ISM Versions:
Processed 945 Controls.
9 New Controls.
126 Updated Controls.
810 Unchanged Controls.
0 Deleted Controls.
Total 945 Controls.
 CtlRevUpdateAuthComply Classification Details
112030Sep-12AAmustUD, P, C, S, TSAgencies must identify and analyse security risks to their information and systems.
212041Feb-14AAmustUD, P, C, S, TSSecurity risks deemed unacceptable must be treated.
312051Feb-14AAmustUD, P, C, S, TSAgencies must incorporate the controls contained in the Australian Government Information Security Manual in their security risk management processes.
412061Feb-14AAmustUD, P, C, S, TSSecurity risks deemed acceptable must be formally accepted by the responsible authority, as indicated for each control in this manual, and continually monitored by the agency.
512070Sep-12AAshouldUD, P, C, S, TSAgencies should mitigate residual security risks through the implementation of alternative security measures.
600093Apr-15AAmustUD, P, C, S, TSAgencies must determine system specific security risks that could warrant additional controls to those specified in this manual.
712080Sep-12AAmustUD, P, C, S, TSAgencies must document identified information security risks, as well as the evaluation of those risks and mitigation strategies, in their Security Risk Management Plan.
800073Feb-14AAmustUD, P, C, S, TSAgencies undertaking system design activities for in-house or outsourced projects must use the latest release of this manual for security requirements.
900084Feb-14AAmustUD, P, C, S, TSAgencies must comply with additional or alternative controls as stipulated in device and scenario-specific guidance issued by ASD.
1000015Feb-14ASDmustUD, P, C, S, TSFor any control where the authority field is 'ASD', system owners must seek and be granted approval for non-compliance from the Director ASD in consultation with their accreditation authority.
1110611Feb-14AAmustUD, P, C, S, TSSystem owners seeking approval for non-compliance with any control in this manual must be granted non-compliance from their accreditation authority.
1213790Feb-14N/AmustUD, P, C, S, TSIn circumstances where the agency head and accreditation authority roles are separate, the accreditation authority must ensure the agency head has appropriate oversight of the security risks being accepted on behalf of the agency.
1307103Sep-12AAmustUD, P, C, S, TSSystem owners seeking approval for non-compliance with any control must document:
  • the justification for non-compliance
  • a security risk assessment
  • the alternative mitigation measures to be implemented, if any.
1407114Sep-17AAshouldUD, P, C, S, TSIf a system processes, stores or communicates information from another agency, that agency should be consulted as part of seeking non-compliance with any control.
1507135Apr-15AAshouldUD, P, C, S, TSAgencies should provide a copy of their compliance and non-compliance reports to ASD.
1608763Sep-12AAmustUD, P, C, S, TSAgencies must review decisions to grant non-compliance with any control, including the justification, any mitigation measures and security risks, at least every two years or when significant changes occur to ensure its continuing relevance, adequacy and effectiveness.
1700033Sep-11AAmustUD, P, C, S, TSAgencies must retain a copy of decisions to grant non-compliance with any control from this manual.
1808794Apr-15AAshouldUD, P, C, S, TSSecurity personnel should familiarise themselves with the information security roles and services provided by Australian government agencies and bodies.
1908734May-16AAmustUD, P, C, S, TSAgencies intending to use service providers not on ASD's Certified Cloud Services List (CCSL) must ensure that service providers are located in Australia.
2010732Apr-15AAmust notUD, P, C, S, TSAgency data and computing environments must not be accessed, configured or administered from outside Australian borders by a service provider unless a contractual arrangement exists between the service provider and customer to do so.
2112102Apr-15AAmustUD, P, C, S, TSThe risks of using outsourced cloud services, including those in ASD's cloud computing advice, must be assessed and documented.
2213951Sep-17AAmustUD, PAgencies must only use outsourced cloud services listed on ASD’s CCSL.
2313960Apr-15ASDmustUD, PAgencies proposing to use outsourced cloud services not listed on ASD's CCSL must notify ASD in writing at the earliest opportunity and certainly before entering into or renewing a contract with a cloud service provider.
2413970Apr-15ASDmustC, S, TSAgencies must notify ASD in writing at the earliest opportunity during the initial stages of considering using a cloud service and certainly prior to entering or renewing a contract with a cloud service provider.
2508722Apr-15AAmustUD, P, C, S, TSService providers' systems that are used to provide information technology services, including outsourced cloud services, must be accredited prior to handling government information.
2600724Apr-15AAmustUD, P, C, S, TSAny measures associated with the protection of information entrusted to another party must be documented in contract provisions, a memorandum of understanding or equivalent formal agreement between parties.
2714510Apr-15AAshouldUD, P, C, S, TSWhen entering into a contract or other agreement for information technology services, agencies should explicitly retain contractual ownership over their data.
2814520Apr-15AAshouldUD, P, C, S, TSAgencies should perform a due diligence review of suppliers, including their country of origin, before obtaining software, hardware or services, to assess the potential increase to agency security risk profiles.
2907143Sep-17AAmustUD, P, C, S, TSAgencies must appoint a senior executive, commonly referred to as the CISO, who is responsible for coordinating communication between security and business functions, as well as manage and understand the application of controls and security risk management processes.
3000133Sep-11AAmustUD, P, C, S, TSAgencies must designate an ITSM as the ITSA, to have responsibility for information technology security management across the agency.
3100253Nov-10AAshouldUD, P, C, S, TSAgencies should maintain an email address for their ITSA in the form of [email protected]
3207413Sep-12AAmustUD, P, C, S, TSAgencies must appoint at least one executive, commonly referred to as an ITSM, to manage the day-to-day operations of information security within the agency, in line with the strategic directions provided by the CISO or equivalent.
3307683Sep-17AAmustUD, P, C, S, TSAgencies must appoint at least one officer, commonly referred to as an ITSO, who is expert in administering and configuring a broad range of systems as well as analysing and reporting on information security issues.
3410710Nov-10AAmustUD, P, C, S, TSEach system must have a system owner who is responsible for the operation of the system.
3510720Nov-10AAshouldUD, P, C, S, TSSystem owners should be a member of the Senior Executive Service or in an equivalent management position.
3600272Nov-10AAmustUD, P, C, S, TSSystem owners must obtain and maintain accreditation for their systems.
3700393Sep-17AAmustUD, P, C, S, TSAgencies must have a document that fulfils the purpose of an ISP.
3800401Sep-17AAmustUD, P, C, S, TSEvery system must be covered by a document that fulfils the purpose of an SRMP.
3900411Sep-17AAmustUD, P, C, S, TSEvery system must be covered by a document that fulfils the purpose of an SSP.
4000422Sep-17AAshouldUD, P, C, S, TSSOPs should be developed for systems.
4100432Sep-17AAmustUD, P, C, S, TSAgencies must develop, maintain and implement a document that fulfils the purpose of an IRP and any required supporting procedures.
4208864Sep-17AAshouldUD, P, C, S, TSInformation security documentation should be developed by personnel with a good understanding of both the subject matter and the business requirements.
4300443Sep-17AAshouldUD, P, C, S, TSSRMP, SSP, SOPs and IRP should be logically connected and consistent for each system and with the ISP.
4407871Nov-10AAshouldUD, P, C, S, TSAgencies should create and maintain a document framework including a hierarchical listing of all information security documentation and their relationships.
4508852Sep-11AAshouldUD, P, C, S, TSAgencies should adopt the naming conventions provided in this manual for their information security documentation.
4600462Nov-10AAshouldUD, P, C, S, TSWhen information security documentation development is outsourced, agencies should:
  • review the documents for suitability
  • retain control over the content
  • ensure that all policy requirements are met.
4700472Nov-10AAshouldUD, P, C, S, TSAll information security documentation should be formally approved by a person with an appropriate level of seniority and authority.
4808873Sep-11AAshouldUD, P, C, S, TSAgencies should ensure that:
  • all high-level information security documentation is approved by the agency head or their delegate
  • all system-specific documentation is approved by the system owner and an ITSM.
4911530Nov-10AAshouldUD, P, C, S, TSOnce information security documentation has been approved it should be published and communicated to all stakeholders.
5008883Sep-11AAshouldUD, P, C, S, TSAgencies should review information security documentation:
  • at least annually
  • in response to significant changes in the environment, business or system.
5111540Nov-10AAshouldUD, P, C, S, TSAgencies should record the date of the most recent review on each information security document.
5200492Nov-10AAshouldUD, P, C, S, TSThe ISP should describe information security policies, standards and responsibilities.
5308903Sep-11AAshouldUD, P, C, S, TSThe ISP should cover topics such as:
  • accreditation processes
  • personnel responsibilities
  • configuration control
  • access control
  • networking and connections with other systems
  • physical security and media control
  • emergency procedures and cyber security incident management
  • change management
  • information security awareness and training.
5407881Nov-10AAshouldUD, P, C, S, TSThe SRMP should contain a security risk assessment and a corresponding risk treatment strategy.
5508933Sep-11AAshouldUD, P, C, S, TSAgencies should incorporate their SRMP into their wider agency risk management plan.
5608943Sep-11AAshouldUD, P, C, S, TSAgencies should develop their SRMP in accordance with Australian or international standards for risk management.
5708952Nov-10AAmustUD, P, C, S, TSAgencies must select controls from this manual to be included in the SSP based on the scope of the system with additional system specific controls being included as a result of the associated SRMP or higher level SSP.
5800674Apr-15AAmustUD, P, C, S, TSAgencies must use the latest release of this manual when developing, and updating, their SSPs as part of accreditation and reaccreditation of their systems.
5900513Sep-12AAshouldUD, P, C, S, TSAgencies should develop SOPs for each of the following roles:
  • ITSM
  • ITSO
  • system administrator
  • user.
6007891Nov-10AAshouldUD, P, C, S, TSThe following procedures should be documented in the ITSM's SOPs.[table][head][cell]Topic[/cell][cell]Procedures to be Included[/cell][/head][row][cell]Cyber security incidents[/cell][cell]Reporting and managing cyber security incidents[/cell][/row][/table]
6107902Sep-12AAshouldUD, P, C, S, TSThe following procedures should be documented in the ITSO's SOPs.[table][head][cell]Topic[/cell][cell]Procedures to be Included[/cell][/head][row][cell]Access control[/cell][cell]Authorising access rights to applications and data[/cell][/row][row][cell]Asset musters[/cell][cell]Labelling, registering and mustering assets, including media[/cell][/row][row][cell]Audit logs[/cell][cell]Reviewing system audit trails and manual logs, particularly for privileged users[/cell][/row][row][cell]Configuration control[/cell][cell]Approving and releasing changes to the system software or configurations[/cell][/row][row][cell v=3]Cyber security incidents[/cell][cell]Detecting potential cyber security incidents[/cell][/row][row][cell]Establishing the cause of any cyber security incident, whether accidental or deliberate[/cell][/row][row][cell]Actions to be taken to recover and minimise the exposure from a cyber security incident[/cell][/row][row][cell v=2]Data transfers[/cell][cell]Managing the review of media containing information that is to be transferred off-site[/cell][/row][row][cell]Managing the review of incoming media for viruses or unapproved software[/cell][/row][row][cell]ICT equipment[/cell][cell]Managing the destruction of unserviceable ICT equipment and media[/cell][/row][row][cell v=4]System integrity audit[/cell][cell]Reviewing user accounts, system parameters and access controls to ensure that the system is secure[/cell][/row][row][cell]Checking the integrity of system software[/cell][/row][row][cell]Testing access controls[/cell][/row][row][cell]Inspecting ICT equipment and cables[/cell][/row][row][cell]System maintenance[/cell][cell]Managing the ongoing security and functionality of system software, including: maintaining awareness of current software vulnerabilities, testing and applying software patches/updates/signatures, and applying appropriate hardening techniques[/cell][/row][row][cell]User account management[/cell][cell]Authorising new users[/cell][/row][/table]
6200552Sep-12AAshouldUD, P, C, S, TSThe following procedures should be documented in the system administrator's SOPs.[table][head][cell]Topic[/cell][cell]Procedures to be Included[/cell][/head][row][cell]Access control[/cell][cell]Implementing access rights to applications and data[/cell][/row][row][cell]Configuration control[/cell][cell]Implementing changes to the system software or configurations[/cell][/row][row][cell v=3]System backup and recovery[/cell][cell]Backing up data, including audit logs[/cell][/row][row][cell]Securing backup tapes[/cell][/row][row][cell]Recovering from system failures[/cell][/row][row][cell v=3]User account management[/cell][cell]Adding and removing users[/cell][/row][row][cell]Setting user privileges[/cell][/row][row][cell]Cleaning up directories and files when a user departs or changes roles[/cell][/row][/table]
6300563Sep-12AAshouldUD, P, C, S, TSThe following procedures should be documented in the user's SOPs.[table][head][cell]Topic[/cell][cell]Procedures to be Included[/cell][/head][row][cell]Cyber security incidents[/cell][cell]What to do in the case of a suspected or actual cyber security incident[/cell][/row][row][cell]End of day[/cell][cell]How to secure systems at the end of the day[/cell][/row][row][cell]Media control[/cell][cell]Procedures for handling and using media[/cell][/row][row][cell]Passphrases[/cell][cell]Choosing and protecting passphrases[/cell][/row][row][cell]Temporary absence[/cell][cell]How to secure systems when temporarily absent[/cell][/row][/table]
6400572Sep-12AAshouldUD, P, C, S, TSITSMs, ITSOs, system administrators and users should sign a statement that they have read and agree to abide by their respective SOPs.
6500583Sep-12AAmustUD, P, C, S, TSAgencies must include, as a minimum, the following content in their IRP:
  • broad guidelines on what constitutes a cyber security incident
  • the minimum level of cyber security incident response and investigation training for users and system administrators
  • the authority responsible for initiating investigations of a cyber security incident
  • the steps necessary to ensure the integrity of evidence supporting a cyber security incident
  • the steps necessary to ensure that critical systems remain operational
  • how to formally report cyber security incidents.
6600593Sep-17AAshouldUD, P, C, S, TSAgencies should include the following content in their IRP:
  • clear definitions of the types of cyber security incidents that are likely to be encountered
  • the expected response to each cyber security incident type
  • the authority responsible for responding to cyber security incidents
  • the criteria by which the responsible authority would initiate or request a formal investigation of a cyber security incident by a law enforcement agency, the Australian Cyber Security Centre or other relevant authority
  • other authorities which need to be informed in the event of an investigation being undertaken
  • the details of the system contingency measures or a reference to these details if they are located in a separate document.
6700622Nov-10AAmustUD, P, C, S, TSAgencies must include in evacuation procedures the requirement to secure information and systems before the evacuation; unless the chief warden, to avoid serious injury or loss of life, authorises personnel to evacuate immediately without securing information and systems.
6811590Nov-10AAshouldUD, P, C, S, TSAgencies should include in evacuation procedures the requirement to secure information and systems during the warning phase before the evacuation.
6901182Nov-10AAmustUD, P, C, S, TSAgencies must determine availability requirements for their systems and implement appropriate security measures to support these requirements.
7001195Sep-17AAmustUD, P, C, S, TSAgencies must:
  • back up all information identified as critical to their business
  • store backups of critical information, with associated documented recovery procedures, at a remote location secured in accordance with the requirements for the sensitivity or classification of the information
  • test backup and restoration processes regularly to confirm their effectiveness
  • ensure that backups cannot be maliciously modified/corrupted or deleted without appropriate authorisation.
7109133Apr-15AAmustUD, P, C, S, TSAgencies must develop a business continuity plan.
7209142Sep-11AAshouldUD, P, C, S, TSAgencies should develop a disaster recovery plan.
7307913Sep-17AAmustUD, P, C, S, TSAn accreditation framework must be developed and implemented.
7400646Apr-15AAmustUD, P, C, S, TSSystems must be awarded accreditation before they are used to process, store or communicate sensitive or classified information.
7500764Sep-17AAmust notUD, P, C, S, TSSystems must not process, store or communicate information above the sensitivity or classification for which the system has received accreditation.
7600772Apr-15AAmust notUD, P, C, S, TSSystems must not process, store or communicate caveated or compartmented information unless specifically accredited for such purposes.
7707931Nov-10AAshouldUD, P, C, S, TSFor multinational and multi-agency systems, the certification and accreditation authorities should be determined by a formal agreement between the parties involved.
7812290Sep-12AAmustUD, P, C, SAn agency's accreditation authority must be at least a senior executive with an appropriate level of understanding of the security risks they are accepting on behalf of the agency.
7912301Feb-14ASDmustTSFor TOP SECRET systems, the accreditation authority must be ASD.
8000822Nov-10AAshouldUD, P, C, S, TSBefore beginning the accreditation process, the system owner should advise the certification and accreditation authorities of their intent to seek certification and accreditation for their system.
8107953Apr-15AAmustUD, P, C, S, TSAll systems must undergo certification as part of the accreditation process; unless the accreditation authority is satisfied that if the system is not immediately operational it would have a devastating and potentially long-lasting effect on operations.
8208081Apr-15AAmustUD, P, C, S, TSThe accreditation authority must accept the residual security risk to a system and the information it processes, stores or communicates in order to award accreditation.
8300692Nov-10AAshouldUD, P, C, S, TSAgencies should ensure that the period between accreditations of systems does not exceed two years.
8400702Nov-10AAmustUD, P, C, S, TSAgencies must ensure that the period between accreditations of systems does not exceed three years.
8511412Sep-17AAmustUD, P, C, S, TSAll systems must undergo a security assessment as part of the certification process.
8611421Sep-17AAmustUD, P, C, S, TSThe certification authority must accept the effectiveness of security measures for the system in order to award certification.
8708073Apr-15AAshouldUD, P, C, S, TSThe certification authority should produce a certification report for the accreditation authority outlining the security measures that have been implemented for a system and an assessment of the residual security risk relating to the system and the information that it processes, stores or communicates.
8801007Sep-17AAmustUD, PCommercial or government-provided gateway services intended for use by multiple agencies must undergo an Information Security Registered Assessor Program (IRAP) security assessment and be awarded certification by ASD at least every two years.
8914591Sep-17AAmustUD, PCloud services storing, processing or communicating Australian government information must undergo an Information Security Registered Assessor Program security assessment and be awarded certification by ASD at least every two years.
9009024Apr-15AAshould notUD, P, C, S, TSAssessors of systems should not also be the system owner or certification authority.
9107973Sep-17AAmustUD, P, C, S, TSBefore undertaking the security assessment, the system owner must approve the system architecture and associated documentation.
9209044Sep-17AAshouldUD, P, C, S, TSBefore undertaking a security assessment the system owner should provide a statement of applicability for the system which includes:
  • the version of this manual, and any complementary publications, used for determining security measures
  • controls from this manual that are, and are not, applicable to the system
  • controls from this manual that are applicable but are not being implemented (including the rationale behind these decisions)
  • any additional security measures being implemented.
9307982Apr-15AAmustUD, P, C, S, TSThe system architecture, including associated documentation, must be reviewed by the assessor to determine whether it is based on sound security principles.This includes:
  • determining whether appropriate policies have been developed to protect information that is processed, stored or communicated by the system
  • determining whether the SRMP, SSP, SOPs and IRP are comprehensive and appropriate for the environment the system is to operate in
  • determining whether all relevant controls specified in this manual and supplementary publications are addressed.
9408052Apr-15AAmustUD, P, C, S, TSThe security measures for the system must be reviewed by the assessor to determine whether they have been implemented and are operating effectively.
9508062Apr-15AAmustUD, P, C, S, TSThe assessor must ensure that, where applicable, a currently valid physical security certification has been awarded by an appropriate physical security certification authority.
9611401Apr-15AAmustUD, P, C, S, TSThe assessor must produce a report for the certification authority outlining areas of non-compliance for a system and any suggested remediation actions.
9711632Sep-17AAshouldUD, P, C, S, TSAgencies should implement a vulnerability management strategy by:
  • conducting vulnerability assessments on systems throughout their life cycle to identify vulnerabilities
  • analysing identified vulnerabilities to determine their potential impact and appropriate mitigations or treatments based on effectiveness, cost and existing security controls
  • using a risk-based approach to prioritise the implementation of identified mitigations or treatments
  • monitoring information on new or updated vulnerabilities in operating systems, software and devices as well as other elements which may adversely impact on the security of a system.
9809095Sep-17AAshouldUD, P, C, S, TSAgencies should have vulnerability assessments conducted by suitably skilled personnel independent of the target of the assessment or by an independent third party.
9909115Sep-17AAshouldUD, P, C, S, TSAgencies should conduct vulnerability assessments on systems:
  • before the system is deployed, including conducting assessments during the system design and development stages
  • after a significant change to the system
  • after significant changes to the threats or risks faced by a system – for example, a software vendor announces a critical vulnerability in a product used by the agency at least annually, or as specified by an ITSM or the system owner.
10001122Sep-11AAmustUD, P, C, S, TSAgencies must analyse any vulnerabilities to determine their potential impact on the agency and determine appropriate mitigations or other treatments.
10101133Sep-11AAmustUD, P, C, S, TSAgencies must mitigate or otherwise treat identified vulnerabilities as soon as possible.
10212110Sep-12AAmustUD, P, C, S, TSAgencies must have a formal change management process in place.
10309124Sep-12AAshouldUD, P, C, S, TSAgencies should ensure their change management process includes:
  • a policy which identifies which changes need to go through the formal change management process
  • documenting the changes to be implemented
  • formal approval of the change request
  • maintaining and auditing logs of all changes
  • conducting vulnerability management activities when significant changes have been made to the system
  • testing and implementing the approved changes
  • updating the relevant information security documentation including the SRMP, SSP and SOPs
  • notifying and educating users of the changes that have been implemented as close as possible to the time the change is applied
  • continually educating users in regard to changes.
10401152Nov-10AAmustUD, P, C, S, TSAgencies must ensure that for routine and urgent changes:
  • the change management process, as defined in the relevant information security documentation, is followed
  • the proposed change is approved by the relevant authority
  • any proposed change that could impact the security of a system is submitted to the accreditation authority for approval
  • all associated information security documentation is updated to reflect the change.
10501172Nov-10AAmustUD, P, C, S, TSThe change management process must define appropriate actions to be followed before and after urgent changes are implemented.
10608091Nov-10AAmustUD, P, C, S, TSWhen a configuration change impacts the security of a system, and is subsequently assessed as having changed the overall security risk for the system, the system must undergo reaccreditation.
10701203Sep-17AAmustUD, P, C, S, TSAgencies must develop, implement and maintain data sources, procedures and tools to ensure that:
  • any security alerts generated by systems are investigated
  • systems and data sources are able to be searched for key indicators of compromise including but not limited to IP addresses, domains and file hashes.
10801212Nov-10AAshouldUD, P, C, S, TSAgencies should use the results of the security risk assessment to determine the appropriate balance of resources allocated to prevention as opposed to detection of cyber security incidents.
10901232Nov-10AAmustUD, P, C, S, TSAgencies must direct personnel to report cyber security incidents to an ITSM as soon as possible after the cyber security incident is discovered.
11001243Apr-15AAshouldUD, P, C, S, TSAgencies should:
  • encourage personnel to note and report any observed or suspected security weaknesses in, or threats to, systems or services
  • establish and follow procedures for reporting software malfunctions
  • put mechanisms in place to enable the types, volumes and costs of cyber security incidents and malfunctions to be quantified and monitored
  • manage the violation of information security policies and procedures by personnel through a formal disciplinary process.
11101395Sep-17ASDmustUD, P, C, S, TSAgencies must report cyber security incidents to ASD.
11201404Sep-17ASDmustUD, P, C, S, TSAgencies must formally report cyber security incidents using the CSIR scheme.
11301412Nov-10AAmustUD, P, C, S, TSAgencies that outsource their information technology services and functions must ensure that the service provider consults with the agency when a cyber security incident occurs.
11401421Sep-11AAmustUD, P, C, S, TSAgencies must notify all communications security custodians of any suspected loss or compromise of keying material.
11501436May-16ASDmustUD, P, C, S, TSAgencies must notify ASD of any suspected loss or compromise of High Assurance Cryptographic Equipment or keying material associated with High Assurance Cryptographic Equipment in accordance with ACSI 107.
11601222Nov-10AAmustUD, P, C, S, TSAgencies must detail cyber security incident responsibilities and procedures for each system in the relevant SSP, SOPs and IRP.
11701252Nov-10AAshouldUD, P, C, S, TSAgencies should ensure that all cyber security incidents are recorded in a register.
11801262Nov-10AAshouldUD, P, C, S, TSAgencies should include, at a minimum, the following information in their register:
  • the date the cyber security incident was discovered
  • the date the cyber security incident occurred
  • a description of the cyber security incident, including the personnel and locations involved
  • the action taken
  • to whom the cyber security incident was reported
  • the file reference.
11909163Sep-11AAshouldUD, P, C, S, TSAgencies should use their register as a reference for future security risk assessments.
12001291Sep-09AAmustUD, P, C, S, TSWhen a data spill occurs agencies must assume that the information has been compromised.
12101301Sep-09AAmustUD, P, C, S, TSAgencies must include in standard procedures for all personnel with access to systems a requirement that they notify an ITSM of any data spillage and access to any data which they are not authorised to access.
12201311Apr-15AAmustUD, P, C, S, TSAgencies must document procedures for managing data spills in their IRP.
12301322Apr-15AAmustUD, P, C, S, TSAgencies must treat any data spill as a cyber security incident and follow the IRP to manage it.
12401330Sep-08AAmustUD, P, C, S, TSWhen a data spill occurs, agencies must report the details of the data spill to the information owner.
12501341Nov-10AAmust notUD, P, C, S, TSWhen information is introduced onto a system not accredited to handle the information, personnel must not delete the information until advice is sought from an ITSM.
12601353Feb-14AAshould notUD, P, C, S, TSWhen information is introduced onto a system not accredited to handle the information, personnel should not copy, print or email the information.
12701362Nov-10AAshouldUD, P, C, S, TSWhen information is introduced onto a system not accredited to handle the information, agencies should segregate the affected system from the network.
12809175Feb-14AAshouldUD, P, C, S, TSAgencies should follow the steps described below when malicious code is detected:
  • Isolate the infected system.
  • Decide whether to request assistance from ASD, and if such assistance is requested and agreed to, delay any further action until advised by ASD to continue.
  • Scan all previously connected systems, and any media used in a set period leading up to the cyber security incident, for malicious code.
  • Isolate all infected systems and media to prevent reinfecting the system.
  • Change all passwords and key material stored or potentially accessed from compromised systems.
  • Advise users of any relevant aspects of the compromise, including changing all passphrases on the compromised systems and any other system that uses the same passphrase.
  • Use current antivirus or other internet security software to remove the infection from the systems or media.
  • Report the cyber security incident and perform any other activities specified in the IRP.
  • Where possible, restore a compromised system from a known good backup or rebuild the affected machine.
12912120Sep-12AAshouldUD, P, C, S, TSAgencies considering allowing intrusion activity to continue under controlled conditions for the purpose of scoping the intrusion should inform their accreditation authority.
13001371Sep-12AAmustUD, P, C, S, TSAgencies considering allowing intrusion activity to continue under controlled conditions for the purpose of seeking further information or evidence must seek legal advice.
13101382Nov-10AAshouldUD, P, C, S, TSAgencies should:
  • transfer a copy of raw audit trails onto media for secure archiving, as well as securing manual log records for retention
  • ensure that all personnel involved in the investigation maintain a record of actions undertaken to support the investigation.
13209154Feb-14AAshouldUD, P, C, S, TSAgencies should ensure that any requests for ASD assistance are made as soon as possible after the cyber security incident is detected and that no actions, which could affect the integrity of the evidence, are carried out before ASD's involvement.
13312130Sep-12AAshouldUD, P, C, S, TSAgencies should perform a post-incident analysis of successful intrusions, storing network traffic for at least seven days after the incident.
13412140Sep-12AAshouldUD, P, C, S, TSAgencies operating sites in posts or missions located outside of Australia should contact the Department of Foreign Affairs and Trade to determine requirements.
13508103Sep-17AAmustUD, P, C, S, TSAgencies must ensure that any facility containing a system, including deployable systems, is certified and accredited in accordance with the requirements of the Australian Government Physical Security Management Protocol.
13601574Feb-14AAmustUD, P, C, SAgencies communicating sensitive or classified information over public network infrastructure or over infrastructure in unsecured spaces (Zone One security areas) must use encryption approved for communicating such information over public network infrastructure.
13713581Apr-15ASDmustTSAgencies communicating TOP SECRET or codeword information outside a Zone Five security area boundary must encrypt information using High Assurance Cryptographic Equipment.
13801641Sep-09AAshouldUD, P, C, S, TSAgencies should prevent unauthorised people from observing systems, in particular, displays and keyboards.
13912961Apr-15AAmustUD, P, C, S, TSAgencies must implement physical security measures to protect network devices, especially those in public areas, from physical damage or unauthorised access.
14010531Sep-11AAmustUD, P, C, S, TSAgencies must ensure that servers and network devices are secured in either security containers or rooms as specified in the Australian Government Physical Security Management Protocol.
14108132Sep-11AAmust notUD, P, C, S, TSAgencies must not leave server rooms, communications rooms and security containers or rooms in an unsecured state.
14210741Sep-11AAmustUD, P, C, S, TSAgencies must ensure that keys or equivalent access mechanisms to server rooms, communications rooms and security containers or rooms are appropriately controlled.
14301501Nov-10AAmustUD, P, C, S, TSAgencies operating no-lone zones must suitably signpost the area and have all entry and exit points appropriately secured.
14401593Sep-11AAmustUD, P, C, S, TSAgencies must account for all sensitive and classified ICT equipment and media.
14503362Sep-11AAmustUD, P, C, S, TSAgencies must register all ICT equipment and media with a unique identifier in an appropriate register.
14601613Sep-11AAmustUD, P, C, S, TSAgencies must ensure that ICT equipment and media with sensitive or classified information is secured in accordance with the requirements for storing sensitive or classified information in the Australian Government Physical Security Management Protocol.
14701623Sep-11AAshouldUD, P, C, S, TSAgencies preventing the storage of sensitive or classified information on hard drives and enforcing scrubbing of the operating system's swap files and other temporary data at logoff or shutdown should:
  • assess the security risks associated with such a practice
  • in the SSP specify the processes and conditions for their application.
14802522Nov-10AAmustUD, P, C, S, TSAgencies must provide ongoing information security awareness and training for personnel on information security policies including topics such as responsibilities, consequences of non-compliance, and potential security risks and counter-measures.
14902512Nov-10AAmustUD, P, C, S, TSAgencies must ensure that all personnel who have access to a system have sufficient information security awareness and training.
15002532Sep-11AAshouldUD, P, C, S, TSAgencies should align the exact degree and content of information security awareness and training to a person's roles and responsibilities.
15109223Sep-11AAshouldUD, P, C, S, TSAgencies should ensure that information security awareness and training includes:
  • the purpose of the training or awareness program
  • security appointments and contacts
  • the legitimate use of system accounts, software and information
  • the security of accounts, including shared passphrases
  • security risks associated with unnecessarily exposing email addresses and other personal details
  • authorisation requirements for applications, databases and data
  • the security risks associated with non-agency systems, particularly the Internet
  • reporting any suspected compromises or anomalies
  • reporting requirements for cyber security incidents, suspected compromises or anomalies
  • classifying, marking, controlling, storing and sanitising media
  • protecting workstations from unauthorised access
  • informing the support section when access to a system is no longer needed
  • observing rules and regulations governing the secure operation and authorised use of systems.
15202554Sep-12AAshouldUD, P, C, S, TSAgencies should ensure that information security awareness and training includes advice to personnel not to attempt to:
  • physically damage systems
  • bypass, strain or test security measures
  • introduce or use unauthorised ICT equipment or software on a system
  • assume the roles and privileges of others
  • attempt to gain access to information for which they have no authorisation
  • relocate ICT equipment without proper authorisation.
15302562Sep-12AAmustTSAgencies must provide all users with familiarisation training on the information security policies and procedures and the secure operation of the system before being granted unsupervised access to the system.
15404323Sep-12AAmustUD, P, C, S, TSAgencies must specify in the SSP any authorisations, security clearances and briefings necessary for system access.
15504053Sep-11AAmustUD, P, C, S, TSAgencies must:
  • limit system access on a need-to-know basis
  • have any requests for access to a system authorised by the person's manager
  • provide personnel with the least amount of privileges needed to undertake their duties
  • review system access and privileges at least annually and when personnel change roles
  • when reviewing access, ensure a response from the person's manager confirming the need to access the system is still valid, otherwise access will be removed.
15604073Sep-17AAshouldUD, P, C, S, TSAgencies should:
  • maintain a secure record of:[ul][li]all personnel authorised to access a system
  • their user identification
  • who provided the authorisation to access the system
  • when the authorisation was granted
  • when the access was last reviewed
  • when the access was removed.
[/li]
  • maintain the record for the life of the system to which access is granted.
    • [/ul]
    15704344Apr-15AAmustUD, P, C, S, TSAgencies must ensure that personnel undergo an appropriate employment screening, and where necessary hold an appropriate security clearance, according to the requirements in the Australian Government Personnel Security Management Protocol before being granted access to a system.
    15804351Sep-11AAmustUD, P, C, S, TSAll personnel must have received any necessary briefings before being granted access to a system.
    15904404Sep-17AAmustP, C, S, TSAgencies must follow the requirements for temporary access to classified information in the Australian Government Personnel Security Management Protocol before granting personnel temporary access to a system.
    16004414Sep-12AAmustP, C, S, TSAgencies granting personnel temporary access to a system must ensure that either:
    • effective controls are in place to restrict access to only information that is necessary to undertake their duties
    • they are continually supervised by another user who has the appropriate security clearances to access the system.
    16104424Sep-17AAmustP, C, S, TSAgencies must follow the requirements for temporary access to classified information in the Australian Government Personnel Security Management Protocol before granting personnel emergency access to a system.
    16204432Sep-11AAmust notP, C, S, TSAgencies must not grant personnel temporary access or emergency access to systems that process, store or communicate caveated or compartmented information.
    16308172Sep-17AAmustUD, P, C, S, TSAgencies must ensure personnel know how to report any suspicious contact and what suspicious contact is, especially contact from external sources using online services.
    16408183Sep-17AAmustUD, P, C, S, TSAgencies must make personnel aware of their online services and usages policies.
    16508191Sep-17AAshouldUD, P, C, S, TSAgencies should implement measures to monitor their personnel’s compliance with the agency’s online services usage policies.
    16608203Sep-17AAmustUD, P, C, S, TSAgencies must ensure personnel are instructed to take special care not to post sensitive or classified information to public online services and how to report cases where such information is posted.
    16711461Sep-17AAmustUD, P, C, S, TSAgencies must ensure personnel posting information to online services maintain separate professional accounts from any personal accounts they have for online services.
    16811472Sep-17AAshouldUD, P, C, S, TSAgencies should ensure personnel are aware of the approved online services where information authorised for release to the public domain can be posted.
    16908211Nov-10AAshouldUD, P, C, S, TSAgencies should ensure that personnel are informed of the security risks associated with posting personal information on websites, especially for those personnel holding higher level security clearances.
    17011482Sep-17AAshouldUD, P, C, S, TSPersonnel should use the privacy settings on online services to restrict access to personal information they post to only those they authorise to view it.
    17108230Sep-09AAshould notUD, P, C, S, TSAgencies should not allow personnel to use peer-to-peer applications over the Internet.
    17208241Sep-11AAshould notUD, P, C, S, TSAgencies should not allow personnel to send or receive files via peer-to-peer applications.
    17301811Sep-09AAmustUD, P, C, S, TSAgencies must install all cables in accordance with the relevant Australian Standards as directed by the Australian Communications and Media Authority.
    17409264Sep-12AAshouldUD, P, C, SAgencies should comply with the cable colours specified in the following table.[table][head][cell]System[/cell][cell]Cable Colour[/cell][/head][row][cell]SECRET[/cell][cell]Pink[/cell][/row][row][cell]CONFIDENTIAL[/cell][cell]Green[/cell][/row][row][cell]PROTECTED[/cell][cell]Blue[/cell][/row][row][cell]Unclassified (DLM)[/cell][cell]Black or Grey[/cell][/row][/table]
    17501863Sep-12AAmustUD, P, C, S, TSIn TOP SECRET areas, agencies must comply with the cable colours specified in the following table.[table][head][cell]System[/cell][cell]Cable Colour[/cell][/head][row][cell]TOP SECRET[/cell][cell]Red[/cell][/row][row][cell]SECRET[/cell][cell]Pink[/cell][/row][row][cell]CONFIDENTIAL[/cell][cell]Green[/cell][/row][row][cell]PROTECTED[/cell][cell]Blue[/cell][/row][row][cell]Unclassified (DLM)[/cell][cell]Black or Grey[/cell][/row][/table]
    17608250Sep-09AAshould notUD, P, C, SAgencies should not allow cable colours for foreign systems installed in Australian facilities to be the same colour as cables used for Australian systems.
    17708270Sep-09AAmust notTSAgencies must not allow cable colours for foreign systems installed in Australian facilities to be the same colour as cables used for Australian systems.
    17808260Sep-09AAshouldUD, P, C, SThe cable colour to be used for foreign systems should be agreed between the host agency, the foreign system owner and the accreditation authority.
    17908280Sep-09AAmustTSThe cable colour to be used for foreign systems must be agreed between the host agency, the foreign system owner and the accreditation authority.
    18012150Sep-12AAmustUD, P, C, SAgencies that are non-compliant with cable colouring must band cables with the classification colour at the inspection points.
    18112160Sep-12AAmustUD, P, C, S, TSIn TOP SECRET areas, no matter the classification of the system, agencies that are non-compliant with cable colouring must band and label the cables with the classification at the inspection points.
    18201874Sep-12AAmust notUD, P, C, S, TSAgencies must not deviate from the approved group combinations for cables as indicated below.[table][head][cell]Group[/cell][cell]Approved Combination[/cell][/head][row][cell v=2]1[/cell][cell]Unclassified (DLM)[/cell][/row][row][cell]PROTECTED[/cell][/row][row][cell v=2]2[/cell][cell]CONFIDENTIAL[/cell][/row][row][cell]SECRET[/cell][/row][row][cell]3[/cell][cell]TOP SECRET[/cell][/row][/table]
    18301891Nov-10AAmustUD, P, C, S, TSWith fibre optic cables the fibres in the sheath, as shown below, must only carry a single group.[IMG-0]
    18401901Nov-10AAmustUD, P, C, S, TSIf a fibre optic cable contains subunits, as shown below, each subunit must only carry a single group; however, each subunit in the cable can carry a different group.[IMG-1]
    18510980Nov-10AAshouldUD, P, C, SCables should terminate in either:
    • individual cabinets
    • one cabinet with a division plate to delineate classifications for small systems.
    18610990Nov-10AAmustUD, P, C, SIn TOP SECRET areas, cables must terminate in either:
    • individual cabinets
    • one cabinet with a division plate to delineate classifications for small systems.
    18711000Nov-10AAmustTSTOP SECRET cables must terminate in an individual TOP SECRET cabinet.
    18811010Nov-10AAshouldUD, P, C, S, TSReticulation systems leading into cabinets in secured communications and server rooms should terminate as close as possible to the cabinet.
    18911020Nov-10AAshouldUD, P, C, SReticulation systems leading into cabinets not in a secure communications or server room should terminate as close as possible to the cabinet.
    19011030Nov-10AAmustUD, P, C, S, TSIn TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room must terminate at the boundary of the cabinet.
    19101981Nov-10AAmustTSWhen penetrating an audio secured space, agencies must consult with ASIO and comply with all directions provided.
    19211040Nov-10AAmustUD, P, C, SCable groups sharing a wall outlet must:
    • use fibre optic cables
    • use different connectors on opposite sides of the wall outlet for each group.
    19311050Nov-10AAmust notTSTOP SECRET cables must not share a wall outlet with another classification.
    19411060Nov-10AAmustTSIn areas containing outlets for both TOP SECRET systems and systems of other classifications, agencies must ensure that the connectors for the TOP SECRET systems are different from those of the other systems.
    19511070Nov-10AAmust notUD, P, C, SWall outlets must not be coloured red.
    19611080Nov-10AAmustTSWall outlets must be coloured red.
    19711090Nov-10AAshouldUD, P, C, SFaceplates on wall outlets should be clear plastic.
    19811100Nov-10AAmustUD, P, C, S, TSIn TOP SECRET areas, faceplates on wall outlets must be clear plastic.
    19911110Nov-10AAshouldUD, P, C, S, TSAgencies should use fibre optic cables
    20011121Sep-11AAshouldUD, P, C, S, TSAgency cables should be inspectable at a minimum of five-metre intervals.
    20111140Nov-10AAshouldUD, P, C, S, TSApproved cable groups can share a common reticulation system but should have either a dividing partition or a visible gap between the differing cable groups.
    20211151Sep-11AAshouldUD, P, C, S, TSAgencies should use flexible or plastic conduit in walls to run cables from cable trays to wall outlets.
    20311161Sep-11AAshouldTSAgencies should ensure there is a visible gap between TOP SECRET cabinets and cabinets of a lower classification.
    20411170Nov-10AAshouldUD, P, C, S, TSAgencies should use fibre optic cables
    20511180Nov-10AAshouldUD, P, C, SCables should be inspectable at a minimum of five-metre intervals.
    20611190Nov-10AAshouldUD, P, C, S, TSIn TOP SECRET areas, cables should be fully inspectable for their entire length.
    20711200Nov-10AAshouldUD, P, C, S, TSApproved cable groups can share a common reticulation system but should have either a dividing partition or a visible gap between the individual cable groups.
    20811210Nov-10AAshouldUD, P, C, S, TSCables from cable trays to wall outlets should run in flexible or plastic conduit.
    20911220Nov-10AAshouldTSFor wall penetrations that exit into a lower classified space, cables should be encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound.
    21011231Sep-12AAshouldTSTOP SECRET facilities should have a power distribution board located in the TOP SECRET area with a feed from an Uninterruptible Power Supply (UPS) to power all ICT equipment.
    21111241Sep-11AAshouldTSAgencies should ensure there is a visible gap between TOP SECRET cabinets and cabinets of a lower classification.
    21211250Nov-10AAshouldUD, P, C, SAgencies should use fibre optic cables
    21301821Nov-10AAmustUD, P, C, S, TSIn TOP SECRET areas, agencies must use fibre optic cables
    21411260Nov-10AAshouldUD, P, C, S, TSCables should be inspectable at a minimum of five-metre intervals.
    21501841Nov-10AAmustUD, P, C, S, TSIn TOP SECRET areas, cables must be fully inspectable for their entire length.
    21611270Nov-10AAshouldUD, P, C, SApproved cable groups can share a common reticulation system but should have either a dividing partition or a visible gap between the differing cable groups.
    21711280Nov-10AAmustUD, P, C, SIn TOP SECRET areas, approved cable groups can share a common reticulation system but must have either a dividing partition or a visible gap between the differing cable groups.
    21811291Sep-11AAmust notTSTOP SECRET cables must not share a common reticulation system, unless it is in an enclosed reticulation system and has dividing partitions or visible gaps between the differing cable groups.
    21911301Sep-11AAshouldUD, P, C, SCables should be run in an enclosed cable reticulation system.
    22011311Sep-11AAmustUD, P, C, S, TSIn TOP SECRET areas, cables must be run in an enclosed cable reticulation system.
    22111640Sep-11AAshouldUD, P, C, SConduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings should be clear plastic.
    22211651Sep-12AAmustUD, P, C, S, TSIn TOP SECRET areas, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings must be clear plastic.
    22311320Nov-10AAmustUD, P, C, S, TSCables from cable trays to wall outlets must run in flexible or plastic conduit.
    22411330Nov-10AAmust notTSCables must not run in a party wall.
    22501941Nov-10AAmustTSAgencies must use a visible smear of conduit glue to seal:
    • all plastic conduit joints
    • conduit runs connected by threaded lock nuts.
    22601952Sep-11AAmustTSAgencies must use SCEC endorsed tamper evident seals to seal all removable covers on reticulation systems, including:
    • box section front covers
    • conduit inspection boxes
    • outlet and junction boxes
    • T-pieces.
    22701961Nov-10AAmustTSTamper evident seals must be uniquely identifiable.
    22811340Nov-10AAmustTSFor wall penetrations that exit into a lower classified space, cables must be encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound.
    22911350Nov-10AAmustTSTOP SECRET facilities must have a power distribution board located in the TOP SECRET area with a feed from a UPS to power all ICT equipment.
    23011361Sep-11AAmustTSAgencies must ensure there is a visible gap between TOP SECRET cabinets and cabinets of a lower classification.
    23102011Nov-10AAmustTSLabels for TOP SECRET conduits must be:
    • a minimum size of 2.5cm x 1cm
    • attached at 5m intervals
    • marked as 'TS RUN'.
    23202021Nov-10AAmustTSConduit labels in areas where uncleared personnel could frequently visit must have red text on a clear background.
    23302031Nov-10AAmustTSConduit labels in areas that are not clearly observable must have red text on a white background.
    23402041Nov-10AAshouldUD, P, C, S, TSConduit labels installed in public or visitor areas should not draw undue attention from people who do not have a need-to-know of the existence of such cables.
    23510950Nov-10AAshouldUD, P, C, SWall outlet boxes should denote the classification, cable number and outlet number.
    23602051Nov-10AAmustTSWall outlet boxes must denote the classification, cable number and outlet number.
    23702063Feb-14AAshouldUD, P, C, S, TSSite conventions for labelling and registration should be documented in an agency's SOPs.
    23810960Nov-10AAshouldUD, P, C, SAgencies should label cables at each end, with sufficient source and destination details to enable the physical identification and inspection of the cable.
    23902071Nov-10AAmustTSAgencies must label cables at each end, with sufficient source and destination details to enable the physical identification and inspection of the cable.
    24002080Sep-08AAshouldUD, P, C, SAgencies should maintain a register of cables.
    24102101Nov-10AAmustTSAgencies must maintain a register of cables.
    24202092Nov-10AAshouldUD, P, C, SThe cable register should record at least the following information:
    • cable identification number
    • classification
    • source
    • destination
    • site/floor plan diagram
    • seal numbers if applicable.
    24310970Nov-10AAmustUD, P, C, S, TSFor cables in TOP SECRET areas, the cable register must record at least the following information:
    • cable identification number
    • classification
    • source
    • destination
    • site/floor plan diagram
    • seal numbers if applicable.
    24402112Sep-12AAshouldUD, P, C, S, TSAgencies should inspect cables for inconsistencies with the cable register in accordance with the frequency defined in the SSP.
    24502131Nov-10AAmustUD, P, C, S, TSAgencies must ensure that only approved cable groups terminate on a patch panel.
    24610931Sep-17AAshouldUD, P, C, SIn areas containing cables for systems of different classifications, connectors for each system should be different from those of the other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification.
    24702142Nov-10AAmustTSIn areas containing cables for both TOP SECRET systems and systems of other classifications, agencies must ensure that the connectors for the TOP SECRET systems are different from those of the other systems.
    24810940Nov-10AAshouldUD, P, C, SIn areas containing cables for systems of different classifications, agencies should document the selection of connector types.
    24902152Nov-10AAmustTSIn areas containing cables for both TOP SECRET systems and systems of other classifications, agencies must document the selection of connector types for TOP SECRET systems.
    25002161Nov-10AAshouldTSAgencies should physically separate TOP SECRET and non-TOP SECRET patch panels by installing them in separate cabinets.
    25102173Sep-12AAmustTSWhere spatial constraints demand patch panels of a lower classification than TOP SECRET be located in the same cabinet, agencies must:
    • provide a physical barrier in the cabinet to separate patch panels
    • ensure that only personnel holding a TOP SECRET security clearance have access to the cabinet
    • obtain approval from the relevant accreditation authority prior to installation.
    25202182Sep-17AAshouldTSAgencies should ensure that the fibre optic fly leads used to connect wall outlets to ICT equipment either:
    • do not exceed 5m in length, or
    • if they exceed 5m in length, they:[ul][li]are run in the facility's fixed infrastructure in a protective and easily inspected pathway
    • are clearly labelled at the equipment end with the wall outlet designator
    • are approved by the accreditation authority.
    [/li][/ul]
    25302472Feb-14AAmustC, S, TSAgencies designing and installing systems with Radio Frequency (RF) transmitters inside or co-located with their facility must:
    • contact ASD for an emanation security threat assessment in accordance with the latest version of ACSI 71
    • install cables and ICT equipment in accordance with this manual plus any specific installation criteria derived from the emanation security threat assessment.
    25402484Sep-17AAmustUD, P, C, SAgencies designing and installing systems with RF transmitters that will be co-located with systems of a higher classification must:
    • contact ASD for an emanation security threat assessment in accordance with the latest version of ACSI 71
    • install cables and ICT equipment in accordance with this manual, plus any specific installation criteria derived from the emanation security threat assessment.
    25511371Feb-14AAmustTSAgencies designing and installing systems in shared facilities with non-Australian government entities must:
    • contact ASD for an emanation security threat assessment in accordance with the latest version of ACSI 71
    • install cables and ICT equipment in accordance with this manual plus any specific installation criteria derived from the emanation security threat assessment.
    25609324Feb-14AAshouldUD, PAgencies deploying systems overseas should:
    • contact ASD for emanation security threat advice
    • install cables and ICT equipment in accordance with this manual plus any specific installation criteria derived from the emanation security threat assessment.
    25702492Feb-14AAmustC, S, TSAgencies deploying systems overseas in military and fixed locations must:
    • contact ASD for an emanation security threat assessment in accordance with the latest version of ACSI 71
    • install cables and ICT equipment in accordance with this manual plus any specific installation criteria derived from the emanation security threat assessment.
    25802462Sep-17AAshouldUD, P, C, S, TSAgencies needing an emanation security threat assessment should seek one as early as possible in project life cycles as emanation security controls can have significant cost implications.
    25902502Nov-10AAmustTSAgencies must ensure that ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility.
    26002211Nov-10AAmust notTSWireless RF pointing devices must not be used in TOP SECRET areas unless used in an RF screened building.
    26102221Sep-09AAshouldUD, PAgencies using infrared keyboards should ensure that infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space.
    26202233Sep-11AAmust notC, SAgencies using infrared keyboards must not allow:
    • line of sight and reflected communications travelling into an unsecured space
    • multiple infrared keyboards for different systems in the same area
    • other infrared devices in the same area
    • infrared keyboards to be operated in areas with unprotected windows.
    26302243Sep-11AAmust notTSAgencies using infrared keyboards must not allow:
    • line of sight and reflected communications travelling into an unsecured space
    • multiple infrared keyboards for different systems in the same area
    • other infrared devices in the same area
    • infrared keyboards in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them.
    26410580Nov-10AAshould notUD, PAgencies should not use Bluetooth and wireless keyboards unless in an RF screened building.
    26511550Nov-10AAmust notC, S, TSAgencies must not use Bluetooth and wireless keyboards unless in an RF screened building.
    26611660Sep-11AAmustUD, PAgencies must use Bluetooth version 2.1 or later if Bluetooth keyboards are used.
    26711670Sep-11AAshouldUD, PAgencies should restrict the range of Bluetooth keyboards to less than 10 metres by only using class 2 or class 3 devices.
    26808300Sep-09AAshouldP, C, SAgencies should prevent RF devices from being brought into secured spaces unless authorised by the accreditation authority.
    26902251Sep-09AAmustTSAgencies must prevent RF devices from being brought into TOP SECRET areas unless authorised by the accreditation authority.
    27008292Sep-11AAshouldC, S, TSAgencies should deploy security measures to detect and respond to active RF devices in secured spaces.
    27109293Sep-11AAshouldUD, P, C, S, TSAgencies should limit the effective range of communications outside their area of control by either:
    • minimising the output power level of wireless devices
    • RF shielding.
    27205881Nov-10AAmustUD, P, C, S, TSAgencies must develop a policy governing the use of fax machines and MFDs.
    27310921Apr-15AAmustUD, P, C, S, TSAgencies must have separate fax machines or MFDs for sending classified and unclassified fax messages.
    27402412Nov-10AAmustUD, P, C, S, TSAgencies sending sensitive or classified fax messages must ensure that the fax message is encrypted to an appropriate level when communicated over unsecured telecommunications infrastructure or the PSTN.
    27502424Feb-14ASDmustC, S, TSAgencies intending to use fax machines or MFDs to send classified information must comply with additional requirements in ACSI 129 and ACSI 131.
    27610750Nov-10AAshouldUD, P, C, S, TSThe sender of a fax message should make arrangements for the receiver to:
    • collect the fax message as soon as possible after it is received
    • notify the sender if the fax message does not arrive in an agreed amount of time.
    27702443Sep-11AAshould notUDAgencies should not enable a direct connection from a MFD to a digital telephone network unless the telephone network is accredited to at least the same level as the computer network to which the device is connected.
    27802453Sep-11AAmust notP, C, S, TSAgencies must not enable a direct connection from a MFD to a digital telephone network unless the telephone network is accredited to at least the same level as the computer network to which the device is connected.
    27905903Apr-15AAshouldUD, P, C, S, TSWhere MFDs connected to computer networks have the ability to communicate via a gateway to another network, agencies should ensure that:
    • each MFD applies user identification, authentication and audit functions for all information communicated by that device
    • these mechanisms are of similar strength to those specified for workstations on that network
    • each gateway can identify and filter the information in accordance with the requirements for the export of data via a gateway.
    28005893Sep-11AAmust notUD, P, C, S, TSAgencies must not permit MFDs connected to computer networks to be used to copy documents above the sensitivity or classification of the connected network.
    28110362Sep-11AAshouldUD, P, C, S, TSAgencies should ensure that fax machines and MFDs are located in an area where their use can be observed.
    28210780Nov-10AAmustUD, P, C, S, TSAgencies must develop a policy governing the use of telephones and telephone systems.
    28302292Nov-10AAmustUD, P, C, S, TSAgencies must advise personnel of the permitted sensitive or classified information that can be discussed on both internal and external telephone connections.
    28402302Nov-10AAshouldUD, P, C, S, TSAgencies should advise personnel of the audio security risk posed by using telephones in areas where sensitive or classified conversations can occur.
    28502310Sep-08AAshouldUD, P, C, S, TSAgencies permitting different levels of conversation for different kinds of connections should use telephones that give a visual indication of what kind of connection has been made.
    28602322Nov-10AAmustUD, P, C, S, TSAgencies intending to use telephone systems for the transmission of sensitive or classified information must ensure that:
    • the system has been accredited for the purpose
    • all sensitive or classified traffic that passes over external systems is appropriately encrypted.
    28702332Nov-10AAmust notUD, P, C, S, TSAgencies must not use cordless telephones for sensitive or classified conversations.
    28802340Sep-08AAmust notUD, P, C, S, TSAgencies must not use cordless telephones in conjunction with secure telephony devices.
    28902352Nov-10AAmust notTSAgencies must not use speakerphones on telephones in TOP SECRET areas unless:
    • it is located in a room rated as audio secure
    • the room is audio secure during any conversations
    • only personnel involved in discussions are present in the room.
    29002363Sep-11AAshouldUD, P, C, SAgencies should ensure that off-hook audio protection features are used on all telephones that are not accredited for the transmission of sensitive or classified information in areas where such information could be discussed.
    29109313Sep-11AAshouldSAgencies should use push-to-talk handsets in open areas, and where telephones are shared.
    29202372Nov-10AAmustTSAgencies must ensure that off-hook audio protection features are used on all telephones that are not accredited for the transmission of classified information in areas where such information could be discussed.
    29302380Sep-08AAshouldTSAgencies should use push-to-talk handsets to meet the requirement for off-hook audio protection.
    29413535Sep-17AAmustUD, P, C, S, TSAgencies, at a minimum, must implement the controls indicated in the following table on all systems able to receive emails or browse web content originating in a different security domain.[table][head][cell h=3]TOP 4 MITIGATION STRATEGIES[/cell][/head][head][cell]Mitigation strategy[/cell][cell]Chapter and section of ISM[/cell][cell]Control numbers[/cell][/head][row][cell]Application whitelisting[/cell][cell]Software Security - Standard operating environments[/cell][cell]0843, 0846, 0955, 1391, 1392[/cell][/row][row][cell]Patch applications[/cell][cell]Software Security - Software Patching[/cell][cell]0300, 0303, 0304, 0940, 0941, 1143, 1144[/cell][/row][row][cell]Patch operating systems[/cell][cell]Software Security - Software Patching[/cell][cell]0300, 0303, 0304, 0940, 0941, 1143, 1144[/cell][/row][row][cell v=2]Restrict administrative privileges[/cell][cell]Access Control - Privileged Access[/cell][cell]0445, 0985, 1175[/cell][/row][row][cell]Personnel Security for Systems - Authorisations, Security Clearances and Briefings[/cell][cell]0405[/cell][/row][/table]
    29513541Sep-17AAmustUD, P, C, S, TSAgencies must adopt a risk management approach and implement alternative security controls for:
    • technologies that lack available software to enforce the mandatory controls
    • scenarios or circumstances that prevent enforcement of the mandatory controls.
    29613552Feb-14AAmustUD, P, C, S, TSAgencies must provide information relating to implementation of the mandatory ISM controls upon request from ASD
    29702792Nov-10AAshouldUD, P, C, S, TSAgencies should select products that have their desired security functionality in the scope of the product's evaluation and are applicable to the intended environment.
    29802805Apr-15AAmustUD, P, C, S, TSAgencies must select a product with the required security functionality that has completed a Protection Profile evaluation in preference to one that has completed an EAL-based evaluation.
    29902825Apr-15AAmust notUD, P, C, S, TSAgencies must not use unevaluated products, unless the risks have been appropriately accepted and documented.
    30004633Sep-12AAmustUD, P, C, S, TSAgencies must check product evaluation documentation, where available, to determine any product specific requirements.
    30104643Sep-12AAmustUD, P, C, S, TSAgencies must comply with all product specific requirements outlined in product evaluation documentation.
    30202836Apr-15AAmustUD, P, C, S, TSAgencies selecting High Assurance products must contact ASD and comply with any product specific requirements.
    30313422Apr-15AAmustC, S, TSAgencies must comply with specific guidance on High Assurance products for handling information classified CONFIDENTIAL and above.
    30413431Feb-14AAmustUD, P, C, S, TSWhen using products with converged elements, agencies must apply the relevant sections of this manual for each discrete element.
    30502850Sep-08AAshouldUD, P, C, S, TSAgencies should ensure that products are delivered in a manner consistent with any delivery procedures defined in associated documentation.
    30602864Feb-14ASDmustUD, P, C, S, TSAgencies procuring High Assurance products must contact ASD and comply with any product specific delivery procedures.
    30709374Sep-17AAshouldUD, P, C, S, TSAgencies should ensure that products purchased, without the delivery assurances provided through the use of formally evaluated procedures, are delivered in a manner that provides confidence that they receive the product that they expected to receive - and in an unaltered state.
    30802842Sep-11AAshouldUD, P, C, S, TSAgencies should:
    • verify the integrity of software using vendor supplied checksums when available
    • validate the software's interaction with the operating system and network in a test environment prior to use on operational systems.
    30902872Sep-11AAshouldUD, P, C, S, TSAgencies should ensure that leasing agreements for products take into account the:
    • difficulties that could be encountered when the product needs maintenance
    • difficulties that could be encountered in sanitising a product before returning it
    • the possible requirement for destruction if sanitisation cannot be performed.
    31009383Sep-11AAshouldUD, P, C, S, TSAgencies should choose products from developers that have made a commitment to the continuing maintenance of the assurance of their product.
    31102891Sep-09AAshouldUD, P, C, S, TSAgencies should install, configure, operate and administer evaluated products in accordance with available documentation resulting from the product's evaluation.
    31202904Feb-14ASDmustUD, P, C, S, TSAgencies must ensure that High Assurance products are installed, configured, operated and administered in accordance with all product specific guidance produced by ASD.
    31302914Sep-17AAmustUD, P, C, S, TSAgencies wishing to use an evaluated product in an unevaluated configuration must undertake a security risk assessment including:
    • the necessity for the unevaluated configuration
    • testing of the unevaluated configuration in the agency's environment
    • documentation of any new vulnerabilities introduced due to the product being used outside of its evaluated configuration.
    31402924Feb-14ASDmust notUD, P, C, S, TSHigh Assurance products must not be used in an unevaluated configuration.
    31502933Sep-11AAmustUD, P, C, S, TSAgencies must classify ICT equipment based on the sensitivity or classification of information for which the equipment and any associated media in the equipment are approved for processing, storing or communicating.
    31602943Apr-13AAmustUD, P, C, S, TSAgencies must clearly label all ICT equipment capable of storing information, with the exception of High Assurance products, with the appropriate protective marking.
    31711680Sep-11AAmustUD, P, C, S, TSWhen using non-textual protective markings for ICT equipment due to operational security reasons, agencies must document the labelling scheme and train personnel appropriately.
    31802963Feb-14ASDmustUD, P, C, S, TSAgencies must seek ASD authorisation before applying labels to external surfaces of High Assurance products.
    31910793Feb-14ASDmustUD, P, C, S, TSAgencies must have ASD approval before undertaking any repairs to High Assurance products.
    32003053Sep-11AAshouldUD, P, C, S, TSWhere possible, maintenance and repairs for ICT equipment should be carried out on-site by an appropriately cleared technician.
    32103071Nov-10AAshouldUD, P, C, S, TSIf an uncleared technician is used to undertake maintenance or repairs of ICT equipment, agencies should sanitise and reclassify or declassify the equipment and associated media before maintenance or repair work is undertaken.
    32203063Sep-11AAmustUD, P, C, S, TSIf an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician must be escorted by someone who:
    • is appropriately cleared and briefed
    • takes due care to ensure that sensitive or classified information is not disclosed
    • takes all responsible measures to ensure the integrity of the equipment
    • has the authority to direct the technician.
    32303081Nov-10AAshouldUD, P, C, S, TSAgencies should ensure that the ratio of escorts to uncleared technicians allows for appropriate oversight of all activities.
    32409433Sep-11AAshouldUD, P, C, S, TSIf an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician should be escorted by someone who is sufficiently familiar with the equipment to understand the work being performed.
    32503103Sep-11AAmustUD, P, C, S, TSAgencies having ICT equipment maintained or repaired off-site must ensure that the physical transfer, processing and storage requirements are appropriate for the sensitivity or classification of the equipment and that procedures are complied with at all times.
    32609443Sep-11AAshouldUD, P, C, S, TSAgencies having ICT equipment maintained or repaired off-site should treat the equipment as per the requirements for the highest classification processed, stored or communicated in the area that the equipment will be returned to.
    32703132Sep-17AAmustUD, P, C, S, TSAgencies must have a documented process for the sanitisation and disposal of ICT equipment.
    32803114Apr-15AAmustUD, P, C, S, TSWhen disposing of ICT equipment containing sensitive or classified media, agencies must sanitise the equipment by either:
    • sanitising the media within the equipment
    • removing the media from the equipment, then sanitising or destroying the media individually and disposing of it separately
    • destroying the equipment in its entirety.
    32912170Sep-12AAmustUD, P, C, S, TSWhen disposing of ICT equipment, agencies must remove labels and markings indicating the classification, code words, caveats, owner, system or network name, or any other marking that can associate the equipment with its original use.
    33003154Feb-14ASDmustUD, P, C, S, TSAgencies must contact ASD and comply with any requirements for the disposal of High Assurance products.
    33103212Feb-14ASDmustUD, P, C, S, TSAgencies must contact ASD and comply with any requirements for disposing of TEMPEST rated ICT equipment.
    33212180Sep-12AAshouldP, C, S, TSICT equipment and associated media that is located overseas and has processed or stored AUSTEO or AGAO information should be sanitised in situ where possible.
    33303123Sep-12AAmustP, C, S, TSICT equipment and associated media that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised must be returned to Australia for destruction.
    33403161Nov-10AAmustUD, P, C, S, TSAgencies must formally authorise the disposal of ICT equipment, or waste, into the public domain.
    33514550Apr-15AAmustUD, P, C, S, TSAgencies must inspect printers and MFDs for the presence of memory devices and sanitise or destroy them.
    33603172Sep-12AAmustUD, P, C, S, TSAgencies must print at least three pages of random text with no blank areas on each colour printer cartridge or MFD print drum.
    33712190Sep-12AAshouldUD, P, C, S, TSAgencies should inspect MFD print drums and image transfer rollers and:
    • remove any remnant toner with a soft cloth
    • destroy if there is remnant toner which cannot be removed
    • destroy if a print is visible on the image transfer roller.
    33812200Sep-12AAmustP, C, S, TSAgencies must inspect photocopier or MFD platens and destroy them if any images are retained on the platen.
    33912210Sep-12AAmustUD, P, C, S, TSAgencies must inspect all paper paths and remove all paper from the printer or MFD, including paper that may have jammed inside the unit.
    34003182Sep-12AAmustUD, P, C, S, TSAgencies unable to sanitise printer cartridges or MFD print drums must destroy the cartridge or MFD print drum in accordance with the requirements for electrostatic memory devices.
    34103192Sep-12AAmustUD, P, C, S, TSAgencies must visually inspect televisions and computer monitors by turning up the brightness and contrast to the maximum level to determine if any information has been burnt into or persists on the screen.
    34210761Sep-11AAmustUD, P, C, S, TSAgencies must attempt to sanitise televisions and computer monitors with minor burn-in or image persistence by displaying a solid white image on the screen for an extended period of time.
    34312220Sep-12AAmustUD, P, C, S, TSAgencies must destroy televisions and computer monitors that cannot be sanitised.
    34412231Apr-15AAmustUD, P, C, S, TSTo sanitise network devices, agencies must sanitise the memory according to any available guidance provided by ASD or vendors. Agencies should use available guidance in the order of preference below:
    • ASD EPL Consumer Guide
    • any other ASD advice specific to the device
    • vendor sanitisation guidance
    • if guidance is unavailable, perform a full reset and loading of a dummy configuration file.
    34512241Feb-14AAmustUD, P, C, S, TSAgencies must sanitise or destroy memory (such as phone number directories and pages stored for transmission) from the fax machine.
    34612251Feb-14AAshouldUD, P, C, S, TSAgencies should remove the paper tray of the fax machine and transmit an unclassified fax with a minimum length of four pages. The paper tray should then be re-installed to allow the fax summary page to be printed.
    34712261Feb-14AAmustUD, P, C, S, TSAgencies must check fax machines to ensure no pages are trapped in the paper path due to a paper jam.
    34813590Feb-14AAshouldUD, P, C, S, TSAgencies should have a removable media policy that includes:
    • details of the authority for removable media within an agency
    • media registration and accounting requirements
    • media classification requirements
    • the types of media permitted within the agency
    • explicit cases where removable media is approved for use
    • requirements for the use of media
    • requirements for disposal of media.
    34903220Sep-08AAmustUD, P, C, S, TSAgencies must document procedures for the reclassification and declassification of media.
    35003233Sep-11AAmustUD, P, C, S, TSAgencies must classify media to the highest sensitivity or classification stored on the media since any previous reclassification.
    35103253Sep-11AAmustUD, P, C, S, TSAgencies must classify any media connected to a system the same sensitivity or classification as the system, unless either:
    • the media is read-only
    • the media is inserted into a read-only device
    • the system has a mechanism through which read-only access can be assured.
    35203302Nov-10AAmustP, C, S, TSAgencies wishing to reclassify media to a lower classification must ensure that:
    • the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised or destroyed
    • a formal administrative decision is made to reclassify the media.
    35303314Sep-17AAmustUD, P, C, S, TSAgencies must reclassify media if either:
    • information copied onto the media is of a higher classification than the sensitivity or classification of the information already on the media, or
    • information contained on the media is subjected to a classification upgrade.
    35403323Sep-11AAshouldUD, P, C, S, TSAgencies should label media with a marking that indicates the sensitivity or classification applicable to the information it stores; unless it is internally mounted fixed media and the ICT equipment containing the media is labelled.
    35503333Sep-11AAmustUD, P, C, S, TSAgencies must ensure that the sensitivity or classification of all media is easily visually identifiable.
    35603343Sep-11AAmustUD, P, C, S, TSWhen using non-textual protective markings for media due to operational security reasons, agencies must document the labelling scheme and train personnel appropriately.
    35703353Sep-11AAmustSAgencies must label non-volatile media that has been sanitised and reclassified with a notice similar to: 'Warning: media has been sanitised and reclassified from SECRET to CONFIDENTIAL. Further lowering of classification only via destruction.'
    35803373Sep-11AAmust notUD, P, C, S, TSAgencies must not use media with a system that is not accredited to process, store or communicate the information on the media.
    35903385Sep-17AAmustUD, P, C, S, TSAgencies must ensure that sensitive or classified media meet the minimum physical security storage requirements in the Australian Government Protective Security Policy Framework.
    36003412Nov-10AAmustUD, P, C, S, TSAgencies must disable any automatic execution features in operating systems for connectable media.
    36103424Sep-17AAmustUD, P, C, S, TSAgencies must prevent unauthorised media from connecting to a system via the use of either:
    • device access control or data loss prevention software, or
    • physical means.
    36203433Sep-11AAshouldUD, P, C, S, TSAgencies should prevent media being written to, via the use of device access control or data loss prevention software, if there is no business need.
    36303443Sep-11AAshouldUD, PAgencies should disable external interfaces on a system that allows DMA, if there is no business need.
    36403453Sep-11AAmustC, S, TSAgencies must disable external interfaces on a system that allows DMA, if there is no business need.
    36508314Sep-17AAmustUD, P, C, S, TSAgencies must ensure that media containing sensitive or classified information meet the minimum physical transfer requirements as specified in the Australian Government Protective Security Policy Framework.
    36608324May-16AAmustUD, P, C, S, TSAgencies must encrypt media with at least an ASD Approved Cryptographic Algorithm (AACA) if it is to be transferred through an area not certified and accredited to process the sensitivity or classification of the information on the media.
    36710593May-16AAshouldUD, P, C, S, TSAgencies should encrypt media with at least an AACA even if being transferred through an area certified and accredited to process the sensitivity or classification of the information on the media.
    36803473Sep-11AAshould notUD, P, C, S, TSAgencies transferring data manually between two systems of different security domains, sensitivities or classifications should not use rewriteable media.
    36911690Sep-11AAshould notSAgencies should not permit any media that uses external interface connections in a SECRET area without prior written approval from the accreditation authority.
    37003463Sep-17AAmust notTSAgencies must not permit any media that use external interface connections in a TOP SECRET area without prior written approval from the accreditation authority.
    37103481Sep-17AAmustUD, P, C, S, TSAgencies must document procedures for the sanitisation of media including the verification approach taken.
    37203514Sep-17AAmustUD, PAgencies must sanitise volatile media by either:
    • removing power from the media for at least 10 minutes
    • overwriting all locations on the media with a random pattern followed by a read back for verification.
    37303522Sep-11AAmustC, S, TSAgencies must sanitise volatile media by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, followed by removing power from the media for at least 10 minutes.
    37403534Sep-12AAmustUD, P, C, S, TSFollowing sanitisation, volatile media must be treated no less than as indicated below.[table][head][cell]Pre-Sanitisation Handling[/cell][cell]Post-Sanitisation Handling[/cell][/head][row][cell]TOP SECRET[/cell][cell]Unclassified (under certain circumstances)[/cell][/row][row][cell]SECRET[/cell][cell]Unclassified[/cell][/row][row][cell]CONFIDENTIAL[/cell][cell]Unclassified[/cell][/row][row][cell]PROTECTED[/cell][cell]Unclassified[/cell][/row][row][cell]Unclassified (DLM)[/cell][cell]Unclassified[/cell][/row][/table]
    37508352Sep-17AAmust notTSVolatile media must not be reclassified below TOP SECRET if the volatile media is either:
    • stored sensitive, static data for an extended period of time, or
    • had sensitive data repeatedly stored on or written to the same memory location for an extended period of time.
    37603544Sep-12AAmustUD, P, C, S, TSAgencies must sanitise non-volatile magnetic media by:
    • if pre-2001 or under 15 Gigabytes: overwriting the media at least three times in its entirety with a random pattern followed by a read back for verification.
    • if post-2001 or over 15 Gigabytes: overwriting the media at least once in its entirety with a random pattern followed by a read back for verification.
    37710651Sep-11AAshouldUD, P, C, S, TSAgencies should reset the host protected area and device configuration overlay table of non-volatile magnetic hard disks prior to overwriting the media.
    37810662Feb-14AAshouldUD, P, C, S, TSAgencies should overwrite the growth defects table (g-list) on non-volatile magnetic hard disks.
    37910672Apr-15AAshouldUD, P, C, S, TSAgencies should use the ATA secure erase command, where available, for sanitising non-volatile magnetic hard disks in addition to using block overwriting software.
    38010680Nov-10AAmustUD, P, C, S, TSAgencies must boot from separate media to the media being sanitised to undertake the sanitisation process.
    38103564Sep-12AAmustUD, P, C, S, TSFollowing sanitisation, non-volatile magnetic media must be treated no less than as indicated below.[table][head][cell]Pre-Sanitisation Handling[/cell][cell]Post-Sanitisation Handling[/cell][/head][row][cell]TOP SECRET[/cell][cell]TOP SECRET[/cell][/row][row][cell]SECRET[/cell][cell]CONFIDENTIAL[/cell][/row][row][cell]CONFIDENTIAL[/cell][cell]Unclassified[/cell][/row][row][cell]PROTECTED[/cell][cell]Unclassified[/cell][/row][row][cell]Unclassified (DLM)[/cell][cell]Unclassified[/cell][/row][/table]
    38203574Sep-17AAmustUD, P, C, S, TSAgencies must sanitise non-volatile EPROM media by erasing in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification.
    38308361Sep-11AAmustUD, P, C, S, TSAgencies must sanitise non-volatile EEPROM media by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification.
    38403584Sep-12AAmustUD, P, C, S, TSFollowing sanitisation, non-volatile EPROM and EEPROM media must be treated no less than as indicated below.[table][head][cell]Pre-Sanitisation Handling[/cell][cell]Post-Sanitisation Handling[/cell][/head][row][cell]TOP SECRET[/cell][cell]TOP SECRET[/cell][/row][row][cell]SECRET[/cell][cell]CONFIDENTIAL[/cell][/row][row][cell]CONFIDENTIAL[/cell][cell]Unclassified[/cell][/row][row][cell]PROTECTED[/cell][cell]Unclassified[/cell][/row][row][cell]Unclassified (DLM)[/cell][cell]Unclassified[/cell][/row][/table]
    38503592Sep-11AAmustUD, P, C, S, TSAgencies must sanitise non-volatile flash memory media by overwriting the media at least twice in its entirety with a random pattern, followed by a read back for verification.
    38603604Sep-12AAmustUD, P, C, S, TSFollowing sanitisation, non-volatile flash memory media must be treated no less than as indicated below.[table][head][cell]Pre-Sanitisation Handling[/cell][cell]Post-Sanitisation Handling[/cell][/head][row][cell]TOP SECRET[/cell][cell]TOP SECRET[/cell][/row][row][cell]SECRET[/cell][cell]SECRET[/cell][/row][row][cell]CONFIDENTIAL[/cell][cell]CONFIDENTIAL[/cell][/row][row][cell]PROTECTED[/cell][cell]Unclassified[/cell][/row][row][cell]Unclassified (DLM)[/cell][cell]Unclassified[/cell][/row][/table]
    38709473Sep-11AAshouldUD, P, C, S, TSAgencies should sanitise all media prior to reuse.
    38814640May-16AAmustUD, P, C, S, TSAgencies using cryptography suitable for reducing the handling requirements of media to unclassified, must follow the sanitisation and post-sanitisation requirements stated in the product guide for the cryptography used.
    38914650May-16AAmustUD, P, C, S, TSAgencies using cryptography suitable for reducing the handling requirements of media to unclassified, must follow vendor issued instructions for sanitising the encrypted media when a product guide is not available. Sanitisation and post-handling requirements for non-encrypted media must then be followed.
    39014660May-16AAmustUD, P, C, S, TSAgencies using cryptography not suitable for reducing the handling requirements of media to unclassified, must follow sanitisation processes and handling requirements for non-encrypted media.
    39103503Feb-14AAmustUD, P, C, S, TSAgencies must destroy the following media types prior to disposal, as they cannot be sanitised:
    • microform (i.e. microfiche and microfilm)
    • optical discs
    • printer ribbons and the impact surface facing the platen
    • programmable read-only memory
    • read-only memory
    • faulty or other types of media that cannot be successfully sanitised.
    39213471Sep-17AAmustUD, P, C, S, TSWhere volatile media has undergone sanitisation but verification has failed and sensitive or classified information persists on the media, agencies must destroy the media, and handle the media at the sensitivity or classification of the information it contains until it is destroyed.
    39303630Sep-08AAmustUD, P, C, S, TSAgencies must document procedures for the destruction of media.
    39403641Nov-10AAmustUD, P, C, S, TSTo destroy media, agencies must either:
    • break up the media
    • heat the media until it has either burnt to ash or melted
    • degauss the media.
    39503661Nov-10AAmustUD, P, C, S, TSAgencies must use one of the methods shown in the table below.[table][head][cell v=2]Item[/cell][cell h=6]Destruction Methods[/cell][/head][head][cell]Furnace / Incinerator[/cell][cell]Hammer Mill[/cell][cell]Disintegrator[/cell][cell]Grinder / Sander[/cell][cell]Cutting[/cell][cell]Degausser[/cell][/head][row][cell]Electrostatic memory devices[/cell][cell]Yes[/cell][cell]Yes[/cell][cell]Yes[/cell][cell]Yes[/cell][cell]No[/cell][cell]No[/cell][/row][row][cell]Magnetic floppy disks[/cell][cell]Yes[/cell][cell]Yes[/cell][cell]Yes[/cell][cell]No[/cell][cell]Yes[/cell][cell]Yes[/cell][/row][row][cell]Magnetic hard disks[/cell][cell]Yes[/cell][cell]Yes[/cell][cell]Yes[/cell][cell]Yes[/cell][cell]No[/cell][cell]Yes[/cell][/row][row][cell]Magnetic tapes[/cell][cell]Yes[/cell][cell]Yes[/cell][cell]Yes[/cell][cell]No[/cell][cell]Yes[/cell][cell]Yes[/cell][/row][row][cell]Optical disks[/cell][cell]Yes[/cell][cell]Yes[/cell][cell]Yes[/cell][cell]Yes[/cell][cell]Yes[/cell][cell]No[/cell][/row][row][cell]Semiconductor memory[/cell][cell]Yes[/cell][cell]Yes[/cell][cell]Yes[/cell][cell]No[/cell][cell]No[/cell][cell]No[/cell][/row][/table]
    39611600Nov-10AAmustUD, P, C, S, TSAgencies must employ degaussers certified by the National Security Agency/Central Security Service or the Government Communications Headquarters/Communications-Electronics Security Group for the purpose of degaussing media.
    39713600Feb-14AAshouldUD, P, C, S, TSAgencies should check the field strength of the degausser at regular intervals when destroying media.
    39813610Feb-14AAshouldUD, P, C, S, TSAgencies should use approved equipment when destroying media.
    39903685Apr-15AAmustUD, P, C, S, TSAgencies must, at minimum, store and handle the resulting media waste for all methods, except for furnace/incinerator and degausser, as indicated below.[table][head][cell v=2]Initial media handing[/cell][cell h=4]Screen aperture size particles can pass through[/cell][/head][head][cell]Less than or equal to 3mm[/cell][cell]Less than or equal to 6mm[/cell][cell]Less than or equal to 9mm[/cell][/head][row][cell]TOP SECRET[/cell][cell]Unclassified[/cell][cell]CONFIDENTIAL[/cell][cell]SECRET[/cell][/row][row][cell]SECRET[/cell][cell]Unclassified[/cell][cell]PROTECTED[/cell][cell]CONFIDENTIAL[/cell][/row][row][cell]CONFIDENTIAL[/cell][cell]Unclassified[/cell][cell]Unclassified[/cell][cell]PROTECTED[/cell][/row][row][cell]PROTECTED[/cell][cell]Unclassified[/cell][cell]Unclassified[/cell][cell]Unclassified[/cell][/row][row][cell]Unclassified (DLM)[/cell][cell]Unclassified[/cell][cell]Unclassified[/cell][cell]Unclassified[/cell][/row][/table]
    40003612Nov-10AAmustUD, P, C, S, TSAgencies must use a degausser of sufficient field strength for the coercivity of the media.
    40108381Nov-10AAmustUD, P, C, S, TSAgencies must use a degausser capable of the magnetic orientation (longitudinal or perpendicular) of the media.
    40203622Nov-10AAmustUD, P, C, S, TSAgencies must comply with any product specific directions provided by product manufacturers and certification authorities.
    40303703Sep-11AAmustUD, P, C, S, TSAgencies must perform the destruction of media under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed.
    40403712Nov-10AAmustUD, P, C, S, TSPersonnel supervising the destruction of media must:
    • supervise the handling of the media to the point of destruction
    • ensure that the destruction is completed successfully.
    40503723Sep-11AAmustUD, P, C, S, TSAgencies must perform the destruction of accountable material under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed.
    40603732Nov-10AAmustUD, P, C, S, TSPersonnel supervising the destruction of accountable media must:
    • supervise the handling of the material to the point of destruction
    • ensure that the destruction is completed successfully
    • sign a destruction certificate.
    40708391Nov-10AAshould notUD, P, C, S, TSAgencies should not outsource the destruction of TOP SECRET media or accountable material.
    40808402Feb-14AAmustUD, P, C, S, TSAgencies outsourcing the destruction of media to an external destruction service must use a service that has been approved by ASIO-T4 Protective Security.
    40910691Sep-11AAshouldUD, P, C, S, TSAgencies should sanitise media, if possible, prior to transporting it to an off-site location for destruction.
    41003740Sep-08AAmustUD, P, C, S, TSAgencies must document procedures for the disposal of media.
    41103293Sep-11AAmustUD, P, C, S, TSAgencies declassifying media must ensure that:
    • the media has been reclassified to an unclassified level either through an administrative decision, sanitisation or destruction
    • a formal administrative decision is made to release the unclassified media, or its waste, into the public domain.
    41203752Nov-10AAmustUD, P, C, S, TSAgencies must declassify all media prior to disposing of it into the public domain.
    41303782Sep-11AAmustUD, P, C, S, TSAgencies must dispose of media in a manner that does not draw undue attention to its previous sensitivity or classification.
    41414061Sep-17AAmustUD, P, C, S, TSWhen developing a workstation SOE, the Common Operating Environment Policy produced by the Department of Finance must be used.
    41514072Sep-17AAshouldUD, P, C, S, TSThe latest release of an operating system should be used for SOEs.
    41614082Sep-17AAshouldUD, P, C, S, TSWhen developing a Microsoft Windows SOE, the 64-bit version of the operating system should be used.
    41714090Apr-15AAshouldUD, P, C, S, TSWhen using a Microsoft Windows operating system, to harden its configuration agencies should use the applicable SOE Build Guideline from the Common Operating Environment Policy produced by the Department of Finance.
    41814670May-16AAshouldUD, P, C, S, TSThe latest releases of key business applications such as office productivity suites (e.g Microsoft Office), PDF readers (e.g. Adobe Reader). web browsers (e.g. Microsoft Internet Explorer, Mozilla Firefox or Google Chrome), common web browser plugins (e.g. Adobe Flash), email clients (Microsoft outlook) and software platforms (e.g. oracle Java Platform and Microsoft .NET Framework) should be used within SOEs.
    41903835Sep-17AAmustUD, P, C, S, TSDefault operating system accounts must be disabled, renamed or have their passphrase changed.
    42003806Sep-17AAshouldUD, P, C, S, TSUnneeded operating system accounts, software, components, services and functionality should be removed or disabled
    42114100Apr-15AAmustUD, P, C, S, TSLocal administrator accounts must be disabled.
    42214690Sep-17AAmustUD, P, C, S, TSUnique domain accounts with local administrative privileges, but without domain administrative privileges, should be used for workstation and server management.
    42303824Apr-15AAmust notUD, P, C, S, TSUsers must not have the ability to install, uninstall or disable software.
    42413452Sep-17AAmustUD, P, C, S, TSDevices must be prevented from simultaneously connecting to two different networks.
    42514111Sep-17AAshouldUD, P, C, S, TSAny security functionality in applications should be enabled and configured for maximum security.
    42614700Sep-17AAshouldUD, P, C, S, TSAny unrequired functionality in applications should be disabled.
    42714120Apr-15AAshouldUD, P, C, S, TSVendor guidance should be followed to assist in securely configuring their products.
    42808436Sep-17AAmustUD, P, C, S, TSAn application whitelisting solution must be used within SOEs to restrict the execution of programs and DLLs to an approved set.
    42914131Sep-17AAshouldUD, P, C, S, TSAn application whitelisting solution should be used within SOEs to restrict the execution of scripts and installers to an approved set.
    43008456Sep-17AAshouldUD, P, C, S, TSUsers and system administrators should be restricted to executing a subset of approved programs, DLLs, scripts and installers based on their specific duties.
    43108465Apr-15AAmust notUD, P, C, S, TSUsers and system administrators must not be allowed to temporarily or permanently disable, bypass or be exempt from application whitelisting mechanisms.
    43209554Sep-17AAmustUD, P, C, S, TSApplication whitelisting must be implemented using at least one of the following methods:
    • cryptographic hashes
    • publisher certificates
    • absolute paths
    • parent folders.
    43314710Sep-17AAmustUD, P, C, S, TSWhen implementing application whitelisting using publisher certificates, both publisher names and product names must be used for application whitelisting rules.
    43413920Apr-15AAmustUD, P, C, S, TSWhen implementing application whitelisting using absolute path rules, file system permissions must be configured to prevent users and system administrators from modifying files that are permitted to run.
    43513910Apr-15AAmustUD, P, C, S, TSWhen implementing application whitelisting using parent folder rules, file system permissions must be configured to prevent users and system administrators from adding or modifying files in authorised parent folders.
    43609574Sep-17AAshouldUD, P, C, S, TSApplication whitelisting solutions should be configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file.
    43714140Apr-15AAmustUD, P, C, S, TSThe latest supported version of Microsoft's EMET must be used within Microsoft Windows SOEs.
    43814150Apr-15AAshouldUD, P, C, S, TSMicrosoft's EMET should be configured with both operating system mitigation measures and application-specific mitigation measures e.g. using the Microsoft supplied recommended and popular software templates.
    43913411Apr-15AAshouldUD, P, C, S, TSHIPS should be used within SOEs.
    44010345Apr-15AAmustUD, P, C, S, TSHIPS must be used on high value servers, such as authentication servers (e.g. Active Directory Domain Controllers and RADIUS servers), DNS servers, web servers, file servers and email servers.
    44114161Sep-17AAmustUD, P, C, S, TSSoftware-based application firewalls must be used within SOEs to limit both inbound and outbound network connections.
    44214171Sep-17AAmustUD, P, C, S, TSAntivirus or internet security software must be used within SOEs.
    44310335Sep-17AAmustUD, P, C, S, TSAntivirus or internet security software must have:
    • signature-based detection enabled and set to a high level
    • heuristic-based detection enabled and set to a high level
    • detection signatures checked for currency and updated on at least a daily basis
    • automatic and regular scanning configured for all fixed disks and removable media.
    44413901Apr-15AAshouldUD, PAntivirus or internet security software should have reputation ratings enabled.
    44514180Apr-15AAmustUD, P, C, S, TSEndpoint device control software must be used within SOEs to prevent unauthorised removable media and devices from being used with workstations and servers.
    44611435Sep-17AAmustUD, P, C, S, TSA patch management strategy must be developed and implemented covering the patching of security vulnerabilities in operating systems, applications, drivers and hardware devices.
    44702974Sep-17AAshouldUD, P, C, S, TSRelevant sources should be monitored for information about new security vulnerabilities and associated patches for operating systems, applications, drivers and hardware devices.
    44811448Sep-17AAmustUD, P, C, S, TSSecurity vulnerabilities in operating systems, applications, drivers and hardware devices assessed as extreme risk must be patched or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent 3rd parties, system owners or users.
    44909407Sep-17AAmustUD, P, C, S, TSSecurity vulnerabilities in operating systems, applications, drivers and hardware devices assessed as high risk must be patched or mitigated within two weeks of the security vulnerability being identified by vendors, independent 3rd parties, system owners or users.
    45014720Sep-17AAmustUD, P, C, S, TSSecurity vulnerabilities in operating systems, applications, drivers and hardware devices assessed as moderate or low risk must be patched or mitigated within one month of the security vulnerability being identified by vendors, independent 3rd parties, system owners or users.
    45103005Apr-15ASDmustC, S, TSHigh Assurance products must only be patched with ASD approved patches using methods and timeframes prescribed by ASD.
    45202985Apr-15AAshouldUD, P, C, S, TSWhere possible, a centralised and managed approach should be used to patch operating systems, applications, drivers and hardware devices.
    45303035Sep-17AAmustUD, P, C, S, TSAn approach for patching operating systems, applications, drivers and hardware devices that ensures the integrity and authenticity of patches, as well as the processes used to apply them, must be used.
    45409417Sep-17AAmustUD, P, C, S, TSWhen patches are not available for security vulnerabilities, one or more of the following approaches must be implemented:
    • resolve the security vulnerability by either:[ul][li]disabling the functionality associated with the security vulnerability
    • asking the vendor for an alternative method of managing the security vulnerability
    • moving to a different product with a more responsive vendor
    • engaging a software developer to resolve the security vulnerability.
    [/li]
  • prevent exploitation of the security vulnerability by either:
      [li]applying external input sanitisation (if an input triggers the exploit)
    • applying filtering or verification on output (if the exploit relates to an information disclosure)
    • applying additional access controls that prevent access to the security vulnerability
    • configuring firewall rules to limit access to the security vulnerability.
    [/li]
  • contain exploitation of the security vulnerability by either:
      [li]applying firewall rules limiting outward traffic that is likely in the event of an exploitation
    • applying mandatory access control preventing the execution of exploitation code
    • setting file system permissions preventing exploitation code from being written to disk.
    [/li]
  • detect exploitation of the security vulnerability by either:
      [li]deploying an intrusion detection system
    • monitoring logging alerts
    • using other mechanisms for the detection of exploits using the known security vulnerability.
    [/li][/ul]
    • 45503044Apr-15AAmustUD, P, C, S, TSOperating systems, applications and hardware devices that are no longer supported by their vendors must be updated to a vendor supported version or replaced with an alternative vendor supported version.
    45604003Sep-17AAshouldUD, P, C, S, TSSoftware development environments should be configured such that there are at least three environments covering development, testing and production.
    45714190Apr-15AAshouldUD, P, C, S, TSNew development and modifications of software should only take place in the development environment.
    45814201Sep-17AAmust notUD, P, C, S, TSInformation in production environments must not be used in testing or development environments unless the testing or development environments are secured to the same security standard as the production environment.
    45914211Sep-17AAshouldUD, P, C, S, TSThe ability to transfer information between development, test and production environments should be strictly limited according to a defined and documented policy, with access granted only to users with a clear business requirement.
    46014222Sep-17AAshouldUD, P, C, S, TSUnauthorised access to the authoritative source for software should be prevented.
    46112382Sep-17AAshouldUD, P, C, S, TSThreat modelling and other secure design techniques should be used to ensure that threats to software and mitigations to these threats are identified.
    46204012Apr-15AAshouldUD, P, C, S, TSSoftware developers should use secure programming practices when developing software, including:
    • designing software to use the lowest privilege level needed to achieve its task
    • denying access by default
    • checking return values of all system calls
    • validating all inputs
    • following secure coding standards.
    46314230Apr-15AAshouldUD, P, C, S, TSSoftware developers should use platform-specific secure programming practices published by vendors when developing software.
    46404022Sep-17AAshouldUD, P, C, S, TSSoftware should be tested for security vulnerabilities by an independent party as well as the software developer before it is used in a production environment.
    46512392Sep-17AAshouldUD, P, C, S, TSRobust web application frameworks should be used to aid in the development of secure web applications.
    46612401Sep-17AAmustUD, P, C, S, TSValidation and/or sanitisation must be performed on all input handled by a web application.
    46712412Sep-17AAmustUD, P, C, S, TSOutput encoding must be performed on all output produced by a web application.
    46814241Sep-17AAshouldUD, P, C, S, TSWeb browser-based security controls should be implemented for web applications in order to help protect the web application and its users.
    46909715Sep-17AAshouldUD, P, C, S, TSFor web application development, the Open Web Application Security Project guides to building secure web applications should be followed.
    47012432Sep-17AAshouldUD, P, C, S, TSAn accurate inventory of all deployed databases and their contents should be maintained and regularly audited.
    47112451Sep-17AAshouldUD, P, C, S, TSAll temporary installation files and logs should be removed after DBMS software has been installed.
    47212461Sep-17AAshouldUD, P, C, S, TSDBMS software should be configured according to vendor guidance.
    47312471Sep-17AAshouldUD, P, C, S, TSDBMS software features and stored procedures that are not required should be disabled or removed.
    47412481Sep-17AAshouldUD, P, C, S, TSAll sample databases should be removed from database servers.
    47512491Sep-17AAmustUD, P, C, S, TSDBMS software must be configured to run as a separate account with the minimum privileges needed to perform its functions.
    47612500Sep-12AAmustUD, P, C, S, TSThe account under which DBMS software runs must have limited access to non-essential areas of the database server's file system.
    47712511Sep-17AAshouldUD, P, C, S, TSThe ability of DBMS software to read local files from a server should be disabled.
    47812521Apr-15AAmustUD, P, C, S, TSPassphrases stored in databases must be hashed with a strong hashing algorithm which is uniquely salted.
    47912562Sep-17AAmustUD, P, C, S, TSFile-based access controls must be applied to database files.
    48014250Apr-15AAshouldUD, P, C, S, TSHard disks of database servers should be encrypted using full disk encryption.
    48103935Apr-15AAmustUD, P, C, S, TSDatabases or their contents must be associated with protective markings.
    48212552Sep-17AAshouldUD, P, C, S, TSDatabase users’ ability to access, insert, modify and remove content in databases should be restricted based on their work duties.
    48312580Sep-12AAshouldUD, P, C, S, TSWhere concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more highly classified information, database views in combination with database user access roles should be implemented.
    48412601Apr-15AAmustUD, P, C, S, TSDefault database administrator accounts must be disabled, renamed or have their passphrases changed.
    48512620Sep-12AAmustUD, P, C, S, TSDatabase administrators must have unique and identifiable accounts.
    48612611Apr-15AAshould notUD, P, C, S, TSDatabase administrator accounts should not be shared across different databases.
    48712631Apr-15AAmustUD, P, C, S, TSDatabase administrator accounts must be used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases.
    48812640Sep-12AAshouldUD, P, C, S, TSDatabase administrator access should be restricted to defined roles rather than accounts with default administrative permissions, or all permissions.
    48912661Apr-15AAmustUD, P, C, S, TSAnonymous database accounts must be removed.
    49012680Sep-12AAshouldUD, P, C, S, TSThe need-to-know principle should be enforced through the application of minimum privileges, database views and database roles.
    49112691Apr-15AAshouldUD, P, C, S, TSDatabase servers and web servers should be functionally separated, either physically or virtually.
    49212701Apr-15AAshouldUD, P, C, S, TSDatabase servers that require network connectivity should be placed on a different network segment to an agency's workstations.
    49312710Sep-12AAshouldUD, P, C, S, TSNetwork access controls should be implemented to restrict database servers' communications to strictly defined network resources such as web servers, application servers and storage area networks.
    49412720Sep-12AAshouldUD, P, C, S, TSIf only local access to a database system is required, networking functionality of DBMS software should be disabled or directed to listen solely to the localhost interface.
    49512731Apr-15AAmust notUD, P, C, S, TSTest and development environments must not use the same database servers as production environments.
    49612743Sep-17AAmust notUD, P, C, S, TSInformation in production databases must not be used in testing or development databases unless the testing or development environments are secured to the same security standard as the production environment.
    49712750Sep-12AAmustUD, P, C, S, TSAll queries to database systems from web applications must be filtered for legitimate content and correct syntax.
    49812761Apr-15AAshouldUD, P, C, S, TSParameterised queries or stored procedures should be used for database interaction instead of dynamically generated queries.
    49912771Apr-15AAmustUD, P, C, S, TSSensitive or classified information communicated between database systems and web applications must be encrypted.
    50012781Apr-15AAshouldUD, P, C, S, TSWeb applications should be designed to provide as little error information as possible to users about DBMS software and database schemas.
    50102641Sep-09AAmustUD, P, C, S, TSAgencies must have a policy governing the use of email.
    50202663Sep-11AAmustUD, P, C, S, TSAgencies must make personnel aware of their email usage policies.
    50308220Sep-09AAshouldUD, P, C, S, TSAgencies should implement measures to monitor their personnel's compliance with email usage policies.
    50402675Apr-15AAmust notUD, P, C, S, TSAgencies must not allow personnel to access non-agency approved web-based email services from agency systems.
    50513400Sep-12AAmustUD, P, C, S, TSAgencies must ensure users are made aware of the social engineering threat, as well as methods to detect suspicious emails in their environment and processes to report these events.
    50602732Nov-10AAmustUD, P, C, S, TSAll official emails must have a protective marking.
    50702752Nov-10AAmustUD, P, C, S, TSEmail protective markings must accurately reflect each element of an email, including attachments.
    50802784Sep-12AAmustUD, P, C, S, TSWhere an unmarked email has originated outside the government, users must assess the information and determine how it is to be handled.
    50908521Nov-10AAshould notUD, P, C, S, TSWhere an email is of a personal nature and does not contain government information, protective markings for official information should not be used.
    51009674Sep-12AAshouldUD, P, C, S, TSWhere an unmarked email has originated from an Australian or overseas government agency, users should contact the originator to determine how it is to be handled.
    51109684Sep-12AAshouldUD, P, C, S, TSWhere an email is received with an unknown protective marking from an Australian or overseas government agency, users should contact the originator to determine appropriate security measures.
    51213680Feb-14AAmustUD, P, C, S, TSAgencies must prevent unmarked emails or emails marked with an unrecognised or invalid protective marking from being sent to the intended recipients by blocking the email at the email server.
    51310223Feb-14AAshouldUD, P, C, S, TSAgencies should prevent unmarked emails or emails marked with an unrecognised or invalid protective marking from being sent to intended recipients by blocking the email at the workstation.
    51405652Sep-11AAmustUD, P, C, S, TSAgencies must configure email systems to reject, log and report inbound emails with protective markings indicating that the content of the email exceeds the sensitivity or classification of the receiving system.
    51510233Sep-11AAshouldUD, P, C, S, TSAgencies should notify the intended recipient of any blocked emails.
    51605633Sep-11AAmustUD, P, C, S, TSAgencies must configure systems to block any outbound emails with a protective marking indicating that the content of the email exceeds the sensitivity or classification of the path over which the email would be communicated.
    51705641Sep-09AAshouldUD, P, C, S, TSAgencies should configure systems to log every occurrence of a blocked email.
    51802703Apr-15AAmustUD, P, C, S, TSAgencies must comply with the current standard for the application of protective markings to emails as promulgated by the Department of Finance.
    51909693Sep-11AAshouldUD, P, C, S, TSAgencies should configure systems so that the protective markings appear at the top and bottom of every page when the email is printed.
    52002711Sep-12AAshould notUD, P, C, S, TSAgencies should not allow a protective marking to be inserted into user generated emails without their intervention.
    52102722Sep-12AAshould notUD, P, C, S, TSAgencies providing a marking tool should not allow users to select protective markings that the system has not been accredited to process, store or communicate.
    52210892Sep-12AAshould notUD, P, C, S, TSAgencies providing a marking tool should not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email.
    52302691Sep-09AAshouldP, C, S, TSAgencies should ensure that emails containing AUSTEO, AGAO or other nationality releasability marked information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed.
    52410243Sep-11AAshouldUD, P, C, S, TSAgencies should only send notification of undeliverable, bounced or blocked emails to senders that can be verified via SPF or other trusted means.
    52505660Sep-08AAmustUD, P, C, S, TSAgencies must ensure that the requirements for blocking unmarked and outbound emails are also applied to automatically forwarded emails.
    52605672Sep-11AAmustUD, P, C, S, TSAgencies must disable open email relaying so that email servers will only relay messages destined for their domains and those originating from inside the domain.
    52705680Sep-08AAshouldUD, P, C, S, TSAgencies should perform regular email server auditing, security reviews and vulnerability analysis activities.
    52805692Nov-10AAshouldUD, P, C, S, TSAgencies should route email through a centralised email gateway.
    52905703Sep-11AAmustUD, P, C, S, TSWhere backup or alternative email gateways are in place, additional email gateways must be maintained at the same standard as the primary email gateway.
    53005713Sep-12AAmustUD, P, C, S, TSWhere users send email from outside their network, an authenticated and encrypted channel must be configured to allow email to be sent via the centralised email gateway.
    53105722Sep-11AAmustUD, P, C, S, TSAgencies must enable opportunistic TLS encryption as defined in IETF RFC 3207 on email servers that make incoming or outgoing email connections over public network infrastructure.
    53212341Feb-14AAmustUD, P, C, S, TSAgencies must implement applicable content filtering controls on email attachments, as recommended in the Data Transfers and Content Filtering chapter of this manual.
    53305613Feb-14AAmustUD, P, C, S, TSAgencies must block at the gateway:
    • emails addressed to internal email aliases with source addresses located from outside the domain
    • all emails arriving via an external connection where the source address uses an internal domain name.
    53410571Sep-11AAshouldUD, P, C, S, TSEmail servers should strip active web addresses from emails and replace them with non-active versions.
    53505742Sep-11AAmustUD, P, C, S, TSAgencies must specify their mail servers using SPF or Sender ID.
    53611830Sep-11AAshouldUD, P, C, S, TSAgencies should use a hard fail SPF record when specifying their mail servers.
    53711511Sep-11AAshouldUD, P, C, S, TSAgencies should use SPF or Sender ID to verify the authenticity of incoming emails.
    53811521Sep-11AAmustUD, P, C, S, TSAgencies must block, mark or identify incoming emails that fail SPF checks in a manner that is visible to the email recipient.
    53908610Sep-08AAshouldUD, P, C, S, TSAgencies should enable DKIM signing on all email originating from their domain.
    54010253Sep-11AAshouldUD, P, C, S, TSAgencies should use DKIM in conjunction with SPF.
    54110263Sep-11AAshouldUD, P, C, S, TSAgencies should verify DKIM signatures on emails received, taking into account that email distribution list software typically invalidates DKIM signatures.
    54210273Sep-11AAshouldUD, P, C, S, TSAgencies operating email distribution list software used by external senders should configure the software so that it does not break the validity of the sender's DKIM signature.
    54304134Apr-15AAmustUD, P, C, S, TSA set of policies and procedures covering user identification, authentication and authorisation must be developed and maintained, as well as communicated to and understood by users.
    54404142Sep-12AAmustUD, P, C, S, TSAgencies must ensure that all users are:
    • uniquely identifiable
    • authenticated on each occasion that access is granted to a system.
    54504206Sep-17AAmustP, C, S, TSWhere systems contain AUSTEO, AGAO or other nationality-based releasability marked information, agencies must ensure all users who are foreign nationals, including seconded foreign nationals, are uniquely identifiable.
    54609755Sep-17AAshouldP, C, S, TSAgencies implementing security measures to identify users who are foreign nationals, including seconded foreign nationals, should ensure that identification measures include their specific nationality.
    54709734Sep-17AAshould notUD, P, C, SAgencies should not use shared non-user specific accounts.
    54804151Nov-10AAmust notTSAgencies must not use shared non user-specific accounts.
    54904162Apr-15AAmustUD, P, C, S, TSIf agencies choose to allow shared non-user specific accounts, another method of attributing actions undertaken by such accounts to specific personnel must be implemented.
    55004173Sep-12AAmust notUD, P, C, S, TSAgencies must not use a numerical password (or personal identification number) as the sole method of authenticating a user.
    55104214Apr-15AAmustUD, P, C, SAgencies using passphrases as the sole method of authentication must enforce the following passphrase policy:
    • a minimum length of 13 alphabetic characters with no complexity requirement; or
    • a minimum length of 10 characters, consisting of at least three of the following character sets:[ul][li]lowercase alphabetic characters (a-z)
    • uppercase alphabetic characters (A-Z)
    • numeric characters (0-9)
    • special characters.
    [/li][/ul]
    55204224Apr-15AAmustTSAgencies using passphrases as the sole method of authentication must enforce the following passphrase policy:
    • a minimum length of 15 alphabetic characters with no complexity requirement; or
    • a minimum length of 11 characters, consisting of at least three of the following character sets:[ul][li]lowercase alphabetic characters (a-z)
    • uppercase alphabetic characters (A-Z)
    • numeric characters (0-9)
    • special characters.
    [/li][/ul]
    55314260Apr-15AAmustUD, P, C, S, TSWhen systems cannot be configured to enforce passphrase complexity requirements, passphrases must be checked by alternative means for compliance with passphrase policies.
    55409744Sep-12AAshouldUD, P, C, S, TSAgencies should use multi-factor authentication for all users.
    55511731Apr-15AAmustUD, P, C, S, TSAgencies must use multi-factor authentication for:
    • system administrators
    • database administrators
    • privileged users
    • positions of trust
    • remote access.
    55614011Sep-17AAmustUD, P, C, S, TSAgencies using passphrases as part of multi-factor authentication must ensure a minimum length of six alphabetic characters with no complexity requirement.
    55713570Feb-14AAshouldUD, P, C, S, TSWhere multi-factor authentication is implemented, none of the factors on their own should be useful for authentication on another system.
    55804232Apr-15AAmustUD, P, C, S, TSAgencies must:
    • ensure that passphrases are changed at least every 90 days
    • prevent passphrases from being changed by the user more than once a day
    • prevent passphrases from being reused within eight passphrase changes
    • prevent the use of sequential passphrases where possible
    • prevent passphrases being stored in cleartext.
    55914030Apr-15AAmustUD, P, C, S, TSAgencies must ensure accounts are locked after a maximum of five failed logon attempts.
    56009763Sep-12AAmustUD, P, C, S, TSAgencies must ensure users provide sufficient evidence to verify their identity when requesting a passphrase reset for their system account.
    56112271Apr-15AAmustUD, P, C, S, TSAgencies must ensure reset passphrases are:
    • random for each individual reset
    • not reused when resetting multiple accounts
    • not based on a single dictionary word
    • not based on another identifying factor, such as the user's name or the date.
    56210551Sep-12AAmustUD, P, C, S, TSAgencies must disable LAN Manager for passphrase authentication on workstations and servers.
    56304182Sep-17AAmustUD, P, C, S, TSAuthentication information must be stored separately from a system to which it grants access.
    56414020Apr-15AAmustUD, P, C, S, TSAuthentication information stored on a system must be protected.
    56504192Apr-15AAmustUD, P, C, S, TSAuthentication information must be protected when communicated across networks.
    56604285Sep-17AAmustUD, P, C, S, TSAgencies must configure systems with a session or screen lock that:
    • activates either after a maximum of 15 minutes of user inactivity or if manually activated by the user
    • completely conceals all information on the screen
    • ensures that the screen does not enter a power saving state before the screen or session lock is activated
    • requires the user to reauthenticate to unlock the system
    • denies users the ability to disable the session or screen locking mechanism.
    56704304Apr-15AAmustUD, P, C, S, TSAgencies must remove or suspend accounts on the same day a user no longer has a legitimate business requirement for its use.
    56814040Apr-15AAshouldUD, P, C, S, TSAgencies should remove or suspend accounts after one month of inactivity.
    56904311Nov-10AAshouldC, S, TSAgencies should ensure that repeated account lockouts are investigated before reauthorising access.
    57004083Apr-15AAshouldUD, P, C, S, TSSystems should have a logon banner that requires a user to acknowledge and accept their security responsibilities before access to the system is granted.
    57109793Sep-11AAshouldUD, P, C, S, TSAgencies should seek legal advice on the exact wording of logon banners.
    57209805Feb-14AAshouldUD, P, C, S, TSLogon banners should explicitly state conditions of access to a system, including:
    • access is restricted to authorised users
    • acceptable usage and information security policies
    • the user's agreement to abide by above-mentioned policies
    • informing the user of activity monitoring and auditing
    • legal ramifications of violating the relevant policies
    • a point of contact for questions on these conditions.
    57300783Apr-15AAmustP, C, S, TSSystems processing, storing or communicating AUSTEO or AGAO information must remain at all times under the control of an Australian national working for or on behalf of the Australian Government.
    57408543Apr-15AAmust notP, C, S, TSAgencies must not allow access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government.
    57504093Apr-15AAmust notP, C, S, TSForeign nationals, including seconded foreign nationals, must not have access to systems that process, store or communicate AUSTEO information unless effective controls and procedures are in place to ensure AUSTEO information is not accessible to them.
    57604113Apr-15AAmust notP, C, S, TSForeign nationals, excluding seconded foreign nationals, must not have access to systems that process, store or communicate AGAO information unless effective controls and procedures are in place to ensure AGAO information is not accessible to them.
    57708162Apr-15AAmust notUD, P, C, S, TSForeign nationals, including seconded foreign nationals, must not have access to systems that process, store or communicate information with national releasability markings unless effective controls and procedures are put in place to ensure information that is not marked as releasable to their nation is not accessible to them.
    57808563Apr-15AAmustUD, P, C, S, TSUsers' authorisations must be enforced by access controls.
    57911752May-16AAmustUD, P, C, S, TSAgencies must prevent users from using privileged accounts to read emails, open attachments, browse the Web or obtain files via internet services such as instant messaging or social media.
    58004455Apr-15AAmustUD, P, C, S, TSAgencies must restrict the use of privileged accounts by ensuring that:
    • the use of privileged accounts are controlled and auditable
    • system administrators are assigned a dedicated account to be used solely for the performance of their administration tasks
    • privileged accounts are kept to a minimum
    • privileged accounts are used for administrative work only
    • passphrases for privileged accounts are regularly audited to check they meet passphrase selection requirements
    • passphrases for privileged accounts are regularly audited to check the same passphrase is not being reused over time or for multiple accounts (particularly between privileged and unprivileged accounts)
    • privileges allocated to privileged accounts are regularly reviewed.
    58104461Sep-09AAmust notP, C, S, TSAgencies must not allow foreign nationals, including seconded foreign nationals, to have privileged access to systems that process, store or communicate AUSTEO information.
    58204471Sep-09AAmust notP, C, S, TSAgencies must not allow foreign nationals, excluding seconded foreign nationals, to have privileged access to systems that process, store or communicate AGAO information.
    58304484Apr-15AAshould notUD, P, C, S, TSAgencies should not allow foreign nationals, excluding seconded foreign nationals, to have privileged access to systems that process, store or communicate sensitive or classified information.
    58409855Apr-15AAmustUD, P, C, S, TSAgencies must conduct the remote administration of systems, including the use of privileged accounts, over a secure communications medium from secure devices.
    58505804Apr-15AAmustUD, P, C, S, TSAgencies must develop an event logging strategy covering:
    • logging facilities, including availability requirements and the reliable delivery of event logs to logging facilities
    • the list of events associated with a system or software component to be logged
    • event log protection and retention requirements.
    58614050Apr-15AAmustUD, P, C, S, TSAgencies must implement a secure centralised logging facility.
    58713441Apr-15AAmustUD, P, C, S, TSAgencies must ensure systems are configured to save event logs to the secure centralised logging facility.
    58805872Apr-15AAshouldUD, P, C, S, TSAgencies should save event logs to the secure centralised logging facility as soon as possible after each event occurs.
    58909884Apr-15AAmustUD, P, C, S, TSAgencies must establish an accurate time source, and use it consistently across systems to assist with the correlation of events.
    59005824Apr-15AAshouldUD, P, C, SAgencies should log, at minimum, the following events for all software components:
    • all privileged operations
    • successful and failed elevation of privileges
    • security related system alerts and failures
    • user and group additions, deletions and modification to permissions
    • unauthorised access attempts to critical systems and files.
    59105833Apr-15AAmustTSAgencies must log, at minimum, the following events for all software components
    • all privileged operations
    • successful and failed elevation of privileges
    • security related system alerts and failures
    • user and group additions, deletions and modification to permissions
    • unauthorised access attempts to critical systems and files.
    59211761Sep-12AAshouldUD, PAgencies should log the following events for any system requiring authentication:
    • logons
    • failed logon attempts
    • logoffs.
    59305841Sep-12AAmustC, S, TSAgencies must log the following events for any system requiring authentication:
    • logons
    • failed logon attempts
    • logoffs.
    59409875Apr-15AAshouldUD, P, C, S, TSThe events listed below should be logged.[table][head][cell]Software Component[/cell][cell]Events To Log[/cell][/head][row][cell v=13]Database[/cell][cell]Access to particularly sensitive information[/cell][/row][row][cell]Addition of new users, especially privileged users[/cell][/row][row][cell]Any query containing comments[/cell][/row][row][cell]Any query containing multiple embedded queries[/cell][/row][row][cell]Any query or database alerts or failures[/cell][/row][row][cell]Attempts to elevate privileges[/cell][/row][row][cell]Attempted access that is successful or unsuccessful[/cell][/row][row][cell]Changes to the database structure[/cell][/row][row][cell]Changes to user roles or database permissions[/cell][/row][row][cell]Database administrator actions[/cell][/row][row][cell]Database logons and logoffs[/cell][/row][row][cell]Modifications to data[/cell][/row][row][cell]Use of executable commands e.g. xp_cmdshell[/cell][/row][row][cell v=14]Operating system[/cell][cell]Access to sensitive data and processes[/cell][/row][row][cell]Application crashes including any error messages[/cell][/row][row][cell]Attempts to use special privileges[/cell][/row][row][cell]Changes to accounts[/cell][/row][row][cell]Changes to security policy[/cell][/row][row][cell]Changes to system configuration data[/cell][/row][row][cell]DNS and HTTP requests[/cell][/row][row][cell]Failed attempts to access data and system resources[/cell][/row][row][cell]Service failures and restarts[/cell][/row][row][cell]Successful and failed attempts to logon and logoff[/cell][/row][row][cell]System startup and shutdown[/cell][/row][row][cell]Transfer of data to external media[/cell][/row][row][cell]User or group management[/cell][/row][row][cell]Use of special privileges[/cell][/row][row][cell v=4]Web application[/cell][cell]Attempted access that is denied[/cell][/row][row][cell]Search queries initiated by users[/cell][/row][row][cell]User access to a web application[/cell][/row][row][cell]Web application crashes including any error messages[/cell][/row][/table]
    59505853Apr-15AAmustUD, P, C, S, TSFor each event logged, agencies must ensure that the logging facility records the following details, where applicable:
    • date and time of the event
    • relevant users or process
    • event description
    • success or failure of the event
    • event source e.g. application name
    • ICT equipment location/identification.
    59605863Apr-15AAmustUD, P, C, S, TSEvent logs must be protected from modification and unauthorised access, and whole or partial loss within the defined retention period.
    59709894Sep-12AAshouldUD, P, C, S, TSAgencies should ensure that event log data is archived in a manner that maintains its integrity.
    59808591Sep-11AAmustUD, P, C, S, TSAgencies must retain event logs for a minimum of 7 years after action is completed in accordance with the NAA's Administrative Functions Disposal Authority.
    59909913Sep-12AAshouldUD, P, C, S, TSAgencies should retain DNS and proxy logs for at least 18 months.
    60001094Apr-15AAmustUD, P, C, S, TSAgencies must develop, document and implement event log auditing requirements covering:
    • the scope of audits
    • the audit schedule
    • what constitutes a violation of information security policy
    • action to be taken when violations are detected
    • reporting requirements
    • specific responsibilities.
    60112281Apr-15AAshouldUD, P, C, S, TSAgencies should correlate events across event logs to prioritise audits and focus investigations.
    60213802Sep-17AAshouldUD, PPrivileged users should use a dedicated workstation when performing privileged tasks.
    60314730Sep-17AAmustC, S, TSPrivileged users must use a dedicated workstation when performing privileged tasks.
    60413811Apr-15AAmustUD, P, C, S, TSAgencies must ensure that dedicated workstations used for privileged tasks are prevented from communicating to assets and sending and receiving traffic not related to administrative purposes.
    60513821Apr-15AAshouldUD, P, C, S, TSAgencies should ensure that privileged users are assigned an unprivileged administration account for authenticating to their dedicated workstations.
    60613831Apr-15AAmustUD, P, C, S, TSAgencies must ensure that all administrative infrastructure including, but not limited to, privileged workstations and jump servers are hardened appropriately as per the recommendations in the Software Security chapter.
    60714420Apr-15AAshouldUD, P, C, S, TSWhere virtualisation is used to separate the administrative environment from the regular unprivileged user environment on the same physical workstation, the unprivileged user environment should be the 'guest' and the administrative environment the 'host'.
    60813841Apr-15AAmustUD, P, C, S, TSAgencies must ensure that all privileged actions must pass through at least one multi-factor authentication process.
    60913851Apr-15AAshouldUD, P, C, S, TSAgencies should place the workstations used for privileged activities into a separate privileged network zone as outlined in the Network Design and Configuration section of the Network Security chapter.
    61013862Sep-17AAshouldUD, PAgencies should only allow management traffic to originate from network zones that are used to administer systems and applications.
    61114740Sep-17AAmustC, S, TSAgencies must only allow management traffic to originate from network zones that are used to administer systems and applications.
    61213870Feb-14AAshouldUD, P, C, S, TSAgencies should ensure that all administrative actions are conducted through a jump server.
    61313880Feb-14AAmustUD, P, C, S, TSAgencies must ensure that jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative purposes.
    61405131Apr-15AAshouldUD, P, C, S, TSNetwork management should be kept under the control of a central network management authority.
    61505143Apr-15AAshouldUD, P, C, S, TSAll changes to a network's configuration should be documented and approved through a formal change management process.
    61605151Apr-15AAshouldUD, P, C, S, TSNetwork configurations should be regularly reviewed to ensure that they conform to documented network configurations.
    61705163Apr-15AAmustUD, P, C, S, TSNetwork documentation must include:
    • a high-level network diagram showing all connections into the network
    • a logical network diagram showing all network devices, critical servers and services
    • the configuration of network devices.
    61805183Apr-15AAmustUD, P, C, S, TSNetwork documentation must be updated as network configuration changes are made and include a 'current as at [date]' or equivalent statement.
    61911772Apr-15AAshouldUD, P, C, S, TSNetwork documentation in aggregate should be classified to at least the same level as the network.
    62011782Apr-15AAmustUD, P, C, S, TSNetwork documentation provided to a third party, such as to a commercial provider, must only contain details necessary for them to undertake their contractual services and functions.
    62111802Apr-15AAmustUD, P, C, S, TSNetwork documentation must be sanitised before being published in public tender documentation.
    62213010Sep-12AAshouldUD, P, C, S, TSAn inventory of authorised network devices should be maintained and audited on a regular basis.
    62313031Apr-15AAshouldUD, P, C, S, TSNetworks should be scanned on a regular basis to detect the presence of any network devices not on an inventory of authorised network devices; this includes network devices attached directly to workstations e.g. a 3G dongle attached to a workstation via a USB port.
    62411812Apr-15AAshouldUD, P, C, S, TSNetworks should be divided into multiple functional zones according to the sensitivity or criticality of information or services in that zone.
    62503855Apr-15AAshouldUD, P, C, S, TSServers should maintain effective functional separation with other servers allowing them to operate independently and minimise communications with other servers at both the network and file system level.
    62614600Apr-15AAmustUD, P, C, S, TSWhen using a software-based isolation mechanism to share a physical server's hardware, agencies must ensure that:
    • the isolation mechanism is from a vendor that uses secure programming practices and, when vulnerabilities have been identified, the vendor has developed and distributed patches in a timely manner
    • the configuration of the isolation mechanism is hardened, including removing support for unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism, with the configuration performed and reviewed by subject matter experts
    • the underlying operating system running on the server is hardened
    • security patches are applied to both the isolation mechanism and operating system in a timely manner
    • integrity and log monitoring is performed for the isolation mechanism and underlying operating system in a timely manner.
    62714610Apr-15AAmustC, S, TSWhen using a software-based isolation mechanism to share a physical server's hardware, agencies must control all of the computing environments running on the physical server.
    62814620Apr-15AAmustP, C, S, TSWhen using a software-based isolation mechanism to share a physical server's hardware, agencies must ensure that the physical server and all of the computing environments running on the physical server are at the same security classification.
    62914630Apr-15AAmustC, S, TSWhen using a software-based isolation mechanism to share a physical server's hardware, agencies must ensure that the physical server and all of the computing environments running on the physical server are within the same agency-owned security domain.
    63010065Apr-15AAshouldUD, P, C, S, TSSecurity measures should be implemented to minimise the risk of unauthorised access to network management traffic on a network.
    63105205Apr-15AAshouldUD, P, C, S, TSNetwork access controls should be implemented on networks.
    63211822Apr-15AAshouldUD, P, C, S, TSNetwork access controls should be implemented to limit traffic within and between network segments to only those that are required for business operations.
    63314270Apr-15AAshouldUD, P, C, S, TSInternet Best Current Practice 38 (BCP38) should be implemented on networks.
    63400714Apr-15AAmustUD, P, C, S, TSIf information is processed, stored or communicated by a system not under an agency's control, the agency must ensure that the other party's system has appropriate security measures in place to protect the agency's information.
    63505331Sep-12AAshouldUD, P, C, SUnused physical ports on network devices should be disabled.
    63605341Sep-12AAmustTSUnused physical ports on network devices must be disabled.
    63713041Apr-15AAmustUD, P, C, S, TSDefault network device accounts must be disabled, renamed or have their passphrase changed.
    63813050Sep-12AAshouldUD, P, C, S, TSAll clocks should be synchronised between network devices.
    63913072Apr-15AAshouldUD, P, C, S, TSNetwork access control should be used to validate devices as compliant with agency security policies before granting access to networks.
    64005765Apr-15AAmustUD, P, C, S, TSAgencies must develop, implement and maintain an intrusion detection and prevention strategy that includes:
    • network-based intrusion detection and prevention systems
    • procedures and resources for maintaining detection signatures
    • procedures and resources for the analysis of event logs and real-time alerts
    • procedures and resources for responding to detected cyber security incidents
    • the frequency for review of intrusion detection and prevention procedures and resourcing.
    64105775Apr-15AAshouldUD, PNIDS/NIPS should be deployed in all gateways between an agency's networks and public networks.
    64210285Apr-15AAshouldUD, P, C, S, TSNIDS/NIPS should be deployed in all gateways between agency networks and other networks they do not manage.
    64310295Apr-15AAshouldUD, P, C, S, TSNIDS/NIPS in gateways should be located immediately inside the outermost firewall.
    64410305Apr-15AAshouldUD, P, C, S, TSNIDS/NIPS located behind a firewall should be configured to generate a log entry, and an alert, for any information flows that contravene any rule in the firewall rule set.
    64511852Apr-15AAmustUD, P, C, S, TSWhen deploying NIDS/NIPS in non-internet gateways, they must be configured to monitor unusual patterns of behaviours or traffic flows, rather than detect specific internet-based communication protocol signatures.
    64613102Apr-15AAshould notUDVLANs should not be used to separate network traffic between networks as indicated in the table below.[table][head][cell] [/cell][cell]Public[/cell][cell]Unclassified (DLM)[/cell][cell]Protected[/cell][cell]Confidential[/cell][cell]Secret[/cell][cell]Top Secret[/cell][/head][row][cell]Public[/cell][cell] [/cell][cell]X[/cell][cell h=4][/cell][/row][row][cell]Unclassified (DLM)[/cell][cell]X[/cell][cell] [/cell][cell h=4][/cell][/row][row][cell]PROTECTED[/cell][cell h=6] [/cell][/row][row][cell]CONFIDENTIAL[/cell][cell h=6] [/cell][/row][row][cell]SECRET[/cell][cell h=6] [/cell][/row][row][cell]TOP SECRET[/cell][cell h=6] [/cell][/row][/table]
    64705294Apr-15AAmust notP, C, S, TSVLANs must not be used to separate network traffic between networks as indicated in the table below.[table][head][cell] [/cell][cell]Public[/cell][cell]Unclassified (DLM)[/cell][cell]Protected[/cell][cell]Confidential[/cell][cell]Secret[/cell][cell]Top Secret[/cell][/head][row][cell]Public[/cell][cell h=2][/cell][cell]X[/cell][cell]X[/cell][cell]X[/cell][cell]X[/cell][/row][row][cell]Unclassified (DLM)[/cell][cell h=2][/cell][cell]X[/cell][cell]X[/cell][cell]X[/cell][cell]X[/cell][/row][row][cell]PROTECTED[/cell][cell]X[/cell][cell]X[/cell][cell] [/cell][cell]X[/cell][cell]X[/cell][cell]X[/cell][/row][row][cell]CONFIDENTIAL[/cell][cell]X[/cell][cell]X[/cell][cell]X[/cell][cell] [/cell][cell]X[/cell][cell]X[/cell][/row][row][cell]SECRET[/cell][cell]X[/cell][cell]X[/cell][cell]X[/cell][cell]X[/cell][cell] [/cell][cell]X[/cell][/row][row][cell]TOP SECRET[/cell][cell]X[/cell][cell]X[/cell][cell]X[/cell][cell]X[/cell][cell]X[/cell][cell] [/cell][/row][/table]
    64813641Apr-15AAmustUD, P, C, S, TSVLANs from different security domains must be terminated on separate physical network interfaces.
    64905354Apr-15AAmust notUD, P, C, S, TSVLANs with different classifications must not share VLAN trunks.
    65005304Apr-15AAmustUD, P, C, S, TSNetwork devices implementing VLANs must only be managed from the most trusted network.
    65105214Apr-15AAmustUD, P, C, S, TSDual-stack network devices and ICT equipment that support IPv6 must disable the functionality unless it is being used.
    65211862Apr-15AAmustUD, P, C, S, TSNetwork security devices on IPv6 or dual-stack networks must be IPv6 capable.
    65314280Apr-15AAmustUD, P, C, S, TSUnless explicitly required, IPv6 tunnelling must be disabled on all network devices and ICT equipment.
    65414290Apr-15AAmustUD, P, C, S, TSIPv6 tunnelling must be blocked by network security devices at externally connected network boundaries.
    65514300Apr-15AAshouldUD, P, C, S, TSDynamically assigned IPv6 addresses should be configured with DHCPv6 in a stateful manner with lease information stored in a centralised logging facility.
    65605254Apr-15AAmustUD, P, C, S, TSWhen enabling a dual-stack environment or a wholly IPv6 environment the network must be reaccredited.
    65713111Apr-15AAmust notUD, P, C, S, TSSNMPv1 and SNMPv2 must not be used on networks.
    65813121Apr-15AAshouldUD, P, C, S, TSAll default SNMP community strings on network devices should be changed and have write access disabled.
    65914580Apr-15AAshouldUD, PAgencies should determine the functionality and quality of services acceptable to legitimate users of online services, how to maintain such functionality, and what functionality can be lived without during a denial of service.
    66014310Apr-15AAshouldUD, PAgencies should discuss denial of service prevention and mitigation strategies with service providers, specifically:
    • their capacity to withstand a denial of service
    • any costs likely to be incurred by customers resulting from a denial of service
    • thresholds for notifying customers or turning off their online services during a denial of service
    • pre-approved actions that can be undertaken during a denial of service.
    66114320Apr-15AAshouldUD, PDomain names for online services should be protected by ensuring registrar locking and confirming domain registration details (e.g. contact details) are correct.
    66214330Apr-15AAshouldUD, PAgencies should maintain 24x7 contact details for service providers and service providers should maintain 24x7 contact details for their customers.
    66314340Apr-15AAshouldUD, PAgencies and service providers should provide each other with additional out-of-band contact details (e.g. mobile phone number and non-corporate email) for use when normal communication channels fail.
    66414350Apr-15AAshouldUD, PAvailability monitoring with real-time alerting should be implemented to detect an attempted denial of service and measure its impact.
    66514360Apr-15AAshouldUD, PCritical online services (e.g. email services) should be segregated from other online services that are more likely to be targeted (e.g. web hosting services).
    66611901Apr-15AAshouldUD, PAgencies should use multiple Internet links provided by different Internet Service Providers.
    66714371Sep-17AAshouldUD, PA cloud service provider, preferably multiple different cloud service providers, should be used for hosting online services.
    66814380Apr-15AAshouldUD, PWhere a requirement for high availability exists for website hosting, content delivery networks that cache websites should be used.
    66914390Apr-15AAshouldUD, PIf using a content delivery network, disclosing the IP address of the web server under the agency's control (referred to as the origin server) should be avoided.
    67014400Apr-15AAshouldUD, PIf using a content delivery network, access to the origin server should be restricted to the content delivery network and an authorised management network.
    67114410Apr-15AAshouldUD, PA denial of service mitigation service should be used.
    67205365Apr-15AAmustUD, P, C, S, TSWireless networks deployed for the general public to access must be segregated from all other agency networks.
    67313140Sep-12AAmustUD, P, C, S, TSAll wireless access points used for wireless networks must be Wi-Fi Alliance certified.
    67413151Apr-15AAshouldUD, P, C, S, TSThe administrative interface on wireless access points should be disabled for wireless connections.
    67513161Apr-15AAmustUD, P, C, S, TSThe default SSID of wireless access points must be changed.
    67613171Apr-15AAshould notUD, P, C, S, TSThe SSID of a wireless network should not be readily associated with an agency, the location of their premises, or the functionality of the wireless network.
    67713181Apr-15AAshouldUD, P, C, S, TSSSID broadcasting should be enabled on wireless networks.
    67813191Apr-15AAshouldUD, P, C, S, TSThe dynamic host configuration protocol should be used for assigning IP addresses on wireless networks.
    67913201Feb-14AAshould notUD, P, C, S, TSMAC address filtering should not be used as a security mechanism to restrict which devices can connect to a wireless network.
    68013210Sep-12AAmustUD, P, C, S, TSWPA2-Enterprise with EAP-TLS must be used on wireless networks to perform mutual authentication.
    68113221Apr-15AAmustPSupplicants, authenticators and the authentication server used in wireless networks must have completed a Common Criteria evaluation, an ACE and be listed on ASD's EPL.
    68214430Apr-15AAmustC, S, TSSupplicants, authenticators and the authentication server used in wireless networks must have completed an evaluation endorsed by ASD.
    68313231Apr-15AAshouldUD, P, C, S, TSUnique certificates should be used for both devices and users accessing a wireless network.
    68413241Apr-15AAmustPCertificates must be generated using a certificate authority product or hardware security module that has completed a Common Criteria evaluation, an ACE and is listed on ASD's EPL.
    68514440Apr-15AAmustC, S, TSCertificates must be generated using a certificate authority product or hardware security module that has completed an evaluation endorsed by ASD.
    68613250Sep-12AAmust notUD, P, C, S, TSThe certificates for both a device and user accessing a wireless network must not be stored on the same device.
    68713261Apr-15AAshouldUD, P, C, S, TSCertificates for users accessing wireless networks should be issued on smart cards with access PINs and stored separately from devices when not in use.
    68813270Sep-12AAshouldUD, P, C, S, TSCertificates stored on devices accessing wireless networks should be protected by implementing full disk encryption on the devices.
    68913280Sep-12AAmustUD, P, C, S, TSDevices must be configured to validate the server certificate, disable any trust for certificates generated by commercial certificate authorities that are not trusted and disable the ability to prompt users to authorise new servers or commercial certification authorities.
    69013290Sep-12AAshouldUD, P, C, S, TSDevices should be set to enable identity privacy.
    69113300Sep-12AAshould notUD, P, C, S, TSThe PMK caching period should not be set to greater than 1440 minutes (24 hours).
    69214540Apr-15AAshouldUD, PCommunications between wireless access points and a RADIUS server should be encapsulated with an additional layer of encryption.
    69313311Apr-15AAmustC, S, TSCommunications between wireless access points and a RADIUS server must be encapsulated with an additional layer of encryption.
    69413320Sep-12AAmustUD, P, C, S, TSCCMP must be used to protect the confidentiality and integrity of all wireless network traffic.
    69505435Apr-15AAmustPClassified information must be encrypted with an encryption product that has completed a Common Criteria evaluation, an ACE and be listed on ASD's EPL before being communicated over a wireless network.
    69614450Apr-15AAmustC, S, TSClassified information must be encrypted with an encryption product that has completed an evaluation endorsed by ASD before being communicated over a wireless network.
    69713330Sep-12AAmustUD, P, C, S, TSTKIP and WEP support must be disabled or removed from wireless access points.
    69813341Apr-15AAshouldUD, P, C, S, TSWireless networks should implement sufficient frequency separation from other wireless networks
    69913350Sep-12AAshouldUD, P, C, S, TSWireless access points and devices should be upgraded to support the 802.11w amendment.
    70013360Sep-12AAshouldUD, P, C, S, TSWireless functionality on devices should be disabled, preferably by a hardware switch, whenever connected to a fixed network.
    70113370Sep-12AAmust notUD, P, C, S, TSDevices must not be configured to remember and automatically connect to open wireless networks that they have previously connected to.
    70213380Sep-12AAshouldUD, P, C, S, TSInstead of deploying a small number of wireless access points that broadcast on high power, more wireless access points that use minimal broadcast power should be deployed to achieve the desired wireless network footprint.
    70310134Sep-12AAshouldC, S, TSThe effective range of wireless communications outside an agency's area of control should be limited by implementing RF shielding on buildings in which wireless networks are used.
    70405465Apr-15AAshouldUD, P, C, S, TSWhere a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall should be used.
    70505472Apr-15AAshouldUD, P, C, S, TSVideo conferencing and IP telephony signalling and data should be encrypted.
    70605482Apr-15AAshouldUD, P, C, S, TSVideo conferencing and IP telephony functions should only be established using the secure signalling and data protocols.
    70705540Sep-08AAshouldUD, P, C, S, TSAn encrypted and non-replayable two-way authentication scheme should be used for call authentication and authorisation.
    70805532Apr-15AAshouldUD, P, C, S, TSAuthentication and authorisation should be used for all actions on the video conferencing network, including call setup and changing settings.
    70905551Sep-11AAshouldUD, P, C, S, TSAuthentication and authorisation should be used for all actions on the IP telephony network, including:
    • registering a new IP phone
    • changing phone users
    • changing settings
    • accessing voice mail.
    71005514Apr-15AAshouldUD, PIP telephony should be configured such that:
    • IP phones authenticate themselves to the call controller upon registration
    • auto-registration is disabled and only a whitelist of authorised devices are allowed to access the network
    • unauthorised devices are blocked by default
    • all unused and prohibited functionality is disabled.
    71105524Apr-15AAmustC, S, TSIP telephony must be configured such that:
    • IP phones authenticate themselves to the call controller upon registration
    • auto-registration is disabled and only a whitelist of authorised devices are allowed to access the network
    • unauthorised devices are blocked by default
    • all unused and prohibited functionality is disabled.
    71210144Apr-15AAshouldC, S, TSIndividual logins should be used for IP phones.
    71305492Sep-12AAshouldUD, PVideo conferencing and IP telephony traffic should be separated either physically or logically from other data traffic.
    71405502Sep-12AAmustC, S, TSVideo conferencing and IP telephony traffic must be separated either physically or logically from other data traffic.
    71505563Sep-12AAshould notUD, PWorkstations should not be connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic.
    71605573Sep-12AAmust notC, S, TSWorkstations must not be connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic.
    71710154Apr-15AAshouldUD, P, C, S, TSTraditional analog phones should be used in lobby and shared areas.
    71805583Sep-12AAshouldUD, P, C, S, TSIf IP phones are used in lobby and shared areas, their ability to access data networks and functionality for voice mail and directory services should be limited.
    71905593Apr-15AAshould notUD, PMicrophones (including headsets and USB handsets) and webcams should not be used with Unclassified (DLM) or PROTECTED workstations in CONFIDENTIAL or SECRET areas.
    72014500Apr-15AAmust notUD, P, C, SMicrophones (including headsets and USB handsets) and webcams must not be used with Unclassified (DLM), PROTECTED, CONFIDENTIAL or SECRET workstations in TOP SECRET areas.
    72110196Sep-17AAshouldUD, P, C, S, TSAgencies should develop a denial of service response plan that includes:
    • how to identify signs of a denial of service
    • how to identify the source of a denial of service, either internal or external
    • how capabilities can be maintained during a denial of service e.g. personal mobile phones that have been identified for use in case of an emergency
    • what actions can be taken to clear a denial of service e.g. banning certain devices/IPs at the call controller and firewalls, implementing quality of service, changing authentication, changing dial-in authentication.
    72211613Apr-15AAmustUDAgencies must use an encryption product that implements an ASD Approved Cryptographic Algorithm (AACA) if they wish to reduce the storage or physical transfer requirements for ICT equipment or media that contains sensitive information to an unclassified level.
    72304574Feb-14AAmustPAgencies must use a Common Criteria-evaluated encryption product that has completed an ACE if they wish to reduce the storage or physical transfer requirements for ICT equipment or media that contains classified information to an unclassified level.
    72404607Apr-15ASDmustC, S, TSAgencies must use HACE products if they wish to reduce the storage or physical transfer requirements for ICT equipment or media that contains classified information to that of a lower classification.
    72504592Nov-10AAshouldUD, PAgencies using encryption to secure data at rest should use either:
    • full disk encryption
    • partial encryption where the access control will only allow writing to the encrypted partition.
    72604614Feb-14ASDmustC, S, TSAgencies using encryption to secure data at rest must use either:
    • full disk encryption
    • partial encryption where the access control will only allow writing to the encrypted partition.
    72710801Feb-14AAmustP, C, S, TSIn addition to any encryption already in place, agencies must, at minimum, use an AACA to protect AUSTEO and AGAO information when at rest on a system.
    72804551Nov-10AAmustUD, PWhere practical, cryptographic products must provide a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure.
    72904561Sep-11ASDmustC, S, TSWhere practical, cryptographic products must provide a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure.
    73004624Sep-12AAmustUD, P, C, S, TSWhen a user authenticates to ICT equipment storing encrypted information, it must be treated in accordance with the original sensitivity or classification of the equipment.
    73111622Feb-14AAmustUDAgencies must use an encryption product that implements an AACP if they wish to communicate sensitive information over public network infrastructure.
    73204655Feb-14AAmustPAgencies must use a Common Criteria-evaluated encryption product that has completed an ACE if they wish to communicate classified information over public network infrastructure.
    73304677Apr-15ASDmustC, S, TSAgencies must use HACE products if they wish to communicate classified information over networks of a lower classification or public network infrastructure.
    73404692Feb-14AAmustP, C, S, TSIn addition to any encryption already in place for communication mediums, agencies must, at minimum, use an AACP to protect AUSTEO and AGAO information when in transit.
    73504714Feb-14AAmustUD, PAgencies using an unevaluated product that implements an AACA must ensure that only AACAs can be used.
    73609944Sep-12AAshouldUD, PAgencies should use ECDH and ECDSA in preference to DH and DSA.
    73704723Sep-12AAmustUD, PAgencies using DH for the approved use of agreeing on encryption session keys must use a modulus of at least 1024 bits.
    73814750Sep-17AAmustUD, PAgencies using DH for the approved use of agreeing on encryption session keys should use a modulus of at least 2048 bits.
    73904733Sep-12AAmustUD, PAgencies using DSA for the approved use of digital signatures must use a modulus of at least 1024 bits.
    74014760Sep-17AAmustUD, PAgencies using DSA for the approved use of digital signatures should use a modulus of at least 2048 bits.
    74114460Apr-15AAmustUD, PAgencies using elliptic curve cryptography must select a curve from the NIST standard, FIPS 186-4.
    74204743Sep-12AAmustUD, PAgencies using ECDH for the approved use of agreeing on encryption session keys must use a field/key size of at least 160 bits.
    74304753Sep-12AAmustUD, PAgencies using ECDSA for the approved use of digital signatures must use a field/key size of at least 160 bits.
    74404764Apr-15AAmustUD, PAgencies using RSA, both for the approved use of digital signatures and passing encryption session keys or similar keys, must use a modulus of at least 1024 bits.
    74514770Sep-17AAmustUD, PAgencies using RSA, both for the approved use of digital signatures and passing encryption session keys or similar keys, should use a modulus of at least 2048 bits.
    74604775Feb-14AAmustUD, PAgencies using RSA, both for the approved use of digital signatures and for passing encryption session keys or similar keys, must ensure that the key pair used for passing encrypted session keys is different from the key pair used for digital signatures.
    74710543Sep-17AAmustUD, PAgencies must use a hashing algorithm from the SHA-2 family.
    74804793Sep-12AAshould notUD, PAgencies using AES or 3DES should not use electronic codebook mode.
    74904805Sep-17AAmustUD, PAgencies using 3DES must use three distinct keys.
    75014681Sep-17ASDshouldC, S, TSAgencies should give preference to algorithms which meet the standards described in CNSSAM 02-15 to appropriately protect CONFIDENTIAL, SECRET and/or TOP SECRET information.
    75112313Sep-17ASDmustC, S, TSIf using Suite B, agencies must use the associated algorithms in the configuration specified in the table below, to appropriately protect CONFIDENTIAL, SECRET and TOP SECRET information.[table][head][cell]-[/cell][cell]Cryptographic Algorithm or Protocol[/cell][cell]Requirements for Information Classified Confidential and Secret[/cell][cell]Requirements for Information Classified Top Secret[/cell][/head][row][cell v=2]Encryption[/cell][cell v=2]AES[/cell][cell]128 bit key OR 256 bit key[/cell][cell]256 bit key[/cell][/row][row][cell h=2]CNSSAM recommendation AES 256 bit key[/cell][/row][row][cell v=2]Hashing[/cell][cell v=2]SHA[/cell][cell]SHA-256 OR SHA-384[/cell][cell]SHA-384[/cell][/row][row][cell h=2]CNSSAM recommendation SHA-384[/cell][/row][row][cell v=2]Digital Signature[/cell][cell v=2]ECDSA[/cell][cell]NIST P-256 OR NIST P-384[/cell][cell]NIST P-384[/cell][/row][row][cell h=2]CNSSAM recommendation NIST P-384 OR RSA 3072-bit or larger[/cell][/row][row][cell v=2]Key Exchange[/cell][cell v=2]ECDH[/cell][cell]NIST P-256 OR NIST P-384[/cell][cell]NIST P-384[/cell][/row][row][cell h=2]CNSSAM recommendation DH 3072-bit or larger, or NIST P-384 or RSA 3072-bit or larger[/cell][/row][/table]
    75212322Apr-15ASDmustC, S, TSAgencies using Suite B algorithms must use them in an evaluated configuration.
    75304813Feb-14AAmustUD, P, C, S, TSAgencies using a product that implements an AACP must ensure that only AACAs can be used.
    75404824Feb-14AAmust notUD, P, C, S, TSAgencies must not use SSL
    75514470Apr-15AAmustUD, P, C, S, TSAgencies must use TLS
    75611393Apr-15AAshouldUD, P, C, S, TSAgencies should use the latest version of TLS.
    75713690Feb-14AAshouldUD, P, C, S, TSAgencies should use AES-GCM for symmetric encryption when available.
    75813700Feb-14AAshouldUD, P, C, S, TSAgencies should use a TLS implementation that supports secure renegotiation
    75913710Feb-14AAmustUD, P, C, S, TSIf secure renegotiation is not available, agencies must disable renegotiation
    76013721Apr-15AAshouldUD, P, C, S, TSAgencies should use DH or ECDH for key establishment.
    76114480Apr-15AAshouldUD, P, C, S, TSWhen using DH or ECDH for key establishment, agencies should use the ephemeral variant.
    76213730Feb-14AAmust notUD, P, C, S, TSAgencies must not use anonymous DH.
    76313740Feb-14AAshouldUD, P, C, S, TSAgencies should use SHA-2 based certificates where available.
    76413751Apr-15AAshouldUD, P, C, S, TSCipher suites should be configured to use SHA-2 as part of the Message Authentication Code (MAC) and Pseudo-Random Function (PRF) where possible.
    76514530Apr-15AAshouldUD, P, C, S, TSAgencies should use Perfect Forward Secrecy for TLS connections.
    76604843Sep-12AAshouldUD, P, C, S, TSThe settings below should be implemented when using SSH.[table][head][cell]Configuration Description[/cell][cell]Configuration Directive[/cell][/head][row][cell]Disallow the use of SSH version 1[/cell][cell]Protocol 2[/cell][/row][row][cell]On machines with multiple interfaces, configure the SSH daemon to listen only on the required interfaces[/cell][cell]ListenAddress xxx.xxx.xxx.xxx[/cell][/row][row][cell]Disable connection forwarding[/cell][cell]AllowTCPForwarding no[/cell][/row][row][cell]Disable gateway ports[/cell][cell]Gatewayports no[/cell][/row][row][cell]Disable the ability to login directly as root[/cell][cell]PermitRootLogin no[/cell][/row][row][cell]Disable host-based authentication[/cell][cell]HostbasedAuthentication no[/cell][/row][row][cell v=2]Disable rhosts-based authentication[/cell][cell]RhostsAuthentication no[/cell][/row][row][cell]IgnoreRhosts yes[/cell][/row][row][cell]Do not allow empty passphrases[/cell][cell]PermitEmptyPasswords no[/cell][/row][row][cell]Configure a suitable login banner[/cell][cell]Banner/directory/filename[/cell][/row][row][cell]Configure a login authentication timeout of no more than 60 seconds[/cell][cell]LoginGraceTime xx[/cell][/row][row][cell]Disable X forwarding[/cell][cell]X11Forwarding no[/cell][/row][/table]
    76704852Nov-10AAshouldUD, P, C, S, TSAgencies should use public key-based authentication in preference to using passphrase-based authentication.
    76814490Apr-15AAshouldUD, P, C, S, TSAgencies should protect SSH private keys with a passphrase or a key encryption key.
    76904863Apr-15AAmustUD, P, C, S, TSAgencies that allow passphrase authentication must use techniques to block brute force attempts against the passphrase.
    77004872Nov-10AAshouldUD, P, C, S, TSAgencies that use logins without a passphrase for automated purposes should disable:
    • access from IP addresses that do not need access
    • port forwarding
    • agent credential forwarding
    • X11 display remoting
    • console access.
    77104882Nov-10AAshouldUD, P, C, S, TSAgencies that use remote access without the use of a passphrase should use the 'forced command' option to specify what command is executed.
    77209973Sep-11AAshouldUD, P, C, S, TSAgencies should use parameter checking when using the 'forced command' option.
    77304893Apr-15AAshouldUD, P, C, S, TSAgencies that use SSH-agent or other similar key caching programs should:
    • only use the software on workstation and servers with screen locks
    • ensure that the key cache expires within four hours of inactivity
    • ensure that agent credential forwarding is used when SSH traversal is needed.
    77404902Nov-10AAshould notUD, P, C, S, TSAgencies should not allow versions of S/MIME earlier than 3.0 to be used.
    77504942Nov-10AAshouldUD, P, C, S, TSAgencies should use tunnel mode for IPsec connections.
    77604952Nov-10AAshouldUD, P, C, S, TSAgencies choosing to use transport mode should additionally use an IP tunnel for IPsec connections.
    77704963Sep-12AAmustUD, P, C, S, TSAgencies must use the ESP protocol for IPsec connections.
    77812330Sep-12AAmust notUD, P, C, S, TSAgencies must not use manual keying for Key Exchange when establishing an IPsec connection.
    77904974Apr-15AAshouldUD, P, C, S, TSAgencies using ISAKMP in IKEv1 should disable aggressive mode.
    78004982Nov-10AAshouldUD, P, C, S, TSAgencies should use a security association lifetime of less than four hours, or 14400 seconds.
    78109983Sep-11AAmustUD, P, C, S, TSAgencies must use HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 as a HMAC algorithm.
    78209994Apr-15AAshouldUD, P, C, S, TSAgencies should use the largest modulus size possible for all relevant components in the network when conducting a key exchange.
    78310003Sep-11AAshouldUD, P, C, S, TSAgencies should use Perfect Forward Secrecy for IPsec connections.
    78410013Sep-11AAshouldUD, P, C, S, TSAgencies should disable the use of XAUTH for IPsec connections using IKEv1.
    78510913Apr-15AAmustUD, P, C, S, TSAgencies must revoke keying materials or certificates when they are suspected of being compromised.
    78613930Apr-15ASDmustUD, P, C, S, TSAgencies must immediately report to ASD any HACE keying material or certificates when they are suspected of being compromised.
    78704996Apr-15ASDmustC, S, TSAgencies must comply with ACSI 53, ACSI 103, ACSI 105, ACSI 107 or ACSI 173 and the specific equipment doctrine when using HACE.
    78810023Sep-11AAshould notUD, PAgencies should not transport commercial grade cryptographic equipment in a keyed state.
    78905002Nov-10AAmustUD, PUnkeyed commercial grade cryptographic equipment must be distributed and managed by a means approved for the transportation and management of government property.
    79005013Sep-11AAmustUD, PKeyed commercial grade cryptographic equipment must be distributed, managed and stored by a means approved for the transportation and management of government property based on the sensitivity or classification of the key in the equipment.
    79105025Apr-15AAmustUD, P, C, S, TSBefore personnel are granted communications security custodian access, agencies must ensure that they have:
    • a demonstrated need for access
    • read and agreed to comply with the relevant Key Management Plan (KMP) for the cryptographic system they are using
    • a security clearance at least equal to the classification of the keying material
    • agreed to protect the authentication information for the cryptographic system at the sensitivity or classification of information it secures
    • agreed not to share authentication information for the cryptographic system without approval
    • agreed to be responsible for all actions under their accounts
    • agreed to report all potentially security related problems to an ITSM or a COMSEC Custodian Officer.
    79205034Sep-17AAmustUD, P, C, S, TSAgencies must be able to readily account for all transactions relating to cryptographic system material, including identifying hardware and software that were issued with the cryptographic equipment and materials, when they were issued and where they were issued.
    79305043Feb-14AAmustUD, P, C, S, TSAgencies must conduct inventory of cryptographic system material:
    • on handover/takeover of administrative responsibility for the cryptographic system
    • on change of personnel with access to the cryptographic system
    • at least twice a year.
    79410034Feb-14AAshouldUD, P, C, S, TSAgencies should perform inventory to check all cryptographic system material as per the accounting documentation.
    79510044Feb-14AAshouldUD, P, C, S, TSAgencies should conduct inventory using two personnel that have undergone communications security custodial training and have been appointed as COMSEC custodians.
    79605054Sep-17AAshouldUD, P, C, S, TSCryptographic equipment should be stored in a room that meets the requirements for a server room of an appropriate level, based on the sensitivity or classification of the information the cryptographic system processes.
    79705062Apr-15AAshouldC, S, TSAreas in which High Assurance Cryptographic Equipment is used should be separated from other areas and designated as a cryptographic controlled area.
    79805073Apr-15AAshouldUD, PAgencies should develop a KMP when they implement a cryptographic system using cryptographic equipment.
    79905096Apr-15AAmustC, S, TSAgencies must have an approved KMP in place prior to implementing a High Assurance cryptographic system using High Assurance Cryptographic Equipment.
    80005105Apr-15AAmustC, S, TSAgencies must document the minimum contents in their KMP as described in ACSI 105.
    80105114Apr-15AAmustC, S, TSThe level of detail included in a KMP must be consistent with the criticality and sensitivity or classification of the information to be protected.
    80210055Apr-15AAshouldC, S, TSAgencies should hold and maintain an access register that records High Assurance cryptographic system information such as:
    • details of personnel with system administrator access
    • details of those whose system administrator access was withdrawn
    • details of system documents
    • accounting activities
    • compliance check activities.
    80306284May-16AAmustUD, P, C, S, TSAgencies must ensure that:
    • all systems are protected from systems in other security domains by one or more gateways or cross domain solutions
    • all gateways contain mechanisms to filter data flows at the network layer.
    80411921May-16AAshouldUD, P, C, S, TSAgencies should ensure that all connections between security domains contain mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model.
    80506313Sep-12AAmustUD, P, C, S, TSAgencies must ensure that gateways:
    • are the only communications paths into and out of internal networks
    • by default, deny all connections into and out of the network
    • allow only explicitly authorised connections
    • are configured to apply controls as specified in the Data Transfers and Content Filtering chapter of this manual
    • are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)
    • provide sufficient logging and audit capabilities to detect cyber security incidents, attempted intrusions and overuse/unusual usage patterns
    • provide real-time alerts.
    80606345Feb-14AAmustUD, P, C, S, TSAgencies must ensure that all gateways connecting networks in different security domains are operated and maintained such that they:
    • apply controls as specified in the Data Transfers and Content Filtering chapter of this manual
    • filter and log network traffic attempting to enter the gateway, agencies may choose not to log untrusted internet traffic providing there is application level logging related to the permitted network communications (eg. the web server logs successful connections).
    • log network traffic attempting to leave the gateway
    • are configured to save event logs to a separate secure log server
    • are protected by authentication, logging and auditing of all physical access to gateway components
    • have all controls tested to verify their effectiveness after any changes to their configuration.
    80706374Sep-12AAmustUD, P, C, S, TSAgencies must use demilitarised zones to house services accessed externally and mediate internal and external access to information held on agency networks.
    80805982Nov-10AAmustUD, P, C, S, TSAgencies must perform a security risk assessment on gateways and their configuration before their implementation.
    80906052Nov-10AAmustUD, P, C, S, TSAll owners of systems connected via a gateway must understand and accept the residual security risk of the gateway and from any connected security domains including those connected via a cascaded connection.
    81010413Sep-12AAshouldUD, P, C, S, TSAgencies should review at least annually the security architecture of the gateway and security risks of all connected security domains including those connected via a cascaded connection.
    81106243Sep-11AAmustUD, P, C, S, TSAgencies must update the Security Risk Management Plan before changes are made to the gateway to ensure all security risks have been accepted.
    81206253Sep-11AAmustUD, P, C, S, TSAgencies must document and assess all changes to gateway architecture in accordance with the agency's change management process.
    81310374May-16AAshouldUD, P, C, S, TSAgencies should ensure that testing of security measures is performed at irregular intervals no more than six months apart.
    81406094Sep-12AAshouldUD, PAll users should be trained on the secure use and security risks of gateways before access to systems connected to a gateway is granted.
    81506104Sep-12AAmustC, S, TSAll users must be trained on the secure use and security risks of gateways before access to the systems connected to a gateway is granted.
    81606112Nov-10AAmustUD, P, C, S, TSAgencies must limit access to gateway administration functions.
    81706123Sep-11AAmustUD, P, C, S, TSAgencies must ensure that system administrators are formally trained to manage gateways.
    81806133Sep-12AAmustP, C, S, TSAgencies must ensure that all system administrators of gateways that process AUSTEO or AGAO information are Australian nationals.
    81906162Nov-10AAshouldUD, PAgencies should separate roles for the administration of gateways (e.g. separate network and security policy configuration roles).
    82006172Nov-10AAmustC, S, TSAgencies must separate roles for the administration of gateways (e.g. separate network and security policy configuration roles).
    82106292Nov-10AAmustUD, P, C, S, TSFor gateways between networks in different security domains, any shared components must be managed by the system owners of the highest security domain or by a mutually agreed party.
    82206071Nov-10AAshouldUD, POnce connectivity is established, system owners should become information stakeholders for all connected security domains.
    82306081Nov-10AAmustC, S, TSOnce connectivity is established, system owners must become information stakeholders for all connected security domains.
    82406194Sep-12AAmustUD, P, C, S, TSAgencies must authenticate users to all sensitive or classified networks accessed through gateways.
    82506203Sep-12AAmustUD, P, C, S, TSAgencies must ensure that only users authenticated and authorised to a gateway can use the gateway.
    82610393Sep-11AAshouldUD, P, C, S, TSAgencies should use multi-factor authentication for access to gateways.
    82706224Feb-14AAshouldUD, P, C, S, TSAgencies should authenticate ICT equipment to networks accessed through gateways.
    82806263Sep-11AAmustC, S, TSAgencies connecting a TOP SECRET, SECRET or CONFIDENTIAL network to any other network from a different security domain must implement a CDS.
    82905975Feb-14AAmustC, S, TSWhen designing and deploying a CDS, agencies must consult with ASD Technical Assessments and comply with all directions provided.
    83006275May-16AAmustC, S, TSAgencies introducing additional connectivity to a CDS, such as adding a new gateway to a common network, must consult with ASD Technical Assessments on the impact to the security of the CDS and comply with all directions provided.
    83106353Sep-11AAmustC, S, TSAgencies must ensure that all bi-directional gateways between TOP SECRET, SECRET or CONFIDENTIAL networks and any other network have separate upward and downward network paths using a diode, content filtering and physically separate infrastructure for each path.
    83206703Sep-12AAmustC, S, TSWhen exporting data from a security domain, agencies must ensure that all CDS events are logged.
    83306752Sep-12AAmustC, S, TSA trusted source must sign all data to be exported from a security domain.
    83411932Apr-15AAmustUDAgencies must use a firewall between networks of different security domains.
    83506396Apr-15AAmustPAgencies must use an ASD approved firewall between networks of different security domains.
    83611941Sep-12AAmustUD, P, C, S, TSThe requirement to use a firewall as part of gateway infrastructure must be met by both parties independently; shared equipment does not satisfy the requirements of both parties.
    83706416Apr-15AAmustP, C, S, TSAgencies must use an ASD approved firewall between an AUSTEO or AGAO network and a foreign network in addition to the firewall between networks of different security domains.
    83806426Apr-15AAshouldP, C, S, TSAgencies should use an ASD approved firewall between an AUSTEO or AGAO network and another Australian controlled network in addition to the firewall between networks of different security domains.
    83906434Sep-12AAmustUD, PAgencies must use a Common Criteria-evaluated diode for controlling the data flow of uni-directional gateways between sensitive or classified networks and public network infrastructure.
    84006454Feb-14AAmustC, S, TSAgencies must use a High Assurance diode from ASD's EPL for controlling the data flow of uni-directional gateways between classified networks and public network infrastructure.
    84111572Sep-12AAmustUD, PAgencies must use a Common Criteria-evaluated diode for controlling the data flow of uni-directional gateways between sensitive and classified networks.
    84211583Feb-14AAmustUD, P, C, S, TSAgencies must use a High Assurance diode from ASD's EPL for controlling the data flow of uni-directional gateways between sensitive or classified networks where the highest system is CONFIDENTIAL or above.
    84306463Sep-12AAmustP, C, S, TSAgencies must use a Common Criteria-evaluated diode between an AUSTEO or AGAO network and a foreign network at the same classification.
    84406475Feb-14AAshouldP, C, S, TSAgencies should use a Common Criteria-evaluated diode from ASD's EPL between an AUSTEO or AGAO network and another agency controlled network at the same classification.
    84506482Nov-10AAshouldUD, P, C, S, TSAgencies deploying a diode to control data flow in uni-directional gateways should monitor the volume of the data being transferred.
    84602581Sep-09AAmustUD, P, C, S, TSAgencies must have a policy governing appropriate web usage.
    84702601Sep-12AAshouldUD, P, C, S, TSAgencies should ensure all web access, including that by internal servers, is conducted through a web proxy.
    84802613Sep-12AAshouldUD, P, C, S, TSA web proxy should authenticate users and provide logging that includes the following details about websites accessed:
    • address (uniform resource locator)
    • time/date
    • user
    • amount of data uploaded and downloaded
    • internal IP address
    • external IP address.
    84912350Sep-12AAshouldUD, P, C, S, TSAgencies should restrict the installation of add-ons to only those add-ons approved by the agency.
    85002634Feb-14AAshouldUD, P, C, S, TSAgencies permitting TLS through their gateways should implement either:
    • a solution that decrypts and inspects the TLS traffic as per content filtering requirements
    • a whitelist specifying the addresses (uniform resource locators) to which encrypted connections are permitted, with all other addresses either blocked or decrypted and inspected as per content filtering requirements.
    85109964Feb-14AAshouldUD, P, C, S, TSAgencies should seek legal advice regarding the inspection of encrypted TLS traffic by their gateways.
    85209584Sep-12AAshouldUD, P, C, S, TSAgencies should implement whitelisting for all Hypertext Transfer Protocol traffic communicated through their gateways.
    85309953Sep-11AAshouldUD, P, C, S, TSAgencies using a whitelist on their gateways to specify the external addresses to which connections are permitted, should specify whitelist addresses by domain name or IP address.
    85411700Sep-11AAshouldUD, P, C, S, TSIf agencies do not whitelist websites they should implement categories for all websites and block prohibited categories and uncategorised sites.
    85509593Sep-11AAshouldUD, P, C, S, TSIf agencies do not whitelist websites they should blacklist websites to prevent access to known malicious websites.
    85609603Sep-11AAshouldUD, P, C, S, TSAgencies blacklisting websites should update the blacklist on a daily basis to ensure that it remains effective.
    85711710Sep-11AAshouldUD, P, C, S, TSAgencies should block attempts to access a website through its IP address instead of through its domain name.
    85812360Sep-12AAshouldUD, P, C, S, TSAgencies should block dynamic and other domains where domain names can be registered anonymously for free.
    85909634Sep-12AAshouldUD, P, C, S, TSAgencies should use the web proxy to filter content that is potentially harmful to hosts and users.
    86009614Sep-12AAshouldUD, P, C, S, TSAgencies should restrict client-side active content, such as Java and ActiveX to a whitelist of approved websites. This whitelist may be the same as the HTTP whitelist, or a separate active content whitelist.
    86112370Sep-12AAshouldUD, P, C, S, TSAgencies should ensure that web content filtering controls are applied to outbound web traffic where appropriate.
    86205915Sep-17AAmustUD, PA Common Criteria-evaluated KVM must be used when sharing peripherals between a combination of unclassified/DLM and PROTECTED systems.
    86305937Sep-17AAmustC, S, TSA Common Criteria-evaluated KVM must be used when sharing peripherals between a combination of systems of different security domains at the same classification (e.g. different caveats).
    86414571Sep-17AAmustP, C, S, TSA High Assurance KVM must be used when sharing peripherals between a combination of different security classifications.
    86505943Sep-12AAshouldP, C, S, TSAgencies should use a Common Criteria-evaluated product when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not accredited to process the same caveat.
    86606615Sep-17AAmustUD, P, C, S, TSAgencies must ensure that users transferring data to and from a system are held accountable through agency policies and procedures for the data they transfer.
    86706644Sep-12AAmustC, S, TSAll data transferred to a system of a lesser sensitivity or classification must be approved by a trusted source.
    86806652Nov-10AAmustC, S, TSTrusted sources must be:
    • a strictly limited list derived from business requirements and the result of a security risk assessment
    • approved by the accreditation authority.
    86906573Sep-12AAmustUD, PData imported to a system must be scanned for malicious and active content.
    87006583Sep-12AAmustC, S, TSData imported to a system must undergo:
    • scanning for malicious and active content
    • data format checks
    • logging of each event
    • monitoring to detect overuse/unusual usage patterns.
    87111870Sep-11AAmustUD, PWhen exporting data, agencies must implement protective marking checks.
    87206692Sep-12AAmustC, S, TSWhen exporting formatted textual data with no free-text fields and all fields have a predefined set of permitted values, the following activities must be undertaken:
    • protective marking checks
    • logging of each event
    • monitoring to detect overuse/unusual usage patterns
    • data format checks
    • limitations on data types
    • keyword searches
    • size limits.
    87306623Sep-12AAshouldUD, PData transfers should be performed in accordance with procedures approved by the accreditation authority.
    87406633Sep-12AAmustC, S, TSData transfers must be performed in accordance with procedures approved by the accreditation authority.
    87506781Nov-10AAmustP, C, S, TSWhen exporting data from an AUSTEO or AGAO system, the following additional activities must be undertaken:
    • ensure that keyword searches are performed on all textual data
    • ensure that any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator
    • develop procedures to prevent AUSTEO and AGAO information in both textual and non-textual formats from being exported.
    87606593Sep-12AAmustC, S, TSWhen importing data to a security domain, or through a gateway, the data must be filtered by a product designed for that purpose.
    87706513Sep-12AAmustC, S, TSAgencies must block all suspicious data and malicious and active content from entering a security domain.
    87806521Sep-12AAmustUD, P, C, S, TSAgencies must block any data identified by a content filtering process as suspicious until reviewed and approved for transfer by a trusted source other than the originator.
    87913890Feb-14AAshouldUD, P, C, S, TSEmail and web content entering a security domain should be automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour.
    88012840Sep-12AAshouldUD, PAgencies should perform validation on all data passing through a content filter, blocking content which fails the validation.
    88112850Sep-12AAmustC, S, TSAgencies must perform validation on all data passing through a content filter, blocking content which fails the validation.
    88212860Sep-12AAshouldUD, P, C, S, TSAgencies should perform content/file conversion for all ingress or egress data transiting a security domain boundary.
    88312870Sep-12AAshouldUD, P, C, S, TSAgencies should perform content/file sanitisation on suitable file types if content/file conversion is not appropriate for data transiting a security domain boundary.
    88412880Sep-12AAshouldUD, P, C, S, TSAgencies should perform antivirus scans on all content using up-to-date engines and signatures, using multiple different scanning engines.
    88512890Sep-12AAshouldUD, P, C, S, TSAgencies should extract the contents from archive/container files and subject the extracted files to content filter tests.
    88612900Sep-12AAshouldUD, P, C, S, TSAgencies should perform controlled inspection of archive/container files to ensure that content filter performance or availability is not adversely affected.
    88712910Sep-12AAshouldUD, P, C, S, TSAgencies should block files that cannot be inspected and generate an alert or notification.
    88806492Sep-12AAshouldUD, PAgencies should identify, create and enforce a whitelist of permitted content types based on business requirements and the results of a security risk assessment.
    88906502Sep-12AAmustC, S, TSAgencies must identify, create and enforce a whitelist of permitted content types based on business requirements and the results of a security risk assessment.
    89012920Sep-12AAshouldUD, P, C, S, TSAgencies should verify the integrity of content where applicable, and block the content if verification fails.
    89106773Sep-12AAmustC, S, TSIf data is signed, agencies must ensure that the signature is validated before the data is exported.
    89212930Sep-12AAshouldUD, P, C, S, TSAgencies should decrypt and inspect all encrypted content, traffic and data to allow content filtering.
    89306673Sep-12AAmustUD, P, C, S, TSAgencies must use protective marking checks to restrict the export of data out of each security domain, including through a gateway.
    89406604Sep-12AAmustC, S, TSWhen importing data to each security domain, including through a gateway, agencies must audit the complete data transfer logs at least monthly.
    89506734Sep-12AAmustC, S, TSWhen exporting data out of each security domain, including through a gateway, agencies must audit the complete data transfer logs at least monthly.
    89612940Sep-12AAshouldUD, P, C, S, TSWhen importing content to a security domain, including through a gateway, agencies should perform monthly audits of the imported content.
    89712950Sep-12AAshouldUD, P, C, S, TSWhen exporting content out of a security domain, including through a gateway, agencies should perform monthly audits of the exported content.
    89810772Sep-12AAmustP, C, S, TSAgencies must implement content filtering to prevent the export of AUSTEO and AGAO data to foreign systems, ensuring that:
    • at a minimum, keyword searches are performed on all textual data
    • any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator.
    89910820Nov-10AAmustUD, P, C, S, TSAgencies must develop a policy governing the use of mobile devices.
    90013980Apr-15AAmustUD, PAgencies must assess and document the risks of using mobile devices, including against ASD's Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD) publication.
    90111950Sep-11AAshouldUD, P, C, S, TSAgencies should use a Mobile Device Management solution to ensure their mobile device policy is applied to all mobile devices that are used with their systems.
    90206874Feb-14ASDmust notTSAgencies must not allow mobile devices to process or store TOP SECRET information unless explicitly approved by ASD to do so.
    90310831Sep-11AAmustUD, P, C, S, TSAgencies must advise personnel of the sensitivities and classifications permitted for data and voice communications when using mobile devices.
    90413990Apr-15AAshouldUDAgencies permitting personnel to access or store sensitive or official information using non-agency owned mobile devices should ensure an agency approved platform with an appropriate security configuration is used.
    90514000Apr-15AAmustPAgencies permitting personnel to access or store classified information using non-agency owned mobile devices must ensure an ASD approved platform with an appropriate security configuration in accordance with ASD's associated hardening guide for that device is used.
    90610475Apr-15AAshouldUDAgencies permitting personnel to access or store sensitive or official information using nonagency owned mobile devices should implement technical controls to enforce the separation of sensitive or official information from personal information.
    90706934Apr-15AAmustPAgencies permitting personnel to access or store classified information using non-agency owned mobile devices must implement technical controls to enforce the separation of sensitive information from personal information.
    90806943Apr-13AAmust notC, S, TSAgencies must not allow non-agency owned mobile devices to access highly classified systems.
    90901722Sep-11AAmust notTSAgencies must not permit non-agency owned mobile devices to be brought into TOP SECRET areas without prior approval from the accreditation authority.
    91012970Sep-12AAmustUD, P, C, S, TSPrior to allowing non-agency owned mobile devices to connect to an agency system, agencies must seek legal advice.
    91108692Feb-14AAshouldUD, P, C, S, TSAgencies should encrypt information on all mobile devices using at least an AACA
    91210841Sep-11AAmustUD, P, C, S, TSAgencies unable to lower the storage and physical transfer requirements of a mobile device to an unclassified level through the use of encryption must physically transfer the device as a sensitive or classified asset in a SCEC endorsed secure briefcase.
    91310851Sep-11AAmustUD, P, C, S, TSAgencies using mobile devices to communicate sensitive or classified information over public network infrastructure must use encryption approved for communicating such information over public network infrastructure.
    91411452Apr-13AAshouldC, S, TSAgencies should apply privacy filters to the screens of mobile devices.
    91506823Sep-11AAmust notC, S, TSAgencies must not enable Bluetooth functionality on mobile devices.
    91611960Sep-11AAmustUD, PAgencies must ensure mobile devices are configured to remain undiscoverable to all other Bluetooth devices except during pairing.
    91711980Sep-11AAmustUD, PAgencies must ensure Bluetooth pairing is performed so that a connection is only made to the device intended.
    91811990Sep-11AAshouldUD, PAgencies should ensure Bluetooth pairing is only performed for a device required for business needs and pairing that is no longer required is removed from the mobile device.
    91911970Sep-11AAshouldUD, PAgencies should ensure mobile devices are configured to allow only Bluetooth classes that are required.
    92012020Sep-11AAshouldUD, PAgencies should restrict the range of Bluetooth headsets to less than 10 metres by only using class 2 or class 3 devices.
    92112002Apr-13AAmustUD, PIf using Bluetooth on a mobile device, agencies must ensure both pairing devices use Bluetooth version 2.1 or later.
    92212012Apr-13AAmustUD, PIf using Bluetooth on a mobile device, agencies must ensure the device is configured to avoid supporting multiple Bluetooth headset connections.
    92308621Nov-10AAshouldUD, P, C, S, TSAgencies should control the configuration of mobile devices in the same manner as devices in the office environment.
    92408632Apr-13AAshouldUD, P, C, S, TSAgencies allowing mobile devices to access sensitive or classified information should prevent personnel from installing or uninstalling applications on a mobile device once provisioned.
    92508641Nov-10AAmustUD, P, C, S, TSAgencies must prevent personnel from disabling security functions on a mobile device once provisioned.
    92613650Feb-14AAshouldUD, P, C, S, TSAgencies should ensure their mobile carrier is able to provide security updates.
    92713660Feb-14AAshouldUD, P, C, S, TSAgencies should ensure that mobile devices are able to accept security updates from the mobile carrier as soon as they become available.
    92813670Feb-14AAshouldUD, P, C, S, TSAgencies should implement a policy enforcing compliance with an agency-defined security configuration for mobile devices.
    92908743Apr-13AAshouldUD, PAgencies should ensure that web browsing from a mobile device is through the agency's Internet gateway rather than via a direct connection to the Internet.
    93007053Feb-14AAmustUD, P, C, S, TSAgencies must disable split tunnelling on devices supporting this functionality when using an agency system via a VPN connection
    93113560Apr-13AAshould notUDAgencies should not use paging, Multimedia Message Service, Short Message Service or Instant Messaging to communicate sensitive information.
    93202404Apr-13AAmust notP, C, S, TSAgencies must not use paging, Multimedia Message Service, Short Message Service or Instant Messaging to communicate classified information.
    93307004Apr-13AAshouldUD, PAgencies should develop an emergency destruction plan for all agency owned mobile devices.
    93407012Nov-10AAmustC, S, TSAgencies must develop an emergency destruction plan for mobile devices.
    93507022Nov-10AAmustC, S, TSIf a cryptographic zeroise or sanitise function is provided for cryptographic keys on a mobile device, the function must be used as part of the emergency destruction procedures.
    93608662Sep-11AAshouldUD, P, C, S, TSAgencies should ensure personnel are aware not to access or communicate sensitive or classified information in public locations (e.g. public transport, transit lounges and coffee shops) unless extra care is taken to reduce the chance of being overheard or having the screen of the device observed.
    93708701Nov-10AAmustUD, P, C, S, TSAgencies must ensure mobile devices are carried in a secured state when not being actively used.
    93808711Nov-10AAmustUD, P, C, S, TSWhen in use mobile devices must be kept under continual direct supervision.
    93912980Sep-12AAshouldUD, P, C, S, TSAgencies should implement technical controls on mobile devices and conduct user education prior to personnel travelling overseas with a mobile device.
    94010870Nov-10AAmustUD, P, C, S, TSWhen travelling with mobile devices and media, personnel must retain control over them at all times, this includes not placing them in checked-in luggage or leaving them unattended for any period of time.
    94112990Sep-12AAshouldUD, P, C, S, TSPersonnel should take the following precautions when travelling overseas with a mobile device:
    • avoid storing authentication details or tokens and passphrases with the device
    • avoid connecting to open Wi-Fi networks
    • clear web browser after each session including history, cache, cookies, URL and temporary files
    • encrypt emails where possible
    • ensure login pages are encrypted before entering passphrases
    • avoid connecting to untrusted computers or inserting removable media.
    94210882Sep-12AAmustUD, P, C, S, TSIf personnel are requested to decrypt mobile devices for inspection by customs personnel, or their mobile device leaves their possession at any time, they must report the potential compromise of information on the device to an ITSM as soon as possible.
    94313001Sep-17AAshouldUD, P, C, S, TSAll passphrases associated with a mobile device should be changed upon returning from overseas.
    94408652Sep-11AAmustUD, P, C, S, TSAgencies must ensure that the area in which devices are used meets the requirements in the Australian Government Physical Security Management Protocol.
    94506853Sep-11AAmustUD, P, C, S, TSAgencies must ensure that when devices are not being actively used they are secured in accordance with the requirements in the Australian Government Physical Security Management Protocol.
    Built by hand back in 2016, and avaliable from http://Mouat.net.au/ism/compare/ - If you find this useful, please consider donating to fuel this project.