | Trusted sources must be:
- a strictly limited list derived from business requirements and the result of a security risk assessment
- approved by the accreditation authority.
|
---|
869 | 0657 | 3 | Sep-12 | AA | must | UD, P | Data imported to a system must be scanned for malicious and active content. |
---|
870 | 0658 | 3 | Sep-12 | AA | must | C, S, TS | Data imported to a system must undergo:
- scanning for malicious and active content
- data format checks
- logging of each event
- monitoring to detect overuse/unusual usage patterns.
|
---|
871 | 1187 | 0 | Sep-11 | AA | must | UD, P | When exporting data, agencies must implement protective marking checks. |
---|
872 | 0669 | 2 | Sep-12 | AA | must | C, S, TS | When exporting formatted textual data with no free-text fields and all fields have a predefined set of permitted values, the following activities must be undertaken:
- protective marking checks
- logging of each event
- monitoring to detect overuse/unusual usage patterns
- data format checks
- limitations on data types
- keyword searches
- size limits.
|
---|
873 | 0662 | 3 | Sep-12 | AA | should | UD, P | Data transfers should be performed in accordance with procedures approved by the accreditation authority. |
---|
874 | 0663 | 3 | Sep-12 | AA | must | C, S, TS | Data transfers must be performed in accordance with procedures approved by the accreditation authority. |
---|
875 | 0678 | 1 | Nov-10 | AA | must | P, C, S, TS | When exporting data from an AUSTEO or AGAO system, the following additional activities must be undertaken:
- ensure that keyword searches are performed on all textual data
- ensure that any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator
- develop procedures to prevent AUSTEO and AGAO information in both textual and non-textual formats from being exported.
|
---|
876 | 0659 | 3 | Sep-12 | AA | must | C, S, TS | When importing data to a security domain, or through a gateway, the data must be filtered by a product designed for that purpose. |
---|
877 | 0651 | 3 | Sep-12 | AA | must | C, S, TS | Agencies must block all suspicious data and malicious and active content from entering a security domain. |
---|
878 | 0652 | 1 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must block any data identified by a content filtering process as suspicious until reviewed and approved for transfer by a trusted source other than the originator. |
---|
879 | 1389 | 0 | Feb-14 | AA | should | UD, P, C, S, TS | Email and web content entering a security domain should be automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour. |
---|
880 | 1284 | 0 | Sep-12 | AA | should | UD, P | Agencies should perform validation on all data passing through a content filter, blocking content which fails the validation. |
---|
881 | 1285 | 0 | Sep-12 | AA | must | C, S, TS | Agencies must perform validation on all data passing through a content filter, blocking content which fails the validation. |
---|
882 | 1286 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should perform content/file conversion for all ingress or egress data transiting a security domain boundary. |
---|
883 | 1287 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should perform content/file sanitisation on suitable file types if content/file conversion is not appropriate for data transiting a security domain boundary. |
---|
884 | 1288 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should perform antivirus scans on all content using up-to-date engines and signatures, using multiple different scanning engines. |
---|
885 | 1289 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should extract the contents from archive/container files and subject the extracted files to content filter tests. |
---|
886 | 1290 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should perform controlled inspection of archive/container files to ensure that content filter performance or availability is not adversely affected. |
---|
887 | 1291 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should block files that cannot be inspected and generate an alert or notification. |
---|
888 | 0649 | 2 | Sep-12 | AA | should | UD, P | Agencies should identify, create and enforce a whitelist of permitted content types based on business requirements and the results of a security risk assessment. |
---|
889 | 0650 | 2 | Sep-12 | AA | must | C, S, TS | Agencies must identify, create and enforce a whitelist of permitted content types based on business requirements and the results of a security risk assessment. |
---|
890 | 1292 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should verify the integrity of content where applicable, and block the content if verification fails. |
---|
891 | 0677 | 3 | Sep-12 | AA | must | C, S, TS | If data is signed, agencies must ensure that the signature is validated before the data is exported. |
---|
892 | 1293 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should decrypt and inspect all encrypted content, traffic and data to allow content filtering. |
---|
893 | 0667 | 3 | Sep-12 | AA | must | UD, P, C, S, TS | Agencies must use protective marking checks to restrict the export of data out of each security domain, including through a gateway. |
---|
894 | 0660 | 4 | Sep-12 | AA | must | C, S, TS | When importing data to each security domain, including through a gateway, agencies must audit the complete data transfer logs at least monthly. |
---|
895 | 0673 | 4 | Sep-12 | AA | must | C, S, TS | When exporting data out of each security domain, including through a gateway, agencies must audit the complete data transfer logs at least monthly. |
---|
896 | 1294 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | When importing content to a security domain, including through a gateway, agencies should perform monthly audits of the imported content. |
---|
897 | 1295 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | When exporting content out of a security domain, including through a gateway, agencies should perform monthly audits of the exported content. |
---|
898 | 1077 | 2 | Sep-12 | AA | must | P, C, S, TS | Agencies must implement content filtering to prevent the export of AUSTEO and AGAO data to foreign systems, ensuring that:
- at a minimum, keyword searches are performed on all textual data
- any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator.
|
---|
899 | 1082 | 0 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must develop a policy governing the use of mobile devices. |
---|
900 | 1398 | 0 | Apr-15 | AA | must | UD, P | Agencies must assess and document the risks of using mobile devices, including against ASD's Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD) publication. |
---|
901 | 1195 | 0 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should use a Mobile Device Management solution to ensure their mobile device policy is applied to all mobile devices that are used with their systems. |
---|
902 | 0687 | 4 | Feb-14 | ASD | must not | TS | Agencies must not allow mobile devices to process or store TOP SECRET information unless explicitly approved by ASD to do so. |
---|
903 | 1083 | 1 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must advise personnel of the sensitivities and classifications permitted for data and voice communications when using mobile devices. |
---|
904 | 1399 | 0 | Apr-15 | AA | should | UD | Agencies permitting personnel to access or store sensitive or official information using non-agency owned mobile devices should ensure an agency approved platform with an appropriate security configuration is used. |
---|
905 | 1400 | 0 | Apr-15 | AA | must | P | Agencies permitting personnel to access or store classified information using non-agency owned mobile devices must ensure an ASD approved platform with an appropriate security configuration in accordance with ASD's associated hardening guide for that device is used. |
---|
906 | 1047 | 5 | Apr-15 | AA | should | UD | Agencies permitting personnel to access or store sensitive or official information using non-agency owned mobile devices should implement technical controls to enforce the separation of sensitive or official information from personal information. |
---|
907 | 0693 | 4 | Apr-15 | AA | must | P | Agencies permitting personnel to access or store classified information using non-agency owned mobile devices must implement technical controls to enforce the separation of sensitive information from personal information. |
---|
908 | 0694 | 3 | Apr-13 | AA | must not | C, S, TS | Agencies must not allow non-agency owned mobile devices to access highly classified systems. |
---|
909 | 0172 | 2 | Sep-11 | AA | must not | TS | Agencies must not permit non-agency owned mobile devices to be brought into TOP SECRET areas without prior approval from the accreditation authority. |
---|
910 | 1297 | 0 | Sep-12 | AA | must | UD, P, C, S, TS | Prior to allowing non-agency owned mobile devices to connect to an agency system, agencies must seek legal advice. |
---|
911 | 0869 | 2 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should encrypt information on all mobile devices using at least an AACA. |
---|
912 | 1084 | 1 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies unable to lower the storage and physical transfer requirements of a mobile device to an unclassified level through the use of encryption must physically transfer the device as a sensitive or classified asset in a SCEC endorsed secure briefcase. |
---|
913 | 1085 | 1 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies using mobile devices to communicate sensitive or classified information over public network infrastructure must use encryption approved for communicating such information over public network infrastructure. |
---|
914 | 1145 | 2 | Apr-13 | AA | should | C, S, TS | Agencies should apply privacy filters to the screens of mobile devices. |
---|
915 | 0682 | 3 | Sep-11 | AA | must not | C, S, TS | Agencies must not enable Bluetooth functionality on mobile devices. |
---|
916 | 1196 | 0 | Sep-11 | AA | must | UD, P | Agencies must ensure mobile devices are configured to remain undiscoverable to all other Bluetooth devices except during pairing. |
---|
917 | 1198 | 0 | Sep-11 | AA | must | UD, P | Agencies must ensure Bluetooth pairing is performed so that a connection is only made to the device intended. |
---|
918 | 1199 | 0 | Sep-11 | AA | should | UD, P | Agencies should ensure Bluetooth pairing is only performed for a device required for business needs and pairing that is no longer required is removed from the mobile device. |
---|
919 | 1197 | 0 | Sep-11 | AA | should | UD, P | Agencies should ensure mobile devices are configured to allow only Bluetooth classes that are required. |
---|
920 | 1202 | 0 | Sep-11 | AA | should | UD, P | Agencies should restrict the range of Bluetooth headsets to less than 10 metres by only using class 2 or class 3 devices. |
---|
921 | 1200 | 2 | Apr-13 | AA | must | UD, P | If using Bluetooth on a mobile device, agencies must ensure both pairing devices use Bluetooth version 2.1 or later. |
---|
922 | 1201 | 2 | Apr-13 | AA | must | UD, P | If using Bluetooth on a mobile device, agencies must ensure the device is configured to avoid supporting multiple Bluetooth headset connections. |
---|
923 | 0862 | 1 | Nov-10 | AA | should | UD, P, C, S, TS | Agencies should control the configuration of mobile devices in the same manner as devices in the office environment. |
---|
924 | 0863 | 2 | Apr-13 | AA | should | UD, P, C, S, TS | Agencies allowing mobile devices to access sensitive or classified information should prevent personnel from installing or uninstalling applications on a mobile device once provisioned. |
---|
925 | 0864 | 1 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must prevent personnel from disabling security functions on a mobile device once provisioned. |
---|
926 | 1365 | 0 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should ensure their mobile carrier is able to provide security updates. |
---|
927 | 1366 | 0 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should ensure that mobile devices are able to accept security updates from the mobile carrier as soon as they become available. |
---|
928 | 1367 | 0 | Feb-14 | AA | should | UD, P, C, S, TS | Agencies should implement a policy enforcing compliance with an agency-defined security configuration for mobile devices. |
---|
929 | 0874 | 3 | Apr-13 | AA | should | UD, P | Agencies should ensure that web browsing from a mobile device is through the agency's Internet gateway rather than via a direct connection to the Internet. |
---|
930 | 0705 | 3 | Feb-14 | AA | must | UD, P, C, S, TS | Agencies must disable split tunnelling on devices supporting this functionality when using an agency system via a VPN connection. |
---|
931 | 1356 | 0 | Apr-13 | AA | should not | UD | Agencies should not use paging, Multimedia Message Service, Short Message Service or Instant Messaging to communicate sensitive information. |
---|
932 | 0240 | 4 | Apr-13 | AA | must not | P, C, S, TS | Agencies must not use paging, Multimedia Message Service, Short Message Service or Instant Messaging to communicate classified information. |
---|
933 | 0700 | 4 | Apr-13 | AA | should | UD, P | Agencies should develop an emergency destruction plan for all agency owned mobile devices. |
---|
934 | 0701 | 2 | Nov-10 | AA | must | C, S, TS | Agencies must develop an emergency destruction plan for mobile devices. |
---|
935 | 0702 | 2 | Nov-10 | AA | must | C, S, TS | If a cryptographic zeroise or sanitise function is provided for cryptographic keys on a mobile device, the function must be used as part of the emergency destruction procedures. |
---|
936 | 0866 | 2 | Sep-11 | AA | should | UD, P, C, S, TS | Agencies should ensure personnel are aware not to access or communicate sensitive or classified information in public locations (e.g. public transport, transit lounges and coffee shops) unless extra care is taken to reduce the chance of being overheard or having the screen of the device observed. |
---|
937 | 0870 | 1 | Nov-10 | AA | must | UD, P, C, S, TS | Agencies must ensure mobile devices are carried in a secured state when not being actively used. |
---|
938 | 0871 | 1 | Nov-10 | AA | must | UD, P, C, S, TS | When in use, mobile devices must be kept under continual direct supervision. |
---|
939 | 1298 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Agencies should implement technical controls on mobile devices and conduct user education prior to personnel travelling overseas with a mobile device. |
---|
940 | 1087 | 0 | Nov-10 | AA | must | UD, P, C, S, TS | When travelling with mobile devices and media, personnel must retain control over them at all times; this includes not placing them in checked-in luggage or leaving them unattended for any period of time. |
---|
941 | 1299 | 0 | Sep-12 | AA | should | UD, P, C, S, TS | Personnel should take the following precautions when travelling overseas with a mobile device:
- avoid storing authentication details or tokens and passphrases with the device
- avoid connecting to open Wi-Fi networks
- clear web browser after each session including history, cache, cookies, URL and temporary files
- encrypt emails where possible
- ensure login pages are encrypted before entering passphrases
- avoid connecting to untrusted computers or inserting removable media.
|
---|
942 | 1088 | 2 | Sep-12 | AA | must | UD, P, C, S, TS | If personnel are requested to decrypt mobile devices for inspection by customs personnel, or their mobile device leaves their possession at any time, they must report the potential compromise of information on the device to an ITSM as soon as possible. |
---|
943 | 1300 | 1 | Sep-17 | AA | should | UD, P, C, S, TS | All passphrases associated with a mobile device should be changed upon returning from overseas. |
---|
944 | 0865 | 2 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must ensure that the area in which devices are used meets the requirements in the Australian Government Physical Security Management Protocol. |
---|
945 | 0685 | 3 | Sep-11 | AA | must | UD, P, C, S, TS | Agencies must ensure that when devices are not being actively used they are secured in accordance with the requirements in the Australian Government Physical Security Management Protocol. |
---|
Built by hand back in 2016, and available from http://Mouat.net.au/ism/compare/. If you find this useful, please consider donating to fuel this project.