{"content":[{"title":"Using the Information Security Manual","type":"structure","qty_controls":0,"content":[{"title":"Executive summary","type":"section","context":"","qty_controls":0,"content":[{"title":"Purpose","type":"topic","context":"","qty_controls":0,"content":[],"reference":""},{"title":"Intended audience","type":"topic","context":"","qty_controls":0,"content":[],"reference":""},{"title":"Authority","type":"topic","context":"","qty_controls":0,"content":[],"reference":""},{"title":"Legislation and legal considerations","type":"topic","context":"","qty_controls":0,"content":[],"reference":""},{"title":"Cyber security principles","type":"topic","context":"","qty_controls":0,"content":[],"reference":""},{"title":"Cyber security guidelines","type":"topic","context":"","qty_controls":0,"content":[],"reference":""}],"reference":""},{"title":"Applying a risk-based approach to cyber security","type":"section","context":"","qty_controls":0,"content":[{"title":"Using a risk management framework","type":"topic","context":"","qty_controls":0,"content":[],"reference":""},{"title":"Define the system","type":"topic","context":"","qty_controls":0,"content":[],"reference":""},{"title":"Select controls","type":"topic","context":"","qty_controls":0,"content":[],"reference":""},{"title":"Implement controls","type":"topic","context":"","qty_controls":0,"content":[],"reference":""},{"title":"Assess controls","type":"topic","context":"","qty_controls":0,"content":[],"reference":""},{"title":"Authorise the system","type":"topic","context":"","qty_controls":0,"content":[],"reference":""},{"title":"Monitor the system","type":"topic","context":"","qty_controls":0,"content":[],"reference":""},{"title":"Further information","type":"topic","context":"","qty_controls":0,"content":[],"reference":""}],"reference":""}],"reference":""},{"title":"Cyber Security Principles","type":"structure","qty_controls":24,"content":[{"title":"The cyber security 
principles","type":"section","context":"","qty_controls":24,"content":[{"title":"Govern principles","type":"topic","context":"","qty_controls":5,"content":[{"index":"G1.0","name":"ISM-PRINCIPLE-G1","id":"G1","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A Chief Information Security Officer provides leadership and oversight of cyber security.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A Chief Information Security Officer provides leadership and oversight of cyber security.[\/p]"},{"index":"G2.0","name":"ISM-PRINCIPLE-G2","id":"G2","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The identity and value of systems, applications and data is determined and documented.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The identity and value of systems, applications and data is determined and documented.[\/p]"},{"index":"G3.0","name":"ISM-PRINCIPLE-G3","id":"G3","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The confidentiality, integrity and availability requirements for systems, applications and data are determined and documented.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The confidentiality, integrity and availability requirements for systems, applications and data are determined and documented.[\/p]"},{"index":"G4.0","name":"ISM-PRINCIPLE-G4","id":"G4","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Security risk management processes are embedded into organisational risk management frameworks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Security risk management processes are embedded into organisational risk management frameworks.[\/p]"},{"index":"G5.0","name":"ISM-PRINCIPLE-G5","id":"G5","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Security risks are identified, documented, managed and accepted both before systems and applications are authorised for use, and continuously throughout their operational life.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Security risks are identified, documented, managed and accepted both before systems and applications are authorised for use, and continuously throughout their operational life.[\/p]"}],"reference":""},{"title":"Protect principles","type":"topic","context":"","qty_controls":14,"content":[{"index":"P1.0","name":"ISM-PRINCIPLE-P1","id":"P1","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Systems and applications are designed, deployed, maintained and decommissioned according to their value and their confidentiality, integrity and availability requirements.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Systems and applications are designed, deployed, maintained and decommissioned according to their value and their confidentiality, integrity and availability requirements.[\/p]"},{"index":"P2.0","name":"ISM-PRINCIPLE-P2","id":"P2","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Systems and applications are delivered and supported by trusted suppliers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Systems and applications are delivered and supported by trusted suppliers.[\/p]"},{"index":"P3.0","name":"ISM-PRINCIPLE-P3","id":"P3","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Systems and applications are designed and configured to reduce their attack surface.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Systems and applications are designed and configured to reduce their attack surface.[\/p]"},{"index":"P4.0","name":"ISM-PRINCIPLE-P4","id":"P4","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Systems and applications are administered in a secure and accountable manner.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Systems and applications are administered in a secure and accountable manner.[\/p]"},{"index":"P5.0","name":"ISM-PRINCIPLE-P5","id":"P5","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Vulnerabilities in systems and applications are identified and mitigated in a timely manner.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Vulnerabilities in systems and applications are identified and mitigated in a timely manner.[\/p]"},{"index":"P6.0","name":"ISM-PRINCIPLE-P6","id":"P6","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Only trusted and supported operating systems, applications and computer code can execute on systems.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Only trusted and supported operating systems, applications and computer code can execute on systems.[\/p]"},{"index":"P7.0","name":"ISM-PRINCIPLE-P7","id":"P7","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Data is encrypted at rest and in transit between different systems.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Data is encrypted at rest and in transit between different systems.[\/p]"},{"index":"P8.0","name":"ISM-PRINCIPLE-P8","id":"P8","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Data communicated between different systems is controlled and inspectable.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Data communicated between different systems is controlled and inspectable.[\/p]"},{"index":"P9.0","name":"ISM-PRINCIPLE-P9","id":"P9","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Data, applications and settings are backed up in a secure and proven manner on a regular basis.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Data, applications and settings are backed up in a secure and proven manner on a regular basis.[\/p]"},{"index":"P10.0","name":"ISM-PRINCIPLE-P10","id":"P10","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Only trusted and vetted personnel are granted access to systems, applications and data repositories.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Only trusted and vetted personnel are granted access to systems, applications and data repositories.[\/p]"},{"index":"P11.0","name":"ISM-PRINCIPLE-P11","id":"P11","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel are granted the minimum access to systems, applications and data repositories required for their duties.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel are granted the minimum access to systems, applications and data repositories required for their duties.[\/p]"},{"index":"P12.0","name":"ISM-PRINCIPLE-P12","id":"P12","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multiple methods are used to identify and authenticate personnel to systems, applications and data repositories.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multiple methods are used to identify and authenticate personnel to systems, applications and data repositories.[\/p]"},{"index":"P13.0","name":"ISM-PRINCIPLE-P13","id":"P13","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel are provided with ongoing cyber security awareness training.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel are provided with ongoing cyber security awareness 
training.[\/p]"},{"index":"P14.0","name":"ISM-PRINCIPLE-P14","id":"P14","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Physical access to systems, supporting infrastructure and facilities is restricted to authorised personnel.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Physical access to systems, supporting infrastructure and facilities is restricted to authorised personnel.[\/p]"}],"reference":""},{"title":"Detect principles","type":"topic","context":"","qty_controls":2,"content":[{"index":"D1.0","name":"ISM-PRINCIPLE-D1","id":"D1","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Event logs are collected and analysed in a timely manner to detect cyber security events.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Event logs are collected and analysed in a timely manner to detect cyber security events.[\/p]"},{"index":"D2.0","name":"ISM-PRINCIPLE-D2","id":"D2","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cyber security events are analysed in a timely manner to identify cyber security incidents.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cyber security events are analysed in a timely manner to identify cyber security incidents.[\/p]"}],"reference":""},{"title":"Respond principles","type":"topic","context":"","qty_controls":3,"content":[{"index":"R1.0","name":"ISM-PRINCIPLE-R1","id":"R1","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cyber security incidents are reported both internally and externally to relevant bodies in a timely manner.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cyber security incidents are reported both internally and externally to relevant bodies in a timely manner.[\/p]"},{"index":"R2.0","name":"ISM-PRINCIPLE-R2","id":"R2","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cyber security incidents are contained, eradicated and recovered from in a timely manner.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cyber security incidents are contained, eradicated and recovered from in a timely manner.[\/p]"},{"index":"R3.0","name":"ISM-PRINCIPLE-R3","id":"R3","revision":0,"updated":"","timestamp":"","authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Business continuity and disaster recovery plans are enacted when required.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Business continuity and disaster recovery plans are enacted when required.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Cyber Security Roles","type":"guideline","qty_controls":24,"content":[{"title":"Chief Information Security Officer","type":"section","context":"","qty_controls":15,"content":[{"title":"Providing cyber security leadership and guidance","type":"topic","context":"","qty_controls":1,"content":[{"index":"0714.5","name":"ISM-0714","id":"0714","revision":5,"updated":"Oct-20","timestamp":1603680943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]A CISO is appointed to provide cyber security leadership and guidance for their organisation.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A CISO is appointed to provide cyber security leadership and guidance for their organisation.[\/p]"}],"reference":""},{"title":"Overseeing the cyber security program","type":"topic","context":"","qty_controls":3,"content":[{"index":"1478.1","name":"ISM-1478","id":"1478","revision":1,"updated":"Oct-20","timestamp":1603680943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The CISO oversees their organisation\u2019s cyber security program and ensures their organisation\u2019s compliance with cyber security policy, standards, regulations and legislation.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The CISO oversees their organisation\u2019s cyber security program and ensures their organisation\u2019s compliance with cyber security policy, standards, regulations and legislation.[\/p]"},{"index":"1617.0","name":"ISM-1617","id":"1617","revision":0,"updated":"Oct-20","timestamp":1603680943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The CISO regularly reviews and updates their organisation\u2019s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The CISO regularly reviews and updates their organisation\u2019s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security 
opportunities.[\/p]"},{"index":"0724.2","name":"ISM-0724","id":"0724","revision":2,"updated":"Oct-20","timestamp":1603680943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The CISO implements cyber security measurement metrics and key performance indicators for their organisation.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The CISO implements cyber security measurement metrics and key performance indicators for their organisation.[\/p]"}],"reference":""},{"title":"Coordinating cyber security","type":"topic","context":"","qty_controls":2,"content":[{"index":"0725.3","name":"ISM-0725","id":"0725","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key cyber security and business executives, which meets formally and on a regular basis.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key cyber security and business executives, which meets formally and on a regular basis.[\/p]"},{"index":"0726.2","name":"ISM-0726","id":"0726","revision":2,"updated":"Oct-20","timestamp":1603680943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The CISO coordinates security risk management activities between cyber security and business teams.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The CISO coordinates security risk management activities between cyber security and 
business teams.[\/p]"}],"reference":""},{"title":"Reporting on cyber security","type":"topic","context":"","qty_controls":1,"content":[{"index":"0718.3","name":"ISM-0718","id":"0718","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The CISO reports directly to their organisation\u2019s senior executive or Board on cyber security matters.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The CISO reports directly to their organisation\u2019s senior executive or Board on cyber security matters.[\/p]"}],"reference":""},{"title":"Overseeing cyber security incident response activities","type":"topic","context":"","qty_controls":2,"content":[{"index":"0733.2","name":"ISM-0733","id":"0733","revision":2,"updated":"Oct-20","timestamp":1603680943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The CISO is fully aware of all cyber security incidents within their organisation.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The CISO is fully aware of all cyber security incidents within their organisation.[\/p]"},{"index":"1618.0","name":"ISM-1618","id":"1618","revision":0,"updated":"Oct-20","timestamp":1603680943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The CISO oversees their organisation\u2019s response to cyber security incidents.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The CISO oversees their organisation\u2019s response to cyber security incidents.[\/p]"}],"reference":""},{"title":"Contributing to business continuity and disaster recovery 
planning","type":"topic","context":"","qty_controls":1,"content":[{"index":"0734.4","name":"ISM-0734","id":"0734","revision":4,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The CISO contributes to the development, implementation and maintenance of business continuity and disaster recovery plans for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The CISO contributes to the development, implementation and maintenance of business continuity and disaster recovery plans for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster.[\/p]"}],"reference":""},{"title":"Communicating a cyber security vision and strategy","type":"topic","context":"","qty_controls":1,"content":[{"index":"0720.3","name":"ISM-0720","id":"0720","revision":3,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The CISO oversees the development, implementation and maintenance of a cyber security communications strategy to assist in communicating the cyber security vision and strategy for their organisation.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The CISO oversees the development, implementation and maintenance of a cyber security communications strategy to assist in communicating the cyber security vision and strategy for their organisation.[\/p]"}],"reference":""},{"title":"Working with 
suppliers","type":"topic","context":"","qty_controls":1,"content":[{"index":"0731.2","name":"ISM-0731","id":"0731","revision":2,"updated":"Oct-20","timestamp":1603680943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The CISO oversees cyber supply chain risk management activities for their organisation.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The CISO oversees cyber supply chain risk management activities for their organisation.[\/p]"}],"reference":""},{"title":"Receiving and managing a dedicated cyber security budget","type":"topic","context":"","qty_controls":1,"content":[{"index":"0732.2","name":"ISM-0732","id":"0732","revision":2,"updated":"Oct-20","timestamp":1603680943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The CISO receives and manages a dedicated cyber security budget for their organisation.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The CISO receives and manages a dedicated cyber security budget for their organisation.[\/p]"}],"reference":""},{"title":"Overseeing cyber security personnel","type":"topic","context":"","qty_controls":1,"content":[{"index":"0717.2","name":"ISM-0717","id":"0717","revision":2,"updated":"Oct-20","timestamp":1603680943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The CISO oversees the management of cyber security personnel within their organisation.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The CISO oversees the management of cyber security personnel within their organisation.[\/p]"}],"reference":""},{"title":"Overseeing cyber security awareness 
raising","type":"topic","context":"","qty_controls":1,"content":[{"index":"0735.3","name":"ISM-0735","id":"0735","revision":3,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The CISO oversees the development, implementation and maintenance of their organisation\u2019s cyber security awareness training program.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The CISO oversees the development, implementation and maintenance of their organisation\u2019s cyber security awareness training program.[\/p]"}],"reference":""}],"reference":""},{"title":"System owners","type":"section","context":"","qty_controls":9,"content":[{"title":"System ownership and oversight","type":"topic","context":"","qty_controls":2,"content":[{"index":"1071.1","name":"ISM-1071","id":"1071","revision":1,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Each system has a designated system owner.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Each system has a designated system owner.[\/p]"},{"index":"1525.1","name":"ISM-1525","id":"1525","revision":1,"updated":"Jan-21","timestamp":1611629743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System owners register each system with its authorising officer.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]System owners register each system with its authorising officer.[\/p]"}],"reference":""},{"title":"Protecting systems and their 
resources","type":"topic","context":"","qty_controls":6,"content":[{"index":"1633.0","name":"ISM-1633","id":"1633","revision":0,"updated":"Jan-21","timestamp":1611629743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised.[\/p]"},{"index":"1634.1","name":"ISM-1634","id":"1634","revision":1,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System owners select controls for each system and tailor them to achieve desired security objectives.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]System owners select controls for each system and tailor them to achieve desired security objectives.[\/p]"},{"index":"1635.2","name":"ISM-1635","id":"1635","revision":2,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System owners implement controls for each system and its operating environment.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]System owners implement controls for each system and its operating environment.[\/p]"},{"index":"1636.1","name":"ISM-1636","id":"1636","revision":1,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]System owners ensure controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]System owners ensure controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended.[\/p]"},{"index":"0027.4","name":"ISM-0027","id":"0027","revision":4,"updated":"Jan-21","timestamp":1611629743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation.[\/p]"},{"index":"1526.2","name":"ISM-1526","id":"1526","revision":2,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System owners monitor each system, and associated cyber threats, security risks and controls, on an ongoing basis.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]System owners monitor each system, and associated cyber threats, security risks and controls, on an ongoing basis.[\/p]"}],"reference":""},{"title":"Annual reporting of system security status","type":"topic","context":"","qty_controls":1,"content":[{"index":"1587.0","name":"ISM-1587","id":"1587","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System owners report the security status of each system to its authorising officer at least annually.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]System owners report the security status of each system to its authorising officer at least annually.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Cyber Security Incidents","type":"guideline","qty_controls":20,"content":[{"title":"Managing cyber security incidents","type":"section","context":"","qty_controls":11,"content":[{"title":"Cyber security incident management policy","type":"topic","context":"","qty_controls":2,"content":[{"index":"0576.10","name":"ISM-0576","id":"0576","revision":10,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A cyber security incident management policy, and associated cyber security incident response plan, is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A cyber security incident management policy, and associated cyber security incident response plan, is developed, implemented and maintained.[\/p]"},{"index":"1784.1","name":"ISM-1784","id":"1784","revision":1,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The cyber security incident management policy, including the associated cyber security incident response plan, is exercised at least annually.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The cyber security incident management policy, including the associated cyber security incident response plan, is exercised at least 
annually.[\/p]"}],"reference":""},{"title":"Cyber security incident register","type":"topic","context":"","qty_controls":2,"content":[{"index":"0125.6","name":"ISM-0125","id":"0125","revision":6,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A cyber security incident register is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A cyber security incident register is developed, implemented and maintained.[\/p]"},{"index":"1803.0","name":"ISM-1803","id":"1803","revision":0,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A cyber security incident register contains the following for each cyber security incident:[\/p][ul][li]the date the cyber security incident occurred[\/li][li]the date the cyber security incident was discovered[\/li][li]a description of the cyber security incident[\/li][li]any actions taken in response to the cyber security incident[\/li][li]to whom the cyber security incident was reported.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A cyber security incident register contains the following for each cyber security incident:[\/p][ul][li]the date the cyber security incident occurred[\/li][li]the date the cyber security incident was discovered[\/li][li]a description of the cyber security incident[\/li][li]any actions taken in response to the cyber security incident[\/li][li]to whom the cyber security incident was reported.[\/li][\/p]"}],"reference":""},{"title":"Trusted insider 
program","type":"topic","context":"","qty_controls":2,"content":[{"index":"1625.1","name":"ISM-1625","id":"1625","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A trusted insider program is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A trusted insider program is developed, implemented and maintained.[\/p]"},{"index":"1626.0","name":"ISM-1626","id":"1626","revision":0,"updated":"Nov-20","timestamp":1606359343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Legal advice is sought regarding the development and implementation of a trusted insider program.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Legal advice is sought regarding the development and implementation of a trusted insider program.[\/p]"}],"reference":""},{"title":"Access to sufficient data sources and tools","type":"topic","context":"","qty_controls":1,"content":[{"index":"0120.5","name":"ISM-0120","id":"0120","revision":5,"updated":"May-20","timestamp":1590465343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise.[\/p]"}],"reference":""},{"title":"Reporting cyber security 
incidents","type":"topic","context":"","qty_controls":1,"content":[{"index":"0123.4","name":"ISM-0123","id":"0123","revision":4,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.[\/p]"}],"reference":""},{"title":"Reporting cyber security incidents to ASD","type":"topic","context":"","qty_controls":1,"content":[{"index":"0140.8","name":"ISM-0140","id":"0140","revision":8,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.[\/p]"}],"reference":""},{"title":"Reporting cyber security incidents to customers and the public","type":"topic","context":"","qty_controls":2,"content":[{"index":"1880.0","name":"ISM-1880","id":"1880","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cyber security incidents that involve customer data are reported to customers and the public in a timely manner after they occur or are discovered.[\/p]","classificationString":"O, 
OS, P, S, TS","content":"[p]Cyber security incidents that involve customer data are reported to customers and the public in a timely manner after they occur or are discovered.[\/p]"},{"index":"1881.0","name":"ISM-1881","id":"1881","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cyber security incidents that do not involve customer data are reported to customers and the public in a timely manner after they occur or are discovered.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cyber security incidents that do not involve customer data are reported to customers and the public in a timely manner after they occur or are discovered.[\/p]"}],"reference":""}],"reference":""},{"title":"Responding to cyber security incidents","type":"section","context":"","qty_controls":9,"content":[{"title":"Enacting cyber security incident response plans","type":"topic","context":"","qty_controls":1,"content":[{"index":"1819.2","name":"ISM-1819","id":"1819","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Following the identification of a cyber security incident, the cyber security incident response plan is enacted.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Following the identification of a cyber security incident, the cyber security incident response plan is enacted.[\/p]"}],"reference":""},{"title":"Handling and containing data spills","type":"topic","context":"","qty_controls":1,"content":[{"index":"0133.2","name":"ISM-0133","id":"0133","revision":2,"updated":"Jun-21","timestamp":1624679743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]When a data spill occurs, data owners are advised and access to the data is restricted.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When a data spill occurs, data owners are advised and access to the data is restricted.[\/p]"}],"reference":""},{"title":"Handling and containing malicious code infections","type":"topic","context":"","qty_controls":1,"content":[{"index":"0917.7","name":"ISM-0917","id":"0917","revision":7,"updated":"Oct-19","timestamp":1572058543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When malicious code is detected, the following steps are taken to handle the infection:[\/p][ul][li]the infected systems are isolated[\/li][li]all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary[\/li][li]antivirus software is used to remove the infection from infected systems and media[\/li][li]if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When malicious code is detected, the following steps are taken to handle the infection:[\/p][ul][li]the infected systems are isolated[\/li][li]all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary[\/li][li]antivirus software is used to remove the infection from infected systems and media[\/li][li]if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt.[\/li][\/p]"}],"reference":""},{"title":"Handling and containing 
intrusions","type":"topic","context":"","qty_controls":5,"content":[{"index":"0137.4","name":"ISM-0137","id":"0137","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Legal advice is sought before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Legal advice is sought before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence.[\/p]"},{"index":"1609.2","name":"ISM-1609","id":"1609","revision":2,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System owners are consulted before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]System owners are consulted before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence.[\/p]"},{"index":"1731.0","name":"ISM-1731","id":"1731","revision":0,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Planning and coordination of intrusion remediation activities are conducted on a separate system to that which has been compromised.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Planning and coordination of intrusion remediation activities are conducted on a separate system to that which has been 
compromised.[\/p]"},{"index":"1732.0","name":"ISM-1732","id":"1732","revision":0,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]To the extent possible, all intrusion remediation activities are conducted in a coordinated manner during the same planned outage.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]To the extent possible, all intrusion remediation activities are conducted in a coordinated manner during the same planned outage.[\/p]"},{"index":"1213.3","name":"ISM-1213","id":"1213","revision":3,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Following intrusion remediation activities, full network traffic is captured for at least seven days and analysed to determine whether malicious actors have been successfully removed from the system.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Following intrusion remediation activities, full network traffic is captured for at least seven days and analysed to determine whether malicious actors have been successfully removed from the system.[\/p]"}],"reference":""},{"title":"Maintaining the integrity of evidence","type":"topic","context":"","qty_controls":1,"content":[{"index":"0138.5","name":"ISM-0138","id":"0138","revision":5,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The integrity of evidence gathered during an investigation is maintained by investigators:[\/p][ul][li]recording all of their actions[\/li][li]maintaining a proper chain of custody[\/li][li]following all instructions provided by relevant law 
enforcement agencies.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The integrity of evidence gathered during an investigation is maintained by investigators:[\/p][ul][li]recording all of their actions[\/li][li]maintaining a proper chain of custody[\/li][li]following all instructions provided by relevant law enforcement agencies.[\/li][\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Procurement and Outsourcing","type":"guideline","qty_controls":36,"content":[{"title":"Cyber supply chain risk management","type":"section","context":"","qty_controls":15,"content":[{"title":"Cyber supply chain risk management activities","type":"topic","context":"","qty_controls":7,"content":[{"index":"1631.2","name":"ISM-1631","id":"1631","revision":2,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Suppliers of applications, ICT equipment and services associated with systems are identified.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Suppliers of applications, ICT equipment and services associated with systems are identified.[\/p]"},{"index":"1452.4","name":"ISM-1452","id":"1452","revision":4,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A supply chain risk assessment is performed for suppliers of applications, ICT equipment and services in order to assess the impact to a system\u2019s security risk profile.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A supply chain risk assessment is performed for suppliers of applications, ICT equipment and services in order to assess the impact to a system\u2019s security risk 
profile.[\/p]"},{"index":"1567.2","name":"ISM-1567","id":"1567","revision":2,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Suppliers identified as high risk by a cyber supply chain risk assessment are not used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Suppliers identified as high risk by a cyber supply chain risk assessment are not used.[\/p]"},{"index":"1568.4","name":"ISM-1568","id":"1568","revision":4,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Applications, ICT equipment and services are chosen from suppliers that have demonstrated a commitment to the security of their products and services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Applications, ICT equipment and services are chosen from suppliers that have demonstrated a commitment to the security of their products and services.[\/p]"},{"index":"1882.0","name":"ISM-1882","id":"1882","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Applications, ICT equipment and services are chosen from suppliers that have demonstrated a commitment to transparency for their products and services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Applications, ICT equipment and services are chosen from suppliers that have demonstrated a commitment to transparency for their products and services.[\/p]"},{"index":"1632.3","name":"ISM-1632","id":"1632","revision":3,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Applications, ICT equipment and services are chosen from suppliers that have a strong track record of maintaining the security of their own systems and cyber supply chains.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Applications, ICT equipment and services are chosen from suppliers that have a strong track record of maintaining the security of their own systems and cyber supply chains.[\/p]"},{"index":"1569.2","name":"ISM-1569","id":"1569","revision":2,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A shared responsibility model is created, documented and shared between suppliers and their customers in order to articulate the security responsibilities of each party.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A shared responsibility model is created, documented and shared between suppliers and their customers in order to articulate the security responsibilities of each party.[\/p]"}],"reference":""},{"title":"Supplier relationship management","type":"topic","context":"","qty_controls":2,"content":[{"index":"1785.1","name":"ISM-1785","id":"1785","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A supplier relationship management policy is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A supplier relationship management policy is developed, implemented and maintained.[\/p]"},{"index":"1786.1","name":"ISM-1786","id":"1786","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]An approved supplier list is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]An approved supplier list is developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Sourcing applications, ICT equipment and services","type":"topic","context":"","qty_controls":3,"content":[{"index":"1787.1","name":"ISM-1787","id":"1787","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Applications, ICT equipment and services are sourced from approved suppliers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Applications, ICT equipment and services are sourced from approved suppliers.[\/p]"},{"index":"1788.1","name":"ISM-1788","id":"1788","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multiple potential suppliers are identified for sourcing critical applications, ICT equipment and services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multiple potential suppliers are identified for sourcing critical applications, ICT equipment and services.[\/p]"},{"index":"1789.1","name":"ISM-1789","id":"1789","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Sufficient spares of critical ICT equipment are sourced and kept in reserve.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Sufficient spares of critical ICT equipment are sourced and kept in 
reserve.[\/p]"}],"reference":""},{"title":"Delivery of applications, ICT equipment and services","type":"topic","context":"","qty_controls":3,"content":[{"index":"1790.0","name":"ISM-1790","id":"1790","revision":0,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Applications, ICT equipment and services are delivered in a manner that maintains their integrity.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Applications, ICT equipment and services are delivered in a manner that maintains their integrity.[\/p]"},{"index":"1791.0","name":"ISM-1791","id":"1791","revision":0,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The integrity of applications, ICT equipment and services are assessed as part of acceptance of products and services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The integrity of applications, ICT equipment and services are assessed as part of acceptance of products and services.[\/p]"},{"index":"1792.0","name":"ISM-1792","id":"1792","revision":0,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The authenticity of applications, ICT equipment and services are assessed as part of acceptance of products and services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The authenticity of applications, ICT equipment and services are assessed as part of acceptance of products and services.[\/p]"}],"reference":""}],"reference":""},{"title":"Managed services and cloud 
services","type":"section","context":"","qty_controls":21,"content":[{"title":"Managed services","type":"topic","context":"","qty_controls":2,"content":[{"index":"1736.1","name":"ISM-1736","id":"1736","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A managed service register is developed, implemented, maintained and verified on a regular basis.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A managed service register is developed, implemented, maintained and verified on a regular basis.[\/p]"},{"index":"1737.1","name":"ISM-1737","id":"1737","revision":1,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A managed service register contains the following for each managed service:[\/p][ul][li]managed service provider\u2019s name[\/li][li]managed service\u2019s name[\/li][li]purpose for using the managed service[\/li][li]sensitivity or classification of data involved[\/li][li]due date for the next security assessment of the managed service[\/li][li]contractual arrangements for the managed service[\/li][li]point of contact for users of the managed service[\/li][li]24\/7 contact details for the managed service provider.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A managed service register contains the following for each managed service:[\/p][ul][li]managed service provider\u2019s name[\/li][li]managed service\u2019s name[\/li][li]purpose for using the managed service[\/li][li]sensitivity or classification of data involved[\/li][li]due date for the next security assessment of the managed service[\/li][li]contractual arrangements for the managed service[\/li][li]point of contact for users of the managed 
service[\/li][li]24\/7 contact details for the managed service provider.[\/li][\/p]"}],"reference":""},{"title":"Assessment of managed service providers","type":"topic","context":"","qty_controls":1,"content":[{"index":"1793.0","name":"ISM-1793","id":"1793","revision":0,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Managed service providers and their managed services undergo a security assessment by an IRAP assessor at least every 24 months.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Managed service providers and their managed services undergo a security assessment by an IRAP assessor at least every 24 months.[\/p]"}],"reference":""},{"title":"Outsourced cloud services","type":"topic","context":"","qty_controls":3,"content":[{"index":"1637.2","name":"ISM-1637","id":"1637","revision":2,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]An outsourced cloud service register is developed, implemented, maintained and verified on a regular basis.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]An outsourced cloud service register is developed, implemented, maintained and verified on a regular basis.[\/p]"},{"index":"1638.3","name":"ISM-1638","id":"1638","revision":3,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]An outsourced cloud service register contains the following for each outsourced cloud service:[\/p][ul][li]cloud service provider\u2019s name[\/li][li]cloud service\u2019s name[\/li][li]purpose for using the cloud service[\/li][li]sensitivity or 
classification of data involved[\/li][li]due date for the next security assessment of the cloud service[\/li][li]contractual arrangements for the cloud service[\/li][li]point of contact for users of the cloud service[\/li][li]24\/7 contact details for the cloud service provider.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]An outsourced cloud service register contains the following for each outsourced cloud service:[\/p][ul][li]cloud service provider\u2019s name[\/li][li]cloud service\u2019s name[\/li][li]purpose for using the cloud service[\/li][li]sensitivity or classification of data involved[\/li][li]due date for the next security assessment of the cloud service[\/li][li]contractual arrangements for the cloud service[\/li][li]point of contact for users of the cloud service[\/li][li]24\/7 contact details for the cloud service provider.[\/li][\/p]"},{"index":"1529.2","name":"ISM-1529","id":"1529","revision":2,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Only community or private clouds are used for outsourced SECRET and TOP SECRET cloud services.[\/p]","classificationString":"S, TS","content":"[p]Only community or private clouds are used for outsourced SECRET and TOP SECRET cloud services.[\/p]"}],"reference":""},{"title":"Assessment of outsourced cloud service providers","type":"topic","context":"","qty_controls":1,"content":[{"index":"1570.1","name":"ISM-1570","id":"1570","revision":1,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Outsourced cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Outsourced cloud service providers and their cloud 
services undergo a security assessment by an IRAP assessor at least every 24 months.[\/p]"}],"reference":""},{"title":"Contractual security requirements with service providers","type":"topic","context":"","qty_controls":12,"content":[{"index":"1395.7","name":"ISM-1395","id":"1395","revision":7,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Service providers, including any subcontractors, provide an appropriate level of protection for any data entrusted to them or their services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Service providers, including any subcontractors, provide an appropriate level of protection for any data entrusted to them or their services.[\/p]"},{"index":"0072.9","name":"ISM-0072","id":"0072","revision":9,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Security requirements associated with the confidentiality, integrity and availability of data are documented in contractual arrangements with service providers and reviewed on a regular and ongoing basis to ensure they remain fit for purpose.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Security requirements associated with the confidentiality, integrity and availability of data are documented in contractual arrangements with service providers and reviewed on a regular and ongoing basis to ensure they remain fit for purpose.[\/p]"},{"index":"1571.3","name":"ISM-1571","id":"1571","revision":3,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The right to verify compliance with security 
requirements is documented in contractual arrangements with service providers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The right to verify compliance with security requirements is documented in contractual arrangements with service providers.[\/p]"},{"index":"1738.1","name":"ISM-1738","id":"1738","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The right to verify compliance with security requirements documented in contractual arrangements with service providers is exercised on a regular and ongoing basis.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The right to verify compliance with security requirements documented in contractual arrangements with service providers is exercised on a regular and ongoing basis.[\/p]"},{"index":"1804.0","name":"ISM-1804","id":"1804","revision":0,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Break clauses associated with failure to meet security requirements are documented in contractual arrangements with service providers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Break clauses associated with failure to meet security requirements are documented in contractual arrangements with service providers.[\/p]"},{"index":"0141.7","name":"ISM-0141","id":"0141","revision":7,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The requirement for service providers to report cyber security incidents to a designated point of contact as soon as possible after they occur or are discovered is documented in 
contractual arrangements with service providers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The requirement for service providers to report cyber security incidents to a designated point of contact as soon as possible after they occur or are discovered is documented in contractual arrangements with service providers.[\/p]"},{"index":"1794.1","name":"ISM-1794","id":"1794","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A minimum notification period of one month by service providers for significant changes to their own service provider arrangements is documented in contractual arrangements with service providers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A minimum notification period of one month by service providers for significant changes to their own service provider arrangements is documented in contractual arrangements with service providers.[\/p]"},{"index":"1451.4","name":"ISM-1451","id":"1451","revision":4,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Types of data and its ownership is documented in contractual arrangements with service providers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Types of data and its ownership is documented in contractual arrangements with service providers.[\/p]"},{"index":"1572.3","name":"ISM-1572","id":"1572","revision":3,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The regions or availability zones where data will be processed, stored and communicated, as well as a minimum 
notification period for any configuration changes, is documented in contractual arrangements with service providers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The regions or availability zones where data will be processed, stored and communicated, as well as a minimum notification period for any configuration changes, is documented in contractual arrangements with service providers.[\/p]"},{"index":"1573.3","name":"ISM-1573","id":"1573","revision":3,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Access to all logs relating to an organisation\u2019s data and services is documented in contractual arrangements with service providers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Access to all logs relating to an organisation\u2019s data and services is documented in contractual arrangements with service providers.[\/p]"},{"index":"1574.3","name":"ISM-1574","id":"1574","revision":3,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The storage of data in a portable manner that allows for backups, service migration and service decommissioning without any loss of data is documented in contractual arrangements with service providers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The storage of data in a portable manner that allows for backups, service migration and service decommissioning without any loss of data is documented in contractual arrangements with service providers.[\/p]"},{"index":"1575.1","name":"ISM-1575","id":"1575","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements with service providers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements with service providers.[\/p]"}],"reference":""},{"title":"Access to systems and data by service providers","type":"topic","context":"","qty_controls":2,"content":[{"index":"1073.5","name":"ISM-1073","id":"1073","revision":5,"updated":"Jun-21","timestamp":1624679743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]An organisation\u2019s systems and data are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]An organisation\u2019s systems and data are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so.[\/p]"},{"index":"1576.2","name":"ISM-1576","id":"1576","revision":2,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]If an organisation\u2019s systems or data are accessed or administered by a service provider in an unauthorised manner, the organisation is immediately notified.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]If an organisation\u2019s systems or data are accessed or administered by a service provider in an unauthorised manner, the organisation is immediately 
notified.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Security Documentation","type":"guideline","qty_controls":10,"content":[{"title":"Development and maintenance of security documentation","type":"section","context":"","qty_controls":5,"content":[{"title":"Cyber security strategy","type":"topic","context":"","qty_controls":1,"content":[{"index":"0039.6","name":"ISM-0039","id":"0039","revision":6,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A cyber security strategy is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A cyber security strategy is developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Approval of security documentation","type":"topic","context":"","qty_controls":2,"content":[{"index":"0047.4","name":"ISM-0047","id":"0047","revision":4,"updated":"May-19","timestamp":1558842943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system\u2019s authorising officer.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system\u2019s authorising officer.[\/p]"},{"index":"1739.0","name":"ISM-1739","id":"1739","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A system\u2019s security 
architecture is approved prior to the development of the system.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A system\u2019s security architecture is approved prior to the development of the system.[\/p]"}],"reference":""},{"title":"Maintenance of security documentation","type":"topic","context":"","qty_controls":1,"content":[{"index":"0888.5","name":"ISM-0888","id":"0888","revision":5,"updated":"May-19","timestamp":1558842943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Security documentation is reviewed at least annually and includes a \u2018current as at [date]\u2019 or equivalent statement.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Security documentation is reviewed at least annually and includes a \u2018current as at [date]\u2019 or equivalent statement.[\/p]"}],"reference":""},{"title":"Communication of security documentation","type":"topic","context":"","qty_controls":1,"content":[{"index":"1602.0","name":"ISM-1602","id":"1602","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Security documentation, including notification of subsequent changes, is communicated to all stakeholders.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Security documentation, including notification of subsequent changes, is communicated to all stakeholders.[\/p]"}],"reference":""}],"reference":""},{"title":"System-specific security documentation","type":"section","context":"","qty_controls":5,"content":[{"title":"System security 
plan","type":"topic","context":"","qty_controls":1,"content":[{"index":"0041.5","name":"ISM-0041","id":"0041","revision":5,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Systems have a system security plan that includes a description of the system and an annex that covers both applicable controls from this document and any additional controls that have been identified.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Systems have a system security plan that includes a description of the system and an annex that covers both applicable controls from this document and any additional controls that have been identified.[\/p]"}],"reference":""},{"title":"Cyber security incident response plan","type":"topic","context":"","qty_controls":1,"content":[{"index":"0043.5","name":"ISM-0043","id":"0043","revision":5,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Systems have a cyber security incident response plan that covers the following:[\/p][ul][li]guidelines on what constitutes a cyber security incident[\/li][li]the types of cyber security incidents likely to be encountered and the expected response to each type[\/li][li]how to report cyber security incidents, internally to an organisation and externally to relevant authorities[\/li][li]other parties which need to be informed in the event of a cyber security incident[\/li][li]the authority, or authorities, responsible for investigating and responding to cyber security incidents[\/li][li]the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the Australian Signals Directorate or other relevant authority[\/li][li]the steps necessary to 
ensure the integrity of evidence relating to a cyber security incident[\/li][li]system contingency measures or a reference to such details if they are located in a separate document.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Systems have a cyber security incident response plan that covers the following:[\/p][ul][li]guidelines on what constitutes a cyber security incident[\/li][li]the types of cyber security incidents likely to be encountered and the expected response to each type[\/li][li]how to report cyber security incidents, internally to an organisation and externally to relevant authorities[\/li][li]other parties which need to be informed in the event of a cyber security incident[\/li][li]the authority, or authorities, responsible for investigating and responding to cyber security incidents[\/li][li]the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the Australian Signals Directorate or other relevant authority[\/li][li]the steps necessary to ensure the integrity of evidence relating to a cyber security incident[\/li][li]system contingency measures or a reference to such details if they are located in a separate document.[\/li][\/p]"}],"reference":""},{"title":"Continuous monitoring plan","type":"topic","context":"","qty_controls":1,"content":[{"index":"1163.10","name":"ISM-1163","id":"1163","revision":10,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Systems have a continuous monitoring plan that includes:[\/p][ul][li]conducting vulnerability scans for systems at least fortnightly[\/li][li]conducting vulnerability assessments and penetration tests for systems prior to deployment, including prior to deployment of significant changes, and at least annually thereafter[\/li][li]analysing identified vulnerabilities 
to determine their potential impact[\/li][li]implementing mitigations based on risk, effectiveness and cost.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Systems have a continuous monitoring plan that includes:[\/p][ul][li]conducting vulnerability scans for systems at least fortnightly[\/li][li]conducting vulnerability assessments and penetration tests for systems prior to deployment, including prior to deployment of significant changes, and at least annually thereafter[\/li][li]analysing identified vulnerabilities to determine their potential impact[\/li][li]implementing mitigations based on risk, effectiveness and cost.[\/li][\/p]"}],"reference":""},{"title":"Security assessment report","type":"topic","context":"","qty_controls":1,"content":[{"index":"1563.1","name":"ISM-1563","id":"1563","revision":1,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:[\/p][ul][li]the scope of the security assessment[\/li][li]the system\u2019s strengths and weaknesses[\/li][li]security risks associated with the operation of the system[\/li][li]the effectiveness of the implementation of controls[\/li][li]any recommended remediation actions.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:[\/p][ul][li]the scope of the security assessment[\/li][li]the system\u2019s strengths and weaknesses[\/li][li]security risks associated with the operation of the system[\/li][li]the effectiveness of the implementation of controls[\/li][li]any recommended remediation actions.[\/li][\/p]"}],"reference":""},{"title":"Plan of action and 
milestones","type":"topic","context":"","qty_controls":1,"content":[{"index":"1564.0","name":"ISM-1564","id":"1564","revision":0,"updated":"May-20","timestamp":1590465343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Physical Security","type":"guideline","qty_controls":11,"content":[{"title":"Facilities and systems","type":"section","context":"","qty_controls":10,"content":[{"title":"Physical access to systems","type":"topic","context":"","qty_controls":1,"content":[{"index":"0810.6","name":"ISM-0810","id":"0810","revision":6,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Systems are secured in facilities that meet the requirements for a security zone suitable for their classification.[\/p]","classificationString":"OS, P, S, TS","content":"[p]Systems are secured in facilities that meet the requirements for a security zone suitable for their classification.[\/p]"}],"reference":""},{"title":"Physical access to servers, network devices and cryptographic equipment","type":"topic","context":"","qty_controls":4,"content":[{"index":"1053.4","name":"ISM-1053","id":"1053","revision":4,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Servers, network devices and cryptographic equipment are 
secured in server rooms or communications rooms that meet the requirements for a security zone suitable for their classification.[\/p]","classificationString":"OS, P, S, TS","content":"[p]Servers, network devices and cryptographic equipment are secured in server rooms or communications rooms that meet the requirements for a security zone suitable for their classification.[\/p]"},{"index":"1530.2","name":"ISM-1530","id":"1530","revision":2,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Servers, network devices and cryptographic equipment are secured in security containers or secure rooms suitable for their classification taking into account the combination of security zones they reside in.[\/p]","classificationString":"OS, P, S, TS","content":"[p]Servers, network devices and cryptographic equipment are secured in security containers or secure rooms suitable for their classification taking into account the combination of security zones they reside in.[\/p]"},{"index":"0813.4","name":"ISM-0813","id":"0813","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Server rooms, communications rooms, security containers and secure rooms are not left in unsecured states.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Server rooms, communications rooms, security containers and secure rooms are not left in unsecured states.[\/p]"},{"index":"1074.3","name":"ISM-1074","id":"1074","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Keys or equivalent access mechanisms to server rooms, 
communications rooms, security containers and secure rooms are appropriately controlled.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Keys or equivalent access mechanisms to server rooms, communications rooms, security containers and secure rooms are appropriately controlled.[\/p]"}],"reference":""},{"title":"Physical access to network devices in public areas","type":"topic","context":"","qty_controls":1,"content":[{"index":"1296.4","name":"ISM-1296","id":"1296","revision":4,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Physical security is implemented to protect network devices in public areas from physical damage or unauthorised access.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Physical security is implemented to protect network devices in public areas from physical damage or unauthorised access.[\/p]"}],"reference":""},{"title":"Bringing radio frequency and infrared devices into facilities","type":"topic","context":"","qty_controls":3,"content":[{"index":"1543.4","name":"ISM-1543","id":"1543","revision":4,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]An authorised RF and IR device register for SECRET and TOP SECRET areas is developed, implemented, maintained and verified on a regular basis.[\/p]","classificationString":"S, TS","content":"[p]An authorised RF and IR device register for SECRET and TOP SECRET areas is developed, implemented, maintained and verified on a regular basis.[\/p]"},{"index":"0225.3","name":"ISM-0225","id":"0225","revision":3,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unauthorised RF and IR devices are not brought into SECRET and TOP 
SECRET areas.[\/p]","classificationString":"S, TS","content":"[p]Unauthorised RF and IR devices are not brought into SECRET and TOP SECRET areas.[\/p]"},{"index":"0829.4","name":"ISM-0829","id":"0829","revision":4,"updated":"Mar-19","timestamp":1553568943,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas.[\/p]","classificationString":"S, TS","content":"[p]Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas.[\/p]"}],"reference":""},{"title":"Preventing observation by unauthorised people","type":"topic","context":"","qty_controls":1,"content":[{"index":"0164.3","name":"ISM-0164","id":"0164","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unauthorised people are prevented from observing systems, in particular workstation displays and keyboards, within facilities.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unauthorised people are prevented from observing systems, in particular workstation displays and keyboards, within facilities.[\/p]"}],"reference":""}],"reference":""},{"title":"ICT equipment and media","type":"section","context":"","qty_controls":1,"content":[{"title":"Securing ICT equipment and media","type":"topic","context":"","qty_controls":1,"content":[{"index":"0161.5","name":"ISM-0161","id":"0161","revision":5,"updated":"Mar-19","timestamp":1553568943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ICT equipment and media are secured when not in use.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]ICT equipment and media are 
secured when not in use.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Personnel Security","type":"guideline","qty_controls":50,"content":[{"title":"Cyber security awareness training","type":"section","context":"","qty_controls":8,"content":[{"title":"Providing cyber security awareness training","type":"topic","context":"","qty_controls":2,"content":[{"index":"0252.7","name":"ISM-0252","id":"0252","revision":7,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cyber security awareness training is undertaken annually by all personnel and covers:[\/p][ul][li]the purpose of the cyber security awareness training[\/li][li]security appointments and contacts[\/li][li]authorised use of systems and their resources[\/li][li]protection of systems and their resources[\/li][li]reporting of cyber security incidents and suspected compromises of systems and their resources.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cyber security awareness training is undertaken annually by all personnel and covers:[\/p][ul][li]the purpose of the cyber security awareness training[\/li][li]security appointments and contacts[\/li][li]authorised use of systems and their resources[\/li][li]protection of systems and their resources[\/li][li]reporting of cyber security incidents and suspected compromises of systems and their resources.[\/li][\/p]"},{"index":"1565.0","name":"ISM-1565","id":"1565","revision":0,"updated":"Jun-20","timestamp":1593143743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Tailored privileged user training is undertaken annually by all privileged users.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Tailored privileged user training 
is undertaken annually by all privileged users.[\/p]"}],"reference":""},{"title":"Managing and reporting suspicious changes to banking details or payment requests","type":"topic","context":"","qty_controls":1,"content":[{"index":"1740.0","name":"ISM-1740","id":"1740","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel dealing with banking details and payment requests are advised of what business email compromise is, how to manage such situations and how to report it.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel dealing with banking details and payment requests are advised of what business email compromise is, how to manage such situations and how to report it.[\/p]"}],"reference":""},{"title":"Reporting suspicious contact via online services","type":"topic","context":"","qty_controls":1,"content":[{"index":"0817.4","name":"ISM-0817","id":"0817","revision":4,"updated":"Jan-20","timestamp":1580007343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel are advised of what suspicious contact via online services is and how to report it.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel are advised of what suspicious contact via online services is and how to report it.[\/p]"}],"reference":""},{"title":"Posting work information to online services","type":"topic","context":"","qty_controls":2,"content":[{"index":"0820.5","name":"ISM-0820","id":"0820","revision":5,"updated":"Jan-20","timestamp":1580007343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel are advised to not post work information to 
unauthorised online services and to report cases where such information is posted.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted.[\/p]"},{"index":"1146.2","name":"ISM-1146","id":"1146","revision":2,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel are advised to maintain separate work and personal accounts for online services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel are advised to maintain separate work and personal accounts for online services.[\/p]"}],"reference":""},{"title":"Posting personal information to online services","type":"topic","context":"","qty_controls":1,"content":[{"index":"0821.3","name":"ISM-0821","id":"0821","revision":3,"updated":"Oct-19","timestamp":1572058543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information.[\/p]"}],"reference":""},{"title":"Sending and receiving files via online services","type":"topic","context":"","qty_controls":1,"content":[{"index":"0824.2","name":"ISM-0824","id":"0824","revision":2,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel are advised not to send or receive files via unauthorised online services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel are advised not to send or receive files via unauthorised online services.[\/p]"}],"reference":""}],"reference":""},{"title":"Access to systems and their resources","type":"section","context":"","qty_controls":42,"content":[{"title":"System usage policy","type":"topic","context":"","qty_controls":1,"content":[{"index":"1864.0","name":"ISM-1864","id":"1864","revision":0,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A system usage policy is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A system usage policy is developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"System access requirements","type":"topic","context":"","qty_controls":4,"content":[{"index":"0432.7","name":"ISM-0432","id":"0432","revision":7,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Access requirements for a system and its resources are documented in its system security plan.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Access requirements for a system and its resources are documented in its system security plan.[\/p]"},{"index":"0434.7","name":"ISM-0434","id":"0434","revision":7,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel undergo appropriate employment screening and, where 
necessary, hold an appropriate security clearance before being granted access to a system and its resources.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel undergo appropriate employment screening and, where necessary, hold an appropriate security clearance before being granted access to a system and its resources.[\/p]"},{"index":"0435.3","name":"ISM-0435","id":"0435","revision":3,"updated":"Aug-19","timestamp":1566791743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel receive any necessary briefings before being granted access to a system and its resources.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel receive any necessary briefings before being granted access to a system and its resources.[\/p]"},{"index":"1865.0","name":"ISM-1865","id":"1865","revision":0,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel agree to abide by usage policies associated with a system and its resources before being granted access to the system and its resources.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel agree to abide by usage policies associated with a system and its resources before being granted access to the system and its resources.[\/p]"}],"reference":""},{"title":"User identification","type":"topic","context":"","qty_controls":4,"content":[{"index":"0414.4","name":"ISM-0414","id":"0414","revision":4,"updated":"Aug-19","timestamp":1566791743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel granted access to a system and its resources are uniquely 
identifiable.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel granted access to a system and its resources are uniquely identifiable.[\/p]"},{"index":"0415.3","name":"ISM-0415","id":"0415","revision":3,"updated":"Aug-19","timestamp":1566791743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable.[\/p]"},{"index":"1583.0","name":"ISM-1583","id":"1583","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel who are contractors are identified as such.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel who are contractors are identified as such.[\/p]"},{"index":"0420.11","name":"ISM-0420","id":"0420","revision":11,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Where a system processes, stores or communicates AUSTEO, AGAO or REL data, personnel who are foreign nationals are identified as such, including by their specific nationality.[\/p]","classificationString":"S, TS","content":"[p]Where a system processes, stores or communicates AUSTEO, AGAO or REL data, personnel who are foreign nationals are identified as such, including by their specific nationality.[\/p]"}],"reference":""},{"title":"Unprivileged access to 
systems","type":"topic","context":"","qty_controls":3,"content":[{"index":"0405.7","name":"ISM-0405","id":"0405","revision":7,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Requests for unprivileged access to systems, applications and data repositories are validated when first requested.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Requests for unprivileged access to systems, applications and data repositories are validated when first requested.[\/p]"},{"index":"1852.0","name":"ISM-1852","id":"1852","revision":0,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unprivileged access to systems, applications and data repositories is limited to only what is required for users and services to undertake their duties.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unprivileged access to systems, applications and data repositories is limited to only what is required for users and services to undertake their duties.[\/p]"},{"index":"1566.3","name":"ISM-1566","id":"1566","revision":3,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Use of unprivileged access is centrally logged.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Use of unprivileged access is centrally logged.[\/p]"}],"reference":""},{"title":"Unprivileged access to systems by foreign 
nationals","type":"topic","context":"","qty_controls":2,"content":[{"index":"0409.8","name":"ISM-0409","id":"0409","revision":8,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL data unless effective controls are in place to ensure such data is not accessible to them.[\/p]","classificationString":"S, TS","content":"[p]Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL data unless effective controls are in place to ensure such data is not accessible to them.[\/p]"},{"index":"0411.7","name":"ISM-0411","id":"0411","revision":7,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO data unless effective controls are in place to ensure such data is not accessible to them.[\/p]","classificationString":"S, TS","content":"[p]Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO data unless effective controls are in place to ensure such data is not accessible to them.[\/p]"}],"reference":""},{"title":"Privileged access to systems","type":"topic","context":"","qty_controls":9,"content":[{"index":"1507.3","name":"ISM-1507","id":"1507","revision":3,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Requests for privileged access to systems, applications and data repositories are validated when first 
requested.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Requests for privileged access to systems, applications and data repositories are validated when first requested.[\/p]"},{"index":"1508.3","name":"ISM-1508","id":"1508","revision":3,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Privileged access to systems, applications and data repositories is limited to only what is required for users and services to undertake their duties.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Privileged access to systems, applications and data repositories is limited to only what is required for users and services to undertake their duties.[\/p]"},{"index":"1175.5","name":"ISM-1175","id":"1175","revision":5,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Privileged accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Privileged accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services.[\/p]"},{"index":"1883.0","name":"ISM-1883","id":"1883","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Privileged accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Privileged accounts 
explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties.[\/p]"},{"index":"1649.0","name":"ISM-1649","id":"1649","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Just-in-time administration is used for administering systems and applications.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Just-in-time administration is used for administering systems and applications.[\/p]"},{"index":"0445.7","name":"ISM-0445","id":"0445","revision":7,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Privileged users are assigned a dedicated privileged account to be used solely for duties requiring privileged access.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Privileged users are assigned a dedicated privileged account to be used solely for duties requiring privileged access.[\/p]"},{"index":"1263.4","name":"ISM-1263","id":"1263","revision":4,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unique privileged accounts are used for administering individual server applications.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unique privileged accounts are used for administering individual server applications.[\/p]"},{"index":"1509.3","name":"ISM-1509","id":"1509","revision":3,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Privileged access events are centrally logged.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Privileged access events are centrally logged.[\/p]"},{"index":"1650.2","name":"ISM-1650","id":"1650","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Privileged account and group management events are centrally logged.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Privileged account and group management events are centrally logged.[\/p]"}],"reference":""},{"title":"Privileged access to systems by foreign nationals","type":"topic","context":"","qty_controls":2,"content":[{"index":"0446.5","name":"ISM-0446","id":"0446","revision":5,"updated":"Jun-21","timestamp":1624679743,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL data.[\/p]","classificationString":"S, TS","content":"[p]Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL data.[\/p]"},{"index":"0447.4","name":"ISM-0447","id":"0447","revision":4,"updated":"Jun-21","timestamp":1624679743,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO data.[\/p]","classificationString":"S, TS","content":"[p]Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO data.[\/p]"}],"reference":""},{"title":"Suspension of access 
to systems","type":"topic","context":"","qty_controls":6,"content":[{"index":"0430.7","name":"ISM-0430","id":"0430","revision":7,"updated":"Sep-19","timestamp":1569470143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access.[\/p]"},{"index":"1591.0","name":"ISM-1591","id":"1591","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities.[\/p]"},{"index":"1404.4","name":"ISM-1404","id":"1404","revision":4,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unprivileged access to systems and applications is disabled after 45 days of inactivity.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unprivileged access to systems and applications is disabled after 45 days of 
inactivity.[\/p]"},{"index":"1648.1","name":"ISM-1648","id":"1648","revision":1,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Privileged access to systems and applications is disabled after 45 days of inactivity.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Privileged access to systems and applications is disabled after 45 days of inactivity.[\/p]"},{"index":"1716.1","name":"ISM-1716","id":"1716","revision":1,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Access to data repositories is disabled after 45 days of inactivity.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Access to data repositories is disabled after 45 days of inactivity.[\/p]"},{"index":"1647.1","name":"ISM-1647","id":"1647","revision":1,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Privileged access to systems, applications and data repositories is disabled after 12 months unless revalidated.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Privileged access to systems, applications and data repositories is disabled after 12 months unless revalidated.[\/p]"}],"reference":""},{"title":"Recording authorisation for personnel to access systems","type":"topic","context":"","qty_controls":1,"content":[{"index":"0407.5","name":"ISM-0407","id":"0407","revision":5,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A secure record is 
maintained for the life of each system covering the following for each user:[\/p][ul][li]their user identification[\/li][li]their signed agreement to abide by usage policies for the system and its resources[\/li][li]who provided authorisation for their access[\/li][li]when their access was granted[\/li][li]the level of access that they were granted[\/li][li]when their access, and their level of access, was last reviewed[\/li][li]when their level of access was changed, and to what extent (if applicable)[\/li][li]when their access was withdrawn (if applicable).[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A secure record is maintained for the life of each system covering the following for each user:[\/p][ul][li]their user identification[\/li][li]their signed agreement to abide by usage policies for the system and its resources[\/li][li]who provided authorisation for their access[\/li][li]when their access was granted[\/li][li]the level of access that they were granted[\/li][li]when their access, and their level of access, was last reviewed[\/li][li]when their level of access was changed, and to what extent (if applicable)[\/li][li]when their access was withdrawn (if applicable).[\/li][\/p]"}],"reference":""},{"title":"Temporary access to systems","type":"topic","context":"","qty_controls":2,"content":[{"index":"0441.8","name":"ISM-0441","id":"0441","revision":8,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When personnel are granted temporary access to a system, effective controls are put in place to restrict their access to only data required for them to undertake their duties.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When personnel are granted temporary access to a system, effective controls are put in place to restrict their access to only data required for them 
to undertake their duties.[\/p]"},{"index":"0443.3","name":"ISM-0443","id":"0443","revision":3,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information.[\/p]","classificationString":"S, TS","content":"[p]Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information.[\/p]"}],"reference":""},{"title":"Emergency access to systems","type":"topic","context":"","qty_controls":6,"content":[{"index":"1610.0","name":"ISM-1610","id":"1610","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur.[\/p]"},{"index":"1611.0","name":"ISM-1611","id":"1611","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Break glass accounts are only used when normal authentication processes cannot be used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Break glass accounts are only used when normal authentication processes cannot be 
used.[\/p]"},{"index":"1612.0","name":"ISM-1612","id":"1612","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Break glass accounts are only used for specific authorised activities.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Break glass accounts are only used for specific authorised activities.[\/p]"},{"index":"1614.0","name":"ISM-1614","id":"1614","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Break glass account credentials are changed by the account custodian after they are accessed by any other party.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Break glass account credentials are changed by the account custodian after they are accessed by any other party.[\/p]"},{"index":"1615.0","name":"ISM-1615","id":"1615","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Break glass accounts are tested after credentials are changed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Break glass accounts are tested after credentials are changed.[\/p]"},{"index":"1613.2","name":"ISM-1613","id":"1613","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Use of break glass accounts is centrally logged.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Use of break glass accounts is centrally logged.[\/p]"}],"reference":""},{"title":"Control of 
Australian systems","type":"topic","context":"","qty_controls":2,"content":[{"index":"0078.5","name":"ISM-0078","id":"0078","revision":5,"updated":"Jun-21","timestamp":1624679743,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Systems processing, storing or communicating AUSTEO or AGAO data remain at all times under the control of an Australian national working for or on behalf of the Australian Government.[\/p]","classificationString":"S, TS","content":"[p]Systems processing, storing or communicating AUSTEO or AGAO data remain at all times under the control of an Australian national working for or on behalf of the Australian Government.[\/p]"},{"index":"0854.6","name":"ISM-0854","id":"0854","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]AUSTEO and AGAO data can only be accessed from systems under the sole control of the Australian Government that are located within facilities authorised by the Australian Government.[\/p]","classificationString":"S, TS","content":"[p]AUSTEO and AGAO data can only be accessed from systems under the sole control of the Australian Government that are located within facilities authorised by the Australian Government.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Communications Infrastructure","type":"guideline","qty_controls":54,"content":[{"title":"Cabling infrastructure","type":"section","context":"","qty_controls":47,"content":[{"title":"Cabling infrastructure standards","type":"topic","context":"","qty_controls":1,"content":[{"index":"0181.3","name":"ISM-0181","id":"0181","revision":3,"updated":"Mar-21","timestamp":1616727343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cabling infrastructure is 
installed in accordance with relevant Australian Standards, as directed by the Australian Communications and Media Authority.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cabling infrastructure is installed in accordance with relevant Australian Standards, as directed by the Australian Communications and Media Authority.[\/p]"}],"reference":""},{"title":"Use of fibre-optic cables","type":"topic","context":"","qty_controls":1,"content":[{"index":"1111.3","name":"ISM-1111","id":"1111","revision":3,"updated":"Mar-21","timestamp":1616727343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Fibre-optic cables are used for cabling infrastructure instead of copper cables.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Fibre-optic cables are used for cabling infrastructure instead of copper cables.[\/p]"}],"reference":""},{"title":"Cable register","type":"topic","context":"","qty_controls":2,"content":[{"index":"0211.7","name":"ISM-0211","id":"0211","revision":7,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A cable register is developed, implemented, maintained and verified on a regular basis.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A cable register is developed, implemented, maintained and verified on a regular basis.[\/p]"},{"index":"0208.6","name":"ISM-0208","id":"0208","revision":6,"updated":"Jun-21","timestamp":1624679743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A cable register contains the following for each cable:[\/p][ul][li]cable identifier[\/li][li]cable 
colour[\/li][li]sensitivity\/classification[\/li][li]source[\/li][li]destination[\/li][li]location[\/li][li]seal numbers (if applicable).[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A cable register contains the following for each cable:[\/p][ul][li]cable identifier[\/li][li]cable colour[\/li][li]sensitivity\/classification[\/li][li]source[\/li][li]destination[\/li][li]location[\/li][li]seal numbers (if applicable).[\/li][\/p]"}],"reference":""},{"title":"Floor plan diagrams","type":"topic","context":"","qty_controls":2,"content":[{"index":"1645.2","name":"ISM-1645","id":"1645","revision":2,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Floor plan diagrams are developed, implemented, maintained and verified on a regular basis.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Floor plan diagrams are developed, implemented, maintained and verified on a regular basis.[\/p]"},{"index":"1646.0","name":"ISM-1646","id":"1646","revision":0,"updated":"Jun-21","timestamp":1624679743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Floor plan diagrams contain the following:[\/p][ul][li]cable paths (including ingress and egress points between floors)[\/li][li]cable reticulation system and conduit paths[\/li][li]floor concentration boxes[\/li][li]wall outlet boxes[\/li][li]network cabinets.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Floor plan diagrams contain the following:[\/p][ul][li]cable paths (including ingress and egress points between floors)[\/li][li]cable reticulation system and conduit paths[\/li][li]floor concentration boxes[\/li][li]wall outlet boxes[\/li][li]network cabinets.[\/li][\/p]"}],"reference":""},{"title":"Cable labelling 
processes and procedures","type":"topic","context":"","qty_controls":1,"content":[{"index":"0206.7","name":"ISM-0206","id":"0206","revision":7,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cable labelling processes, and supporting cable labelling procedures, are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cable labelling processes, and supporting cable labelling procedures, are developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Labelling cables","type":"topic","context":"","qty_controls":1,"content":[{"index":"1096.2","name":"ISM-1096","id":"1096","revision":2,"updated":"Oct-19","timestamp":1572058543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable.[\/p]"}],"reference":""},{"title":"Labelling building management cables","type":"topic","context":"","qty_controls":1,"content":[{"index":"1639.0","name":"ISM-1639","id":"1639","revision":0,"updated":"Mar-21","timestamp":1616727343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Building management cables are labelled with their purpose in black writing on a yellow background, with a minimum size of 2.5 cm x 1 cm, and attached at five-metre intervals.[\/p]","classificationString":"O, OS, P, S, 
TS","content":"[p]Building management cables are labelled with their purpose in black writing on a yellow background, with a minimum size of 2.5 cm x 1 cm, and attached at five-metre intervals.[\/p]"}],"reference":""},{"title":"Labelling cables for foreign systems in Australian facilities","type":"topic","context":"","qty_controls":1,"content":[{"index":"1640.0","name":"ISM-1640","id":"1640","revision":0,"updated":"Mar-21","timestamp":1616727343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cables for foreign systems installed in Australian facilities are labelled at inspection points.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cables for foreign systems installed in Australian facilities are labelled at inspection points.[\/p]"}],"reference":""},{"title":"Cable colours","type":"topic","context":"","qty_controls":4,"content":[{"index":"1820.0","name":"ISM-1820","id":"1820","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cables for individual systems use a consistent colour.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cables for individual systems use a consistent colour.[\/p]"},{"index":"0926.10","name":"ISM-0926","id":"0926","revision":10,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]OFFICIAL: Sensitive and PROTECTED cables are coloured neither salmon pink nor red.[\/p]","classificationString":"OS, P","content":"[p]OFFICIAL: Sensitive and PROTECTED cables are coloured neither salmon pink nor 
red.[\/p]"},{"index":"1718.1","name":"ISM-1718","id":"1718","revision":1,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"S":"SECRET"},"applicability":"","statement":"[p]SECRET cables are coloured salmon pink.[\/p]","classificationString":"S","content":"[p]SECRET cables are coloured salmon pink.[\/p]"},{"index":"1719.1","name":"ISM-1719","id":"1719","revision":1,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]TOP SECRET cables are coloured red.[\/p]","classificationString":"TS","content":"[p]TOP SECRET cables are coloured red.[\/p]"}],"reference":""},{"title":"Cable colour non-conformance","type":"topic","context":"","qty_controls":1,"content":[{"index":"1216.3","name":"ISM-1216","id":"1216","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SECRET and TOP SECRET cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points.[\/p]","classificationString":"S, TS","content":"[p]SECRET and TOP SECRET cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points.[\/p]"}],"reference":""},{"title":"Cable inspectability","type":"topic","context":"","qty_controls":2,"content":[{"index":"1112.3","name":"ISM-1112","id":"1112","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cables are inspectable at a minimum of five-metre intervals.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cables are inspectable at a minimum of five-metre 
intervals.[\/p]"},{"index":"1119.2","name":"ISM-1119","id":"1119","revision":2,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cables in TOP SECRET areas are fully inspectable for their entire length.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cables in TOP SECRET areas are fully inspectable for their entire length.[\/p]"}],"reference":""},{"title":"Common cable bundles and conduits","type":"topic","context":"","qty_controls":2,"content":[{"index":"0187.8","name":"ISM-0187","id":"0187","revision":8,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"S":"SECRET"},"applicability":"","statement":"[p]SECRET cables, when bundled together or run in conduit, are run exclusively in their own individual cable bundle or conduit.[\/p]","classificationString":"S","content":"[p]SECRET cables, when bundled together or run in conduit, are run exclusively in their own individual cable bundle or conduit.[\/p]"},{"index":"1821.0","name":"ISM-1821","id":"1821","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]TOP SECRET cables, when bundled together or run in conduit, are run exclusively in their own individual cable bundle or conduit.[\/p]","classificationString":"TS","content":"[p]TOP SECRET cables, when bundled together or run in conduit, are run exclusively in their own individual cable bundle or conduit.[\/p]"}],"reference":""},{"title":"Common cable reticulation systems","type":"topic","context":"","qty_controls":1,"content":[{"index":"1114.4","name":"ISM-1114","id":"1114","revision":4,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Cable bundles or conduits sharing a common cable reticulation system have a dividing partition or visible gap between each cable bundle and conduit.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cable bundles or conduits sharing a common cable reticulation system have a dividing partition or visible gap between each cable bundle and conduit.[\/p]"}],"reference":""},{"title":"Enclosed cable reticulation systems","type":"topic","context":"","qty_controls":1,"content":[{"index":"1130.4","name":"ISM-1130","id":"1130","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]In shared facilities, cables are run in an enclosed cable reticulation system.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]In shared facilities, cables are run in an enclosed cable reticulation system.[\/p]"}],"reference":""},{"title":"Covers for enclosed cable reticulation systems","type":"topic","context":"","qty_controls":1,"content":[{"index":"1164.3","name":"ISM-1164","id":"1164","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]In shared facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]In shared facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic.[\/p]"}],"reference":""},{"title":"Sealing cable reticulation systems and 
conduits","type":"topic","context":"","qty_controls":2,"content":[{"index":"0195.7","name":"ISM-0195","id":"0195","revision":7,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]In shared facilities, uniquely identifiable SCEC-approved tamper-evident seals are used to seal all removable covers on TOP SECRET cable reticulation systems.[\/p]","classificationString":"TS","content":"[p]In shared facilities, uniquely identifiable SCEC-approved tamper-evident seals are used to seal all removable covers on TOP SECRET cable reticulation systems.[\/p]"},{"index":"0194.3","name":"ISM-0194","id":"0194","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]In shared facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and TOP SECRET conduits connected by threaded lock nuts.[\/p]","classificationString":"TS","content":"[p]In shared facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and TOP SECRET conduits connected by threaded lock nuts.[\/p]"}],"reference":""},{"title":"Labelling conduits","type":"topic","context":"","qty_controls":1,"content":[{"index":"0201.3","name":"ISM-0201","id":"0201","revision":3,"updated":"Mar-21","timestamp":1616727343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at five-metre intervals and marked as \u2018TS RUN\u2019.[\/p]","classificationString":"TS","content":"[p]Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at five-metre intervals and marked as \u2018TS RUN\u2019.[\/p]"}],"reference":""},{"title":"Cables in 
walls","type":"topic","context":"","qty_controls":1,"content":[{"index":"1115.4","name":"ISM-1115","id":"1115","revision":4,"updated":"Dec-19","timestamp":1577328943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit.[\/p]"}],"reference":""},{"title":"Cables in party walls","type":"topic","context":"","qty_controls":1,"content":[{"index":"1133.3","name":"ISM-1133","id":"1133","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]In shared facilities, TOP SECRET cables are not run in party walls.[\/p]","classificationString":"TS","content":"[p]In shared facilities, TOP SECRET cables are not run in party walls.[\/p]"}],"reference":""},{"title":"Wall penetrations","type":"topic","context":"","qty_controls":1,"content":[{"index":"1122.2","name":"ISM-1122","id":"1122","revision":2,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]Where wall penetrations exit a TOP SECRET area into a lower classified area, TOP SECRET cables are encased in conduit with all gaps between the TOP SECRET conduit and the wall filled with an appropriate sealing compound.[\/p]","classificationString":"TS","content":"[p]Where wall penetrations exit a TOP SECRET area into a lower classified area, TOP SECRET cables are encased in conduit with all gaps between the TOP SECRET conduit and the wall filled with an appropriate sealing compound.[\/p]"}],"reference":""},{"title":"Wall outlet 
boxes","type":"topic","context":"","qty_controls":1,"content":[{"index":"1105.4","name":"ISM-1105","id":"1105","revision":4,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SECRET and TOP SECRET wall outlet boxes contain exclusively SECRET or TOP SECRET cables.[\/p]","classificationString":"S, TS","content":"[p]SECRET and TOP SECRET wall outlet boxes contain exclusively SECRET or TOP SECRET cables.[\/p]"}],"reference":""},{"title":"Labelling wall outlet boxes","type":"topic","context":"","qty_controls":1,"content":[{"index":"1095.5","name":"ISM-1095","id":"1095","revision":5,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Wall outlet boxes denote the systems, cable identifiers and wall outlet box identifier.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Wall outlet boxes denote the systems, cable identifiers and wall outlet box identifier.[\/p]"}],"reference":""},{"title":"Wall outlet box colours","type":"topic","context":"","qty_controls":4,"content":[{"index":"1822.0","name":"ISM-1822","id":"1822","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Wall outlet boxes for individual systems use a consistent colour.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Wall outlet boxes for individual systems use a consistent colour.[\/p]"},{"index":"1107.6","name":"ISM-1107","id":"1107","revision":6,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]OFFICIAL: Sensitive and PROTECTED wall outlet boxes are 
coloured neither salmon pink nor red.[\/p]","classificationString":"OS, P","content":"[p]OFFICIAL: Sensitive and PROTECTED wall outlet boxes are coloured neither salmon pink nor red.[\/p]"},{"index":"1720.0","name":"ISM-1720","id":"1720","revision":0,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET"},"applicability":"","statement":"[p]SECRET wall outlet boxes are coloured salmon pink.[\/p]","classificationString":"S","content":"[p]SECRET wall outlet boxes are coloured salmon pink.[\/p]"},{"index":"1721.0","name":"ISM-1721","id":"1721","revision":0,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]TOP SECRET wall outlet boxes are coloured red.[\/p]","classificationString":"TS","content":"[p]TOP SECRET wall outlet boxes are coloured red.[\/p]"}],"reference":""},{"title":"Wall outlet box covers","type":"topic","context":"","qty_controls":1,"content":[{"index":"1109.3","name":"ISM-1109","id":"1109","revision":3,"updated":"Dec-19","timestamp":1577328943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Wall outlet box covers are clear plastic.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Wall outlet box covers are clear plastic.[\/p]"}],"reference":""},{"title":"Fly lead installation","type":"topic","context":"","qty_controls":1,"content":[{"index":"0218.6","name":"ISM-0218","id":"0218","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]If TOP SECRET fibre-optic fly leads exceeding five metres in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway that is clearly labelled at the ICT equipment end with the wall outlet box\u2019s 
identifier.[\/p]","classificationString":"TS","content":"[p]If TOP SECRET fibre-optic fly leads exceeding five metres in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway that is clearly labelled at the ICT equipment end with the wall outlet box\u2019s identifier.[\/p]"}],"reference":""},{"title":"Connecting cable reticulation systems to cabinets","type":"topic","context":"","qty_controls":3,"content":[{"index":"1102.3","name":"ISM-1102","id":"1102","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cable reticulation systems leading into cabinets are terminated as close as possible to the cabinet.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cable reticulation systems leading into cabinets are terminated as close as possible to the cabinet.[\/p]"},{"index":"1101.3","name":"ISM-1101","id":"1101","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]In TOP SECRET areas, cable reticulation systems leading into cabinets in server rooms or communications rooms are terminated as close as possible to the cabinet.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]In TOP SECRET areas, cable reticulation systems leading into cabinets in server rooms or communications rooms are terminated as close as possible to the cabinet.[\/p]"},{"index":"1103.3","name":"ISM-1103","id":"1103","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]In TOP SECRET areas, cable reticulation systems 
leading into cabinets not in server rooms or communications rooms are terminated at the boundary of the cabinet.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]In TOP SECRET areas, cable reticulation systems leading into cabinets not in server rooms or communications rooms are terminated at the boundary of the cabinet.[\/p]"}],"reference":""},{"title":"Terminating cables in cabinets","type":"topic","context":"","qty_controls":2,"content":[{"index":"1098.5","name":"ISM-1098","id":"1098","revision":5,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"S":"SECRET"},"applicability":"","statement":"[p]SECRET cables are terminated in an individual cabinet; or for small systems, a cabinet with a division plate between any SECRET cables and non-SECRET cables.[\/p]","classificationString":"S","content":"[p]SECRET cables are terminated in an individual cabinet; or for small systems, a cabinet with a division plate between any SECRET cables and non-SECRET cables.[\/p]"},{"index":"1100.1","name":"ISM-1100","id":"1100","revision":1,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]TOP SECRET cables are terminated in an individual TOP SECRET cabinet.[\/p]","classificationString":"TS","content":"[p]TOP SECRET cables are terminated in an individual TOP SECRET cabinet.[\/p]"}],"reference":""},{"title":"Terminating cables on patch panels","type":"topic","context":"","qty_controls":1,"content":[{"index":"0213.4","name":"ISM-0213","id":"0213","revision":4,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SECRET and TOP SECRET cables are terminated on their own individual patch panels.[\/p]","classificationString":"S, TS","content":"[p]SECRET and TOP SECRET cables are terminated on their own individual patch 
panels.[\/p]"}],"reference":""},{"title":"Physical separation of cabinets and patch panels","type":"topic","context":"","qty_controls":3,"content":[{"index":"0216.3","name":"ISM-0216","id":"0216","revision":3,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]TOP SECRET patch panels are installed in individual TOP SECRET cabinets.[\/p]","classificationString":"TS","content":"[p]TOP SECRET patch panels are installed in individual TOP SECRET cabinets.[\/p]"},{"index":"0217.5","name":"ISM-0217","id":"0217","revision":5,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]Where spatial constraints demand non-TOP SECRET patch panels be installed in the same cabinet as a TOP SECRET patch panel:[\/p][ul][li]a physical barrier in the cabinet is provided to separate patch panels[\/li][li]only personnel holding a Positive Vetting security clearance have access to the cabinet[\/li][li]approval from the TOP SECRET system\u2019s authorising officer is obtained prior to installation.[\/li][\/ul]","classificationString":"TS","content":"[p]Where spatial constraints demand non-TOP SECRET patch panels be installed in the same cabinet as a TOP SECRET patch panel:[\/p][ul][li]a physical barrier in the cabinet is provided to separate patch panels[\/li][li]only personnel holding a Positive Vetting security clearance have access to the cabinet[\/li][li]approval from the TOP SECRET system\u2019s authorising officer is obtained prior to installation.[\/li][\/ul]"},{"index":"1116.4","name":"ISM-1116","id":"1116","revision":4,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]A visible gap exists between TOP SECRET cabinets and non-TOP SECRET cabinets.[\/p]","classificationString":"TS","content":"[p]A visible gap exists between TOP SECRET 
cabinets and non-TOP SECRET cabinets.[\/p]"}],"reference":""},{"title":"Audio secure rooms","type":"topic","context":"","qty_controls":1,"content":[{"index":"0198.3","name":"ISM-0198","id":"0198","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]When penetrating a TOP SECRET audio secure room, the Australian Security Intelligence Organisation is consulted and all directions provided are complied with.[\/p]","classificationString":"TS","content":"[p]When penetrating a TOP SECRET audio secure room, the Australian Security Intelligence Organisation is consulted and all directions provided are complied with.[\/p]"}],"reference":""},{"title":"Power reticulation","type":"topic","context":"","qty_controls":1,"content":[{"index":"1123.3","name":"ISM-1123","id":"1123","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]A power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment.[\/p]","classificationString":"TS","content":"[p]A power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment.[\/p]"}],"reference":""}],"reference":""},{"title":"Emanation security","type":"section","context":"","qty_controls":7,"content":[{"title":"Electromagnetic interference\/electromagnetic compatibility standards","type":"topic","context":"","qty_controls":1,"content":[{"index":"0250.4","name":"ISM-0250","id":"0250","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ICT equipment meets industry and government standards relating to electromagnetic interference\/electromagnetic 
compatibility.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]ICT equipment meets industry and government standards relating to electromagnetic interference\/electromagnetic compatibility.[\/p]"}],"reference":""},{"title":"Emanation security doctrine","type":"topic","context":"","qty_controls":1,"content":[{"index":"1884.0","name":"ISM-1884","id":"1884","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Emanation security doctrine produced by ASD for the management of emanation security matters is complied with.[\/p]","classificationString":"OS, P, S, TS","content":"[p]Emanation security doctrine produced by ASD for the management of emanation security matters is complied with.[\/p]"}],"reference":""},{"title":"Emanation security threat assessments","type":"topic","context":"","qty_controls":5,"content":[{"index":"1137.5","name":"ISM-1137","id":"1137","revision":5,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System owners deploying SECRET or TOP SECRET systems within fixed facilities contact ASD for an emanation security threat assessment.[\/p]","classificationString":"S, TS","content":"[p]System owners deploying SECRET or TOP SECRET systems within fixed facilities contact ASD for an emanation security threat assessment.[\/p]"},{"index":"0248.8","name":"ISM-0248","id":"0248","revision":8,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]System owners deploying OFFICIAL: Sensitive or PROTECTED systems with radio frequency transmitters (including any wireless capabilities) that will be located within 20 meters of SECRET or TOP SECRET systems contact ASD for an emanation security threat 
assessment.[\/p]","classificationString":"OS, P","content":"[p]System owners deploying OFFICIAL: Sensitive or PROTECTED systems with radio frequency transmitters (including any wireless capabilities) that will be located within 20 meters of SECRET or TOP SECRET systems contact ASD for an emanation security threat assessment.[\/p]"},{"index":"0249.6","name":"ISM-0249","id":"0249","revision":6,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System owners deploying SECRET or TOP SECRET systems in mobile platforms, or as a deployable capability, contact ASD for an emanation security threat assessment.[\/p]","classificationString":"S, TS","content":"[p]System owners deploying SECRET or TOP SECRET systems in mobile platforms, or as a deployable capability, contact ASD for an emanation security threat assessment.[\/p]"},{"index":"0246.5","name":"ISM-0246","id":"0246","revision":5,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When an emanation security threat assessment is required, it is sought as early as possible in a system\u2019s life cycle.[\/p]","classificationString":"OS, P, S, TS","content":"[p]When an emanation security threat assessment is required, it is sought as early as possible in a system\u2019s life cycle.[\/p]"},{"index":"1885.0","name":"ISM-1885","id":"1885","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Recommended actions contained within TEMPEST requirements statements issued for systems are implemented by system owners.[\/p]","classificationString":"OS, P, S, TS","content":"[p]Recommended actions contained within TEMPEST requirements statements 
issued for systems are implemented by system owners.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Communications Systems","type":"guideline","qty_controls":35,"content":[{"title":"Telephone systems","type":"section","context":"","qty_controls":9,"content":[{"title":"Telephone system usage policy","type":"topic","context":"","qty_controls":1,"content":[{"index":"1078.4","name":"ISM-1078","id":"1078","revision":4,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A telephone system usage policy is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A telephone system usage policy is developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Personnel awareness","type":"topic","context":"","qty_controls":3,"content":[{"index":"0229.3","name":"ISM-0229","id":"0229","revision":3,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems.[\/p]"},{"index":"0230.3","name":"ISM-0230","id":"0230","revision":3,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel are advised of security risks posed by non-secure telephone systems in areas where 
sensitive or classified conversations can occur.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur.[\/p]"},{"index":"0231.2","name":"ISM-0231","id":"0231","revision":2,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When using cryptographic equipment to permit different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When using cryptographic equipment to permit different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made.[\/p]"}],"reference":""},{"title":"Protecting conversations","type":"topic","context":"","qty_controls":1,"content":[{"index":"0232.3","name":"ISM-0232","id":"0232","revision":3,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems.[\/p]"}],"reference":""},{"title":"Cordless telephone systems","type":"topic","context":"","qty_controls":1,"content":[{"index":"0233.4","name":"ISM-0233","id":"0233","revision":4,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cordless telephone handsets and headsets are not used for sensitive or classified conversations unless all communications are encrypted.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cordless telephone handsets and headsets are not used for sensitive or classified conversations unless all communications are encrypted.[\/p]"}],"reference":""},{"title":"Speakerphones","type":"topic","context":"","qty_controls":1,"content":[{"index":"0235.4","name":"ISM-0235","id":"0235","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in an audio secure room, the room is audio secure during conversations and only personnel involved in conversations are present in the room.[\/p]","classificationString":"OS, P, S, TS","content":"[p]Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in an audio secure room, the room is audio secure during conversations and only personnel involved in conversations are present in the room.[\/p]"}],"reference":""},{"title":"Off-hook audio protection","type":"topic","context":"","qty_controls":2,"content":[{"index":"0236.5","name":"ISM-0236","id":"0236","revision":5,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Off-hook audio protection features are used on telephone systems in areas where background conversations may exceed the sensitivity or classification that the telephone system is authorised for communicating.[\/p]","classificationString":"O, OS, P, S, 
TS","content":"[p]Off-hook audio protection features are used on telephone systems in areas where background conversations may exceed the sensitivity or classification that the telephone system is authorised for communicating.[\/p]"},{"index":"0931.6","name":"ISM-0931","id":"0931","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]In SECRET and TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used to meet any off-hook audio protection requirements.[\/p]","classificationString":"OS, P, S, TS","content":"[p]In SECRET and TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used to meet any off-hook audio protection requirements.[\/p]"}],"reference":""}],"reference":""},{"title":"Video conferencing and Internet Protocol telephony","type":"section","context":"","qty_controls":16,"content":[{"title":"Video conferencing and Internet Protocol telephony infrastructure hardening","type":"topic","context":"","qty_controls":1,"content":[{"index":"1562.0","name":"ISM-1562","id":"1562","revision":0,"updated":"Dec-19","timestamp":1577328943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Video conferencing and IP telephony infrastructure is hardened.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Video conferencing and IP telephony infrastructure is hardened.[\/p]"}],"reference":""},{"title":"Video-aware and voice-aware firewalls and proxies","type":"topic","context":"","qty_controls":1,"content":[{"index":"0546.9","name":"ISM-0546","id":"0546","revision":9,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]When video conferencing or IP telephony traffic passes through a gateway containing a firewall or proxy, a video-aware or voice-aware firewall or proxy is used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When video conferencing or IP telephony traffic passes through a gateway containing a firewall or proxy, a video-aware or voice-aware firewall or proxy is used.[\/p]"}],"reference":""},{"title":"Protecting video conferencing and Internet Protocol telephony traffic","type":"topic","context":"","qty_controls":2,"content":[{"index":"0548.4","name":"ISM-0548","id":"0548","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Video conferencing and IP telephony calls are established using a secure session initiation protocol.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Video conferencing and IP telephony calls are established using a secure session initiation protocol.[\/p]"},{"index":"0547.4","name":"ISM-0547","id":"0547","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Video conferencing and IP telephony calls are conducted using a secure real-time transport protocol.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Video conferencing and IP telephony calls are conducted using a secure real-time transport protocol.[\/p]"}],"reference":""},{"title":"Video conferencing unit and Internet Protocol phone authentication","type":"topic","context":"","qty_controls":5,"content":[{"index":"0554.1","name":"ISM-0554","id":"0554","revision":1,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation.[\/p]"},{"index":"0553.3","name":"ISM-0553","id":"0553","revision":3,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings.[\/p]"},{"index":"0555.3","name":"ISM-0555","id":"0555","revision":3,"updated":"Dec-19","timestamp":1577328943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail.[\/p]"},{"index":"0551.7","name":"ISM-0551","id":"0551","revision":7,"updated":"Jan-20","timestamp":1580007343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]IP telephony is 
configured such that:[\/p][ul][li]IP phones authenticate themselves to the call controller upon registration[\/li][li]auto-registration is disabled and only authorised devices are allowed to access the network[\/li][li]unauthorised devices are blocked by default[\/li][li]all unused and prohibited functionality is disabled.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]IP telephony is configured such that:[\/p][ul][li]IP phones authenticate themselves to the call controller upon registration[\/li][li]auto-registration is disabled and only authorised devices are allowed to access the network[\/li][li]unauthorised devices are blocked by default[\/li][li]all unused and prohibited functionality is disabled.[\/li][\/p]"},{"index":"1014.6","name":"ISM-1014","id":"1014","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Individual logins are implemented for IP phones used for SECRET or TOP SECRET conversations.[\/p]","classificationString":"S, TS","content":"[p]Individual logins are implemented for IP phones used for SECRET or TOP SECRET conversations.[\/p]"}],"reference":""},{"title":"Traffic separation","type":"topic","context":"","qty_controls":2,"content":[{"index":"0549.4","name":"ISM-0549","id":"0549","revision":4,"updated":"Oct-19","timestamp":1572058543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Video conferencing and IP telephony traffic is separated physically or logically from other data traffic.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Video conferencing and IP telephony traffic is separated physically or logically from other data 
traffic.[\/p]"},{"index":"0556.5","name":"ISM-0556","id":"0556","revision":5,"updated":"Oct-19","timestamp":1572058543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses Virtual Local Area Networks or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses Virtual Local Area Networks or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic.[\/p]"}],"reference":""},{"title":"Internet Protocol phones in public areas","type":"topic","context":"","qty_controls":1,"content":[{"index":"0558.6","name":"ISM-0558","id":"0558","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]IP phones used in public areas do not have the ability to access data networks, voicemail and directory services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]IP phones used in public areas do not have the ability to access data networks, voicemail and directory services.[\/p]"}],"reference":""},{"title":"Microphones and webcams","type":"topic","context":"","qty_controls":2,"content":[{"index":"0559.5","name":"ISM-0559","id":"0559","revision":5,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET 
areas.[\/p]","classificationString":"OS, P","content":"[p]Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas.[\/p]"},{"index":"1450.2","name":"ISM-1450","id":"1450","revision":2,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET"},"applicability":"","statement":"[p]Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas.[\/p]","classificationString":"OS, P, S","content":"[p]Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas.[\/p]"}],"reference":""},{"title":"Denial of service response plan","type":"topic","context":"","qty_controls":2,"content":[{"index":"1019.9","name":"ISM-1019","id":"1019","revision":9,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A denial of service response plan for video conferencing and IP telephony services is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A denial of service response plan for video conferencing and IP telephony services is developed, implemented and maintained.[\/p]"},{"index":"1805.0","name":"ISM-1805","id":"1805","revision":0,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A denial of service response plan for video conferencing and IP telephony services contains the following:[\/p][ul][li]how to identify signs of a denial-of-service attack[\/li][li]how to identify the source of a denial-of-service attack[\/li][li]how capabilities can be maintained 
during a denial-of-service attack[\/li][li]what actions can be taken to respond to a denial-of-service attack.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A denial of service response plan for video conferencing and IP telephony services contains the following:[\/p][ul][li]how to identify signs of a denial-of-service attack[\/li][li]how to identify the source of a denial-of-service attack[\/li][li]how capabilities can be maintained during a denial-of-service attack[\/li][li]what actions can be taken to respond to a denial-of-service attack.[\/li][\/p]"}],"reference":""}],"reference":""},{"title":"Fax machines and multifunction devices","type":"section","context":"","qty_controls":10,"content":[{"title":"Fax machine and multifunction device usage policy","type":"topic","context":"","qty_controls":1,"content":[{"index":"0588.4","name":"ISM-0588","id":"0588","revision":4,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A fax machine and MFD usage policy is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A fax machine and MFD usage policy is developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Sending fax messages","type":"topic","context":"","qty_controls":2,"content":[{"index":"1092.2","name":"ISM-1092","id":"1092","revision":2,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax 
messages.[\/p]"},{"index":"0241.4","name":"ISM-0241","id":"0241","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure.[\/p]"}],"reference":""},{"title":"Receiving fax messages","type":"topic","context":"","qty_controls":1,"content":[{"index":"1075.2","name":"ISM-1075","id":"1075","revision":2,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is sent and for the receiver to notify the sender if the fax message does not arrive in an agreed amount of time.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is sent and for the receiver to notify the sender if the fax message does not arrive in an agreed amount of time.[\/p]"}],"reference":""},{"title":"Connecting multifunction devices to both networks and digital telephone systems","type":"topic","context":"","qty_controls":1,"content":[{"index":"0245.5","name":"ISM-0245","id":"0245","revision":5,"updated":"Dec-19","timestamp":1577328943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected.[\/p]"}],"reference":""},{"title":"Authenticating to multifunction devices","type":"topic","context":"","qty_controls":2,"content":[{"index":"1854.0","name":"ISM-1854","id":"1854","revision":0,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Users authenticate to MFDs before they can print, scan or copy documents.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Users authenticate to MFDs before they can print, scan or copy documents.[\/p]"},{"index":"0590.8","name":"ISM-0590","id":"0590","revision":8,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Authentication measures for MFDs are the same strength as those used for workstations on networks they are connected to.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Authentication measures for MFDs are the same strength as those used for workstations on networks they are connected to.[\/p]"}],"reference":""},{"title":"Scanning and copying documents on multifunction 
devices","type":"topic","context":"","qty_controls":1,"content":[{"index":"0589.7","name":"ISM-0589","id":"0589","revision":7,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]MFDs are not used to scan or copy documents above the sensitivity or classification of networks they are connected to.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]MFDs are not used to scan or copy documents above the sensitivity or classification of networks they are connected to.[\/p]"}],"reference":""},{"title":"Logging multifunction device use","type":"topic","context":"","qty_controls":1,"content":[{"index":"1855.1","name":"ISM-1855","id":"1855","revision":1,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Use of MFDs for printing, scanning and copying purposes, including the capture of shadow copies of documents, are centrally logged.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Use of MFDs for printing, scanning and copying purposes, including the capture of shadow copies of documents, are centrally logged.[\/p]"}],"reference":""},{"title":"Observing fax machine and multifunction device use","type":"topic","context":"","qty_controls":1,"content":[{"index":"1036.3","name":"ISM-1036","id":"1036","revision":3,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Fax machines and MFDs are located in areas where their use can be observed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Fax machines and MFDs are located in areas where their use can be 
observed.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Enterprise Mobility","type":"guideline","qty_controls":43,"content":[{"title":"Enterprise mobility","type":"section","context":"","qty_controls":7,"content":[{"title":"Privately-owned mobile devices and desktop computers","type":"topic","context":"","qty_controls":4,"content":[{"index":"1297.5","name":"ISM-1297","id":"1297","revision":5,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Legal advice is sought prior to allowing privately-owned mobile devices and desktop computers to access systems or data.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Legal advice is sought prior to allowing privately-owned mobile devices and desktop computers to access systems or data.[\/p]"},{"index":"1400.8","name":"ISM-1400","id":"1400","revision":8,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]Personnel accessing OFFICIAL: Sensitive or PROTECTED systems or data using privately-owned mobile devices or desktop computers have enforced separation of work data from personal data.[\/p]","classificationString":"OS, P","content":"[p]Personnel accessing OFFICIAL: Sensitive or PROTECTED systems or data using privately-owned mobile devices or desktop computers have enforced separation of work data from personal data.[\/p]"},{"index":"1866.0","name":"ISM-1866","id":"1866","revision":0,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]Personnel accessing OFFICIAL: Sensitive or PROTECTED systems or data using privately-owned mobile devices or desktop computers are prevented from storing classified data on 
their privately-owned mobile devices and desktop computers.[\/p]","classificationString":"OS, P","content":"[p]Personnel accessing OFFICIAL: Sensitive or PROTECTED systems or data using privately-owned mobile devices or desktop computers are prevented from storing classified data on their privately-owned mobile devices and desktop computers.[\/p]"},{"index":"0694.8","name":"ISM-0694","id":"0694","revision":8,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Privately-owned mobile devices and desktop computers do not access SECRET and TOP SECRET systems or data.[\/p]","classificationString":"S, TS","content":"[p]Privately-owned mobile devices and desktop computers do not access SECRET and TOP SECRET systems or data.[\/p]"}],"reference":""},{"title":"Organisation-owned mobile devices and desktop computers","type":"topic","context":"","qty_controls":1,"content":[{"index":"1482.7","name":"ISM-1482","id":"1482","revision":7,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel accessing systems or data using an organisation-owned mobile device or desktop computer are either prohibited from using it for personal purposes or have enforced separation of work data from any personal data.[\/p]","classificationString":"OS, P, S, TS","content":"[p]Personnel accessing systems or data using an organisation-owned mobile device or desktop computer are either prohibited from using it for personal purposes or have enforced separation of work data from any personal data.[\/p]"}],"reference":""},{"title":"Connecting mobile devices and desktop computers to the 
internet","type":"topic","context":"","qty_controls":2,"content":[{"index":"0874.6","name":"ISM-0874","id":"0874","revision":6,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Mobile devices and desktop computers access the internet via a VPN connection to an organisation\u2019s internet gateway rather than via a direct connection to the internet.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Mobile devices and desktop computers access the internet via a VPN connection to an organisation\u2019s internet gateway rather than via a direct connection to the internet.[\/p]"},{"index":"0705.4","name":"ISM-0705","id":"0705","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When accessing an organisation\u2019s network via a VPN connection, split tunnelling is disabled.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When accessing an organisation\u2019s network via a VPN connection, split tunnelling is disabled.[\/p]"}],"reference":""}],"reference":""},{"title":"Mobile device management","type":"section","context":"","qty_controls":13,"content":[{"title":"Mobile device management policy","type":"topic","context":"","qty_controls":2,"content":[{"index":"1533.3","name":"ISM-1533","id":"1533","revision":3,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A mobile device management policy is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A mobile device management policy is developed, implemented and 
maintained.[\/p]"},{"index":"1195.2","name":"ISM-1195","id":"1195","revision":2,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Mobile Device Management solutions that have completed a Common Criteria evaluation against the Protection Profile for Mobile Device Management, version 4.0 or later, are used to enforce mobile device management policy.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Mobile Device Management solutions that have completed a Common Criteria evaluation against the Protection Profile for Mobile Device Management, version 4.0 or later, are used to enforce mobile device management policy.[\/p]"}],"reference":""},{"title":"Approved mobile platforms","type":"topic","context":"","qty_controls":2,"content":[{"index":"1867.1","name":"ISM-1867","id":"1867","revision":1,"updated":"Mar-24","timestamp":1711421743,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]Mobile devices that access OFFICIAL: Sensitive or PROTECTED systems or data use mobile platforms that have completed a Common Criteria evaluation against the Protection Profile for Mobile Device Fundamentals, version 3.3 or later, and are operated in accordance with the latest version of their associated ASD security configuration guide.[\/p]","classificationString":"OS, P","content":"[p]Mobile devices that access OFFICIAL: Sensitive or PROTECTED systems or data use mobile platforms that have completed a Common Criteria evaluation against the Protection Profile for Mobile Device Fundamentals, version 3.3 or later, and are operated in accordance with the latest version of their associated ASD security configuration 
guide.[\/p]"},{"index":"0687.10","name":"ISM-0687","id":"0687","revision":10,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Mobile devices that access SECRET or TOP SECRET systems or data use mobile platforms that have been issued an Approval for Use by ASD and are operated in accordance with the latest version of their associated Australian Communications Security Instruction.[\/p]","classificationString":"S, TS","content":"[p]Mobile devices that access SECRET or TOP SECRET systems or data use mobile platforms that have been issued an Approval for Use by ASD and are operated in accordance with the latest version of their associated Australian Communications Security Instruction.[\/p]"}],"reference":""},{"title":"Data storage","type":"topic","context":"","qty_controls":2,"content":[{"index":"0869.5","name":"ISM-0869","id":"0869","revision":5,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Mobile devices encrypt their internal storage and any removable media.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Mobile devices encrypt their internal storage and any removable media.[\/p]"},{"index":"1868.0","name":"ISM-1868","id":"1868","revision":0,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SECRET and TOP SECRET mobile devices do not use removable media unless approved beforehand by ASD.[\/p]","classificationString":"S, TS","content":"[p]SECRET and TOP SECRET mobile devices do not use removable media unless approved beforehand by ASD.[\/p]"}],"reference":""},{"title":"Data 
communications","type":"topic","context":"","qty_controls":1,"content":[{"index":"1085.4","name":"ISM-1085","id":"1085","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Mobile devices encrypt all sensitive or classified data communicated over public network infrastructure.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Mobile devices encrypt all sensitive or classified data communicated over public network infrastructure.[\/p]"}],"reference":""},{"title":"Maintaining mobile device security","type":"topic","context":"","qty_controls":6,"content":[{"index":"1886.0","name":"ISM-1886","id":"1886","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Mobile devices are configured to operate in a supervised (or equivalent) mode.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Mobile devices are configured to operate in a supervised (or equivalent) mode.[\/p]"},{"index":"1887.0","name":"ISM-1887","id":"1887","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Mobile devices are configured with remote locate and wipe functionality.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Mobile devices are configured with remote locate and wipe functionality.[\/p]"},{"index":"1888.0","name":"ISM-1888","id":"1888","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Mobile 
devices are configured with secure lock screens.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Mobile devices are configured with secure lock screens.[\/p]"},{"index":"0863.5","name":"ISM-0863","id":"0863","revision":5,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Mobile devices prevent personnel from installing non-approved applications once provisioned.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Mobile devices prevent personnel from installing non-approved applications once provisioned.[\/p]"},{"index":"0864.4","name":"ISM-0864","id":"0864","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Mobile devices prevent personnel from disabling or modifying security functionality once provisioned.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Mobile devices prevent personnel from disabling or modifying security functionality once provisioned.[\/p]"},{"index":"1366.2","name":"ISM-1366","id":"1366","revision":2,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Security updates are applied to mobile devices as soon as they become available.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Security updates are applied to mobile devices as soon as they become available.[\/p]"}],"reference":""}],"reference":""},{"title":"Mobile device usage","type":"section","context":"","qty_controls":23,"content":[{"title":"Mobile device usage 
policy","type":"topic","context":"","qty_controls":1,"content":[{"index":"1082.3","name":"ISM-1082","id":"1082","revision":3,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A mobile device usage policy is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A mobile device usage policy is developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Personnel awareness","type":"topic","context":"","qty_controls":2,"content":[{"index":"1083.2","name":"ISM-1083","id":"1083","revision":2,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices.[\/p]"},{"index":"1299.4","name":"ISM-1299","id":"1299","revision":4,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel are advised to take the following precautions when using mobile devices:[\/p][ul][li]never leave mobile devices or removable media unattended, including by placing them in checked-in luggage or leaving them in hotel safes[\/li][li]never store credentials with mobile devices that they grant access to, such as in laptop computer bags[\/li][li]never lend mobile devices or removable media to untrusted people, even if briefly[\/li][li]never allow untrusted people to connect 
their mobile devices or removable media to your mobile devices, including for charging[\/li][li]never connect mobile devices to designated charging stations or wall outlet charging ports[\/li][li]never use gifted or unauthorised peripherals, chargers or removable media with mobile devices[\/li][li]never use removable media for data transfers or backups that have not been checked for malicious code beforehand[\/li][li]avoid reuse of removable media once used with other parties\u2019 systems or mobile devices[\/li][li]avoid connecting mobile devices to open or untrusted Wi-Fi networks[\/li][li]consider disabling any communications capabilities of mobile devices when not in use, such as Wi-Fi, Bluetooth, Near Field Communication and ultra-wideband[\/li][li]consider periodically rebooting mobile devices[\/li][li]consider using a VPN connection to encrypt all cellular and wireless communications[\/li][li]consider using encrypted email or messaging apps for all communications.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel are advised to take the following precautions when using mobile devices:[\/p][ul][li]never leave mobile devices or removable media unattended, including by placing them in checked-in luggage or leaving them in hotel safes[\/li][li]never store credentials with mobile devices that they grant access to, such as in laptop computer bags[\/li][li]never lend mobile devices or removable media to untrusted people, even if briefly[\/li][li]never allow untrusted people to connect their mobile devices or removable media to your mobile devices, including for charging[\/li][li]never connect mobile devices to designated charging stations or wall outlet charging ports[\/li][li]never use gifted or unauthorised peripherals, chargers or removable media with mobile devices[\/li][li]never use removable media for data transfers or backups that have not been checked for malicious code beforehand[\/li][li]avoid reuse of removable media once used 
with other parties\u2019 systems or mobile devices[\/li][li]avoid connecting mobile devices to open or untrusted Wi-Fi networks[\/li][li]consider disabling any communications capabilities of mobile devices when not in use, such as Wi-Fi, Bluetooth, Near Field Communication and ultra-wideband[\/li][li]consider periodically rebooting mobile devices[\/li][li]consider using a VPN connection to encrypt all cellular and wireless communications[\/li][li]consider using encrypted email or messaging apps for all communications.[\/li][\/p]"}],"reference":""},{"title":"Using paging, message services and messaging apps","type":"topic","context":"","qty_controls":1,"content":[{"index":"0240.7","name":"ISM-0240","id":"0240","revision":7,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Paging, Multimedia Message Service, Short Message Service and messaging apps are not used to communicate sensitive or classified data.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Paging, Multimedia Message Service, Short Message Service and messaging apps are not used to communicate sensitive or classified data.[\/p]"}],"reference":""},{"title":"Using Bluetooth functionality","type":"topic","context":"","qty_controls":5,"content":[{"index":"1196.3","name":"ISM-1196","id":"1196","revision":3,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]OFFICIAL: Sensitive and PROTECTED mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing.[\/p]","classificationString":"OS, P","content":"[p]OFFICIAL: Sensitive and PROTECTED mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth 
pairing.[\/p]"},{"index":"1200.6","name":"ISM-1200","id":"1200","revision":6,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]Bluetooth pairing for OFFICIAL: Sensitive and PROTECTED mobile devices is performed using Secure Connections, preferably with Numeric Comparison if supported.[\/p]","classificationString":"OS, P","content":"[p]Bluetooth pairing for OFFICIAL: Sensitive and PROTECTED mobile devices is performed using Secure Connections, preferably with Numeric Comparison if supported.[\/p]"},{"index":"1198.3","name":"ISM-1198","id":"1198","revision":3,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]Bluetooth pairing for OFFICIAL: Sensitive and PROTECTED mobile devices is performed in a manner such that connections are only made between intended Bluetooth devices.[\/p]","classificationString":"OS, P","content":"[p]Bluetooth pairing for OFFICIAL: Sensitive and PROTECTED mobile devices is performed in a manner such that connections are only made between intended Bluetooth devices.[\/p]"},{"index":"1199.4","name":"ISM-1199","id":"1199","revision":4,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]Bluetooth pairings for OFFICIAL: Sensitive and PROTECTED mobile devices are removed when there is no longer a requirement for their use.[\/p]","classificationString":"OS, P","content":"[p]Bluetooth pairings for OFFICIAL: Sensitive and PROTECTED mobile devices are removed when there is no longer a requirement for their use.[\/p]"},{"index":"0682.5","name":"ISM-0682","id":"0682","revision":5,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Bluetooth functionality is not enabled on SECRET and TOP SECRET mobile devices.[\/p]","classificationString":"S, TS","content":"[p]Bluetooth functionality is not enabled on SECRET and TOP SECRET mobile devices.[\/p]"}],"reference":""},{"title":"Using mobile devices in public spaces","type":"topic","context":"","qty_controls":3,"content":[{"index":"0866.5","name":"ISM-0866","id":"0866","revision":5,"updated":"Jun-21","timestamp":1624679743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Sensitive or classified data is not viewed or communicated in public locations unless care is taken to reduce the chance of the screen of a mobile device being observed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Sensitive or classified data is not viewed or communicated in public locations unless care is taken to reduce the chance of the screen of a mobile device being observed.[\/p]"},{"index":"1145.4","name":"ISM-1145","id":"1145","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Privacy filters are applied to the screens of SECRET and TOP SECRET mobile devices.[\/p]","classificationString":"S, TS","content":"[p]Privacy filters are applied to the screens of SECRET and TOP SECRET mobile devices.[\/p]"},{"index":"1644.0","name":"ISM-1644","id":"1644","revision":0,"updated":"Jun-21","timestamp":1624679743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Sensitive or classified phone calls are not conducted in public locations unless care is taken to reduce the chance of conversations being overheard.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Sensitive or 
classified phone calls are not conducted in public locations unless care is taken to reduce the chance of conversations being overheard.[\/p]"}],"reference":""},{"title":"Maintaining control of mobile devices","type":"topic","context":"","qty_controls":3,"content":[{"index":"0871.3","name":"ISM-0871","id":"0871","revision":3,"updated":"Apr-19","timestamp":1556250943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Mobile devices are kept under continual direct supervision when being actively used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Mobile devices are kept under continual direct supervision when being actively used.[\/p]"},{"index":"0870.3","name":"ISM-0870","id":"0870","revision":3,"updated":"Apr-19","timestamp":1556250943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Mobile devices are carried or stored in a secured state when not being actively used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Mobile devices are carried or stored in a secured state when not being actively used.[\/p]"},{"index":"1084.4","name":"ISM-1084","id":"1084","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]If unable to carry or store mobile devices in a secured state, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]If unable to carry or store mobile devices in a secured state, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit 
bag.[\/p]"}],"reference":""},{"title":"Mobile device emergency sanitisation processes and procedures","type":"topic","context":"","qty_controls":2,"content":[{"index":"0701.6","name":"ISM-0701","id":"0701","revision":6,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Mobile device emergency sanitisation processes, and supporting mobile device emergency sanitisation procedures, are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Mobile device emergency sanitisation processes, and supporting mobile device emergency sanitisation procedures, are developed, implemented and maintained.[\/p]"},{"index":"0702.5","name":"ISM-0702","id":"0702","revision":5,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]If a cryptographic zeroise or sanitise function is provided for cryptographic keys on a SECRET or TOP SECRET mobile device, the function is used as part of mobile device emergency sanitisation processes and procedures.[\/p]","classificationString":"S, TS","content":"[p]If a cryptographic zeroise or sanitise function is provided for cryptographic keys on a SECRET or TOP SECRET mobile device, the function is used as part of mobile device emergency sanitisation processes and procedures.[\/p]"}],"reference":""},{"title":"Before travelling overseas with mobile devices","type":"topic","context":"","qty_controls":3,"content":[{"index":"1298.2","name":"ISM-1298","id":"1298","revision":2,"updated":"Oct-19","timestamp":1572058543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel are advised of privacy and security risks when travelling overseas with 
mobile devices.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel are advised of privacy and security risks when travelling overseas with mobile devices.[\/p]"},{"index":"1554.1","name":"ISM-1554","id":"1554","revision":1,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]If travelling overseas with mobile devices to high or extreme risk countries, personnel are:[\/p][ul][li]issued with newly provisioned accounts, mobile devices and removable media from a pool of dedicated travel devices which are used solely for work-related activities[\/li][li]advised on how to apply and inspect tamper seals to key areas of mobile devices[\/li][li]advised to avoid taking any personal mobile devices, especially if rooted or jailbroken.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]If travelling overseas with mobile devices to high or extreme risk countries, personnel are:[\/p][ul][li]issued with newly provisioned accounts, mobile devices and removable media from a pool of dedicated travel devices which are used solely for work-related activities[\/li][li]advised on how to apply and inspect tamper seals to key areas of mobile devices[\/li][li]advised to avoid taking any personal mobile devices, especially if rooted or jailbroken.[\/li][\/p]"},{"index":"1555.2","name":"ISM-1555","id":"1555","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Before travelling overseas with mobile devices, personnel take the following actions:[\/p][ul][li]record all details of the mobile devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers[\/li][li]update all operating systems and 
applications[\/li][li]remove all non-essential data, applications and accounts[\/li][li]backup all remaining data, applications and settings.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Before travelling overseas with mobile devices, personnel take the following actions:[\/p][ul][li]record all details of the mobile devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers[\/li][li]update all operating systems and applications[\/li][li]remove all non-essential data, applications and accounts[\/li][li]backup all remaining data, applications and settings.[\/li][\/p]"}],"reference":""},{"title":"While travelling overseas with mobile devices","type":"topic","context":"","qty_controls":1,"content":[{"index":"1088.6","name":"ISM-1088","id":"1088","revision":6,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel report the potential compromise of mobile devices, removable media or credentials to their organisation as soon as possible, especially if they:[\/p][ul][li]provide credentials to foreign government officials[\/li][li]decrypt mobile devices for foreign government officials[\/li][li]have mobile devices taken out of sight by foreign government officials[\/li][li]have mobile devices or removable media stolen, including if later returned[\/li][li]lose mobile devices or removable media, including if later found[\/li][li]observe unusual behaviour of mobile devices.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel report the potential compromise of mobile devices, removable media or credentials to their organisation as soon as possible, especially if they:[\/p][ul][li]provide credentials to foreign government officials[\/li][li]decrypt mobile devices for foreign government officials[\/li][li]have mobile 
devices taken out of sight by foreign government officials[\/li][li]have mobile devices or removable media stolen, including if later returned[\/li][li]lose mobile devices or removable media, including if later found[\/li][li]observe unusual behaviour of mobile devices.[\/li][\/p]"}],"reference":""},{"title":"After travelling overseas with mobile devices","type":"topic","context":"","qty_controls":2,"content":[{"index":"1300.6","name":"ISM-1300","id":"1300","revision":6,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Upon returning from travelling overseas with mobile devices, personnel take the following actions:[\/p][ul][li]sanitise and reset mobile devices, including all removable media[\/li][li]decommission any credentials that left their possession during their travel[\/li][li]report if significant doubt exists as to the integrity of any mobile devices or removable media.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Upon returning from travelling overseas with mobile devices, personnel take the following actions:[\/p][ul][li]sanitise and reset mobile devices, including all removable media[\/li][li]decommission any credentials that left their possession during their travel[\/li][li]report if significant doubt exists as to the integrity of any mobile devices or removable media.[\/li][\/p]"},{"index":"1556.2","name":"ISM-1556","id":"1556","revision":2,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]If returning from travelling overseas with mobile devices to high or extreme risk countries, personnel take the following additional actions:[\/p][ul][li]reset credentials used with mobile devices, including those used for remote 
access to their organisation\u2019s systems[\/li][li]monitor accounts for any indicators of compromise, such as failed logon attempts.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]If returning from travelling overseas with mobile devices to high or extreme risk countries, personnel take the following additional actions:[\/p][ul][li]reset credentials used with mobile devices, including those used for remote access to their organisation\u2019s systems[\/li][li]monitor accounts for any indicators of compromise, such as failed logon attempts.[\/li][\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Evaluated Products","type":"guideline","qty_controls":5,"content":[{"title":"Evaluated product procurement","type":"section","context":"","qty_controls":3,"content":[{"title":"Evaluated product selection","type":"topic","context":"","qty_controls":1,"content":[{"index":"0280.8","name":"ISM-0280","id":"0280","revision":8,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]If procuring an evaluated product, a product that has completed a PP-based evaluation, including against all applicable PP modules, is selected in preference to one that has completed an EAL-based evaluation.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]If procuring an evaluated product, a product that has completed a PP-based evaluation, including against all applicable PP modules, is selected in preference to one that has completed an EAL-based evaluation.[\/p]"}],"reference":""},{"title":"Delivery of evaluated products","type":"topic","context":"","qty_controls":2,"content":[{"index":"0285.1","name":"ISM-0285","id":"0285","revision":1,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation.[\/p]"},{"index":"0286.7","name":"ISM-0286","id":"0286","revision":7,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When procuring high assurance ICT equipment, ASD is contacted for any equipment-specific delivery procedures.[\/p]","classificationString":"S, TS","content":"[p]When procuring high assurance ICT equipment, ASD is contacted for any equipment-specific delivery procedures.[\/p]"}],"reference":""}],"reference":""},{"title":"Evaluated product usage","type":"section","context":"","qty_controls":2,"content":[{"title":"Using evaluated products","type":"topic","context":"","qty_controls":2,"content":[{"index":"0289.3","name":"ISM-0289","id":"0289","revision":3,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Evaluated products are installed, configured, administered and operated in an evaluated configuration and in accordance with vendor guidance.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Evaluated products are installed, configured, administered and operated in an evaluated configuration and in accordance with vendor guidance.[\/p]"},{"index":"0290.8","name":"ISM-0290","id":"0290","revision":8,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]High assurance ICT equipment 
is installed, configured, administered and operated in an evaluated configuration and in accordance with ASD guidance.[\/p]","classificationString":"S, TS","content":"[p]High assurance ICT equipment is installed, configured, administered and operated in an evaluated configuration and in accordance with ASD guidance.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for ICT Equipment","type":"guideline","qty_controls":38,"content":[{"title":"ICT equipment usage","type":"section","context":"","qty_controls":10,"content":[{"title":"ICT equipment management policy","type":"topic","context":"","qty_controls":1,"content":[{"index":"1551.1","name":"ISM-1551","id":"1551","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]An ICT equipment management policy is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]An ICT equipment management policy is developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"ICT equipment selection","type":"topic","context":"","qty_controls":1,"content":[{"index":"1857.0","name":"ISM-1857","id":"1857","revision":0,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ICT equipment is chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]ICT equipment is chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe 
programming languages where possible, secure programming practices, and maintaining the security of their products.[\/p]"}],"reference":""},{"title":"Hardening ICT equipment configurations","type":"topic","context":"","qty_controls":2,"content":[{"index":"1913.0","name":"ISM-1913","id":"1913","revision":0,"updated":"Mar-24","timestamp":1711421743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Approved configurations for ICT equipment are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Approved configurations for ICT equipment are developed, implemented and maintained.[\/p]"},{"index":"1858.2","name":"ISM-1858","id":"1858","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ICT equipment is hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]ICT equipment is hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.[\/p]"}],"reference":""},{"title":"ICT equipment registers","type":"topic","context":"","qty_controls":2,"content":[{"index":"0336.8","name":"ISM-0336","id":"0336","revision":8,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A networked ICT equipment register is developed, implemented, maintained and verified on a regular basis.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A networked ICT equipment register is developed, implemented, maintained and 
verified on a regular basis.[\/p]"},{"index":"1869.0","name":"ISM-1869","id":"1869","revision":0,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A non-networked ICT equipment register is developed, implemented, maintained and verified on a regular basis.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A non-networked ICT equipment register is developed, implemented, maintained and verified on a regular basis.[\/p]"}],"reference":""},{"title":"Labelling ICT equipment","type":"topic","context":"","qty_controls":1,"content":[{"index":"0294.4","name":"ISM-0294","id":"0294","revision":4,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification.[\/p]"}],"reference":""},{"title":"Labelling high assurance ICT equipment","type":"topic","context":"","qty_controls":1,"content":[{"index":"0296.6","name":"ISM-0296","id":"0296","revision":6,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ASD\u2019s approval is sought before applying labels to external surfaces of high assurance ICT equipment.[\/p]","classificationString":"S, TS","content":"[p]ASD\u2019s approval is sought before applying labels to external surfaces of high assurance ICT equipment.[\/p]"}],"reference":""},{"title":"Classifying ICT 
equipment","type":"topic","context":"","qty_controls":1,"content":[{"index":"0293.5","name":"ISM-0293","id":"0293","revision":5,"updated":"Jun-21","timestamp":1624679743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ICT equipment is classified based on the highest sensitivity or classification of data that it is approved for processing, storing or communicating.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]ICT equipment is classified based on the highest sensitivity or classification of data that it is approved for processing, storing or communicating.[\/p]"}],"reference":""},{"title":"Handling ICT equipment","type":"topic","context":"","qty_controls":1,"content":[{"index":"1599.0","name":"ISM-1599","id":"1599","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ICT equipment is handled in a manner suitable for its sensitivity or classification.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]ICT equipment is handled in a manner suitable for its sensitivity or classification.[\/p]"}],"reference":""}],"reference":""},{"title":"ICT equipment maintenance and repairs","type":"section","context":"","qty_controls":6,"content":[{"title":"Maintenance and repairs of high assurance ICT equipment","type":"topic","context":"","qty_controls":1,"content":[{"index":"1079.6","name":"ISM-1079","id":"1079","revision":6,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ASD\u2019s approval is sought before undertaking any maintenance or repairs to high assurance ICT equipment.[\/p]","classificationString":"S, TS","content":"[p]ASD\u2019s approval is sought before 
undertaking any maintenance or repairs to high assurance ICT equipment.[\/p]"}],"reference":""},{"title":"On-site maintenance and repairs","type":"topic","context":"","qty_controls":3,"content":[{"index":"0305.6","name":"ISM-0305","id":"0305","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Maintenance and repairs of ICT equipment is carried out on site by an appropriately cleared technician.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Maintenance and repairs of ICT equipment is carried out on site by an appropriately cleared technician.[\/p]"},{"index":"0307.3","name":"ISM-0307","id":"0307","revision":3,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]If an appropriately cleared technician is not used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]If an appropriately cleared technician is not used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken.[\/p]"},{"index":"0306.6","name":"ISM-0306","id":"0306","revision":6,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]If an appropriately cleared technician is not used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:[\/p][ul][li]is appropriately cleared and briefed[\/li][li]takes due care to ensure that 
data is not disclosed[\/li][li]takes all responsible measures to ensure the integrity of the ICT equipment[\/li][li]has the authority to direct the technician[\/li][li]is sufficiently familiar with the ICT equipment to understand the work being performed.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]If an appropriately cleared technician is not used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:[\/p][ul][li]is appropriately cleared and briefed[\/li][li]takes due care to ensure that data is not disclosed[\/li][li]takes all responsible measures to ensure the integrity of the ICT equipment[\/li][li]has the authority to direct the technician[\/li][li]is sufficiently familiar with the ICT equipment to understand the work being performed.[\/li][\/p]"}],"reference":""},{"title":"Off-site maintenance and repairs","type":"topic","context":"","qty_controls":1,"content":[{"index":"0310.7","name":"ISM-0310","id":"0310","revision":7,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ICT equipment maintained or repaired off site is done so at facilities approved for handling the sensitivity or classification of the ICT equipment.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]ICT equipment maintained or repaired off site is done so at facilities approved for handling the sensitivity or classification of the ICT equipment.[\/p]"}],"reference":""},{"title":"Inspection of ICT equipment following maintenance and repairs","type":"topic","context":"","qty_controls":1,"content":[{"index":"1598.0","name":"ISM-1598","id":"1598","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place.[\/p]"}],"reference":""}],"reference":""},{"title":"ICT equipment sanitisation and destruction","type":"section","context":"","qty_controls":18,"content":[{"title":"ICT equipment sanitisation processes and procedures","type":"topic","context":"","qty_controls":1,"content":[{"index":"0313.6","name":"ISM-0313","id":"0313","revision":6,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ICT equipment sanitisation processes, and supporting ICT equipment sanitisation procedures, are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]ICT equipment sanitisation processes, and supporting ICT equipment sanitisation procedures, are developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"ICT equipment destruction processes and procedures","type":"topic","context":"","qty_controls":1,"content":[{"index":"1741.1","name":"ISM-1741","id":"1741","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ICT equipment destruction processes, and supporting ICT equipment destruction procedures, are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, 
TS","content":"[p]ICT equipment destruction processes, and supporting ICT equipment destruction procedures, are developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Sanitising ICT equipment","type":"topic","context":"","qty_controls":2,"content":[{"index":"0311.6","name":"ISM-0311","id":"0311","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ICT equipment containing media is sanitised by removing the media from the ICT equipment or by sanitising the media in situ.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]ICT equipment containing media is sanitised by removing the media from the ICT equipment or by sanitising the media in situ.[\/p]"},{"index":"1742.0","name":"ISM-1742","id":"1742","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ICT equipment that cannot be sanitised is destroyed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]ICT equipment that cannot be sanitised is destroyed.[\/p]"}],"reference":""},{"title":"Sanitising highly sensitive ICT equipment","type":"topic","context":"","qty_controls":2,"content":[{"index":"1218.4","name":"ISM-1218","id":"1218","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ICT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data, is sanitised in situ.[\/p]","classificationString":"S, TS","content":"[p]ICT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data, is sanitised in 
situ.[\/p]"},{"index":"0312.6","name":"ISM-0312","id":"0312","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ICT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data that cannot be sanitised in situ, is returned to Australia for destruction.[\/p]","classificationString":"S, TS","content":"[p]ICT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data that cannot be sanitised in situ, is returned to Australia for destruction.[\/p]"}],"reference":""},{"title":"Destroying high assurance ICT equipment","type":"topic","context":"","qty_controls":1,"content":[{"index":"0315.8","name":"ISM-0315","id":"0315","revision":8,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]High assurance ICT equipment is destroyed prior to its disposal.[\/p]","classificationString":"S, TS","content":"[p]High assurance ICT equipment is destroyed prior to its disposal.[\/p]"}],"reference":""},{"title":"Sanitising printers and multifunction devices","type":"topic","context":"","qty_controls":6,"content":[{"index":"0317.3","name":"ISM-0317","id":"0317","revision":3,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print 
drum.[\/p]"},{"index":"1219.2","name":"ISM-1219","id":"1219","revision":2,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or a print is visible on the image transfer roller.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or a print is visible on the image transfer roller.[\/p]"},{"index":"1220.2","name":"ISM-1220","id":"1220","revision":2,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Printer and MFD platens are inspected and destroyed if any text or images are retained on the platen.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Printer and MFD platens are inspected and destroyed if any text or images are retained on the platen.[\/p]"},{"index":"1221.1","name":"ISM-1221","id":"1221","revision":1,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam.[\/p]"},{"index":"0318.3","name":"ISM-0318","id":"0318","revision":3,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices.[\/p]"},{"index":"1534.0","name":"ISM-1534","id":"1534","revision":0,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Printer ribbons in printers and MFDs are removed and destroyed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Printer ribbons in printers and MFDs are removed and destroyed.[\/p]"}],"reference":""},{"title":"Sanitising televisions and computer monitors","type":"topic","context":"","qty_controls":2,"content":[{"index":"1076.2","name":"ISM-1076","id":"1076","revision":2,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time.[\/p]"},{"index":"1222.1","name":"ISM-1222","id":"1222","revision":1,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Televisions and computer monitors that cannot be sanitised 
are destroyed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Televisions and computer monitors that cannot be sanitised are destroyed.[\/p]"}],"reference":""},{"title":"Sanitising network devices","type":"topic","context":"","qty_controls":1,"content":[{"index":"1223.6","name":"ISM-1223","id":"1223","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Memory in network devices is sanitised using the following processes, in order of preference:[\/p][ul][li]following device-specific guidance provided in evaluation documentation[\/li][li]following vendor sanitisation guidance[\/li][li]loading a dummy configuration file, performing a factory reset and then reinstalling firmware.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Memory in network devices is sanitised using the following processes, in order of preference:[\/p][ul][li]following device-specific guidance provided in evaluation documentation[\/li][li]following vendor sanitisation guidance[\/li][li]loading a dummy configuration file, performing a factory reset and then reinstalling firmware.[\/li][\/p]"}],"reference":""},{"title":"Sanitising fax machines","type":"topic","context":"","qty_controls":2,"content":[{"index":"1225.2","name":"ISM-1225","id":"1225","revision":2,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The paper tray of the fax machine is removed, and a fax message with a minimum length 
of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed.[\/p]"},{"index":"1226.2","name":"ISM-1226","id":"1226","revision":2,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam.[\/p]"}],"reference":""}],"reference":""},{"title":"ICT equipment disposal","type":"section","context":"","qty_controls":4,"content":[{"title":"ICT equipment disposal processes and procedures","type":"topic","context":"","qty_controls":1,"content":[{"index":"1550.2","name":"ISM-1550","id":"1550","revision":2,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ICT equipment disposal processes, and supporting ICT equipment disposal procedures, are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]ICT equipment disposal processes, and supporting ICT equipment disposal procedures, are developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Disposal of ICT equipment","type":"topic","context":"","qty_controls":3,"content":[{"index":"1217.2","name":"ISM-1217","id":"1217","revision":2,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate ICT equipment with its prior use 
are removed prior to its disposal.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate ICT equipment with its prior use are removed prior to its disposal.[\/p]"},{"index":"0321.5","name":"ISM-0321","id":"0321","revision":5,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When disposing of ICT equipment that has been designed or modified to meet emanation security standards, ASD is contacted for requirements relating to its disposal.[\/p]","classificationString":"S, TS","content":"[p]When disposing of ICT equipment that has been designed or modified to meet emanation security standards, ASD is contacted for requirements relating to its disposal.[\/p]"},{"index":"0316.3","name":"ISM-0316","id":"0316","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Following sanitisation, destruction or declassification, a formal administrative decision is made to release ICT equipment, or its waste, into the public domain.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Following sanitisation, destruction or declassification, a formal administrative decision is made to release ICT equipment, or its waste, into the public domain.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Media","type":"guideline","qty_controls":54,"content":[{"title":"Media usage","type":"section","context":"","qty_controls":14,"content":[{"title":"Media management 
policy","type":"topic","context":"","qty_controls":1,"content":[{"index":"1549.1","name":"ISM-1549","id":"1549","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A media management policy is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A media management policy is developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Removable media usage policy","type":"topic","context":"","qty_controls":1,"content":[{"index":"1359.4","name":"ISM-1359","id":"1359","revision":4,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A removable media usage policy is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A removable media usage policy is developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Removable media register","type":"topic","context":"","qty_controls":1,"content":[{"index":"1713.2","name":"ISM-1713","id":"1713","revision":2,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A removable media register is developed, implemented, maintained and verified on a regular basis.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A removable media register is developed, implemented, maintained and verified on a regular basis.[\/p]"}],"reference":""},{"title":"Labelling 
media","type":"topic","context":"","qty_controls":1,"content":[{"index":"0332.4","name":"ISM-0332","id":"0332","revision":4,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification.[\/p]"}],"reference":""},{"title":"Classifying media","type":"topic","context":"","qty_controls":2,"content":[{"index":"0323.8","name":"ISM-0323","id":"0323","revision":8,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Media is classified to the highest sensitivity or classification of data it stores, unless the media has been classified to a higher sensitivity or classification.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Media is classified to the highest sensitivity or classification of data it stores, unless the media has been classified to a higher sensitivity or classification.[\/p]"},{"index":"0337.6","name":"ISM-0337","id":"0337","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Media is only used with systems that are authorised to process, store or communicate its sensitivity or classification.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Media is only used with systems that are 
authorised to process, store or communicate its sensitivity or classification.[\/p]"}],"reference":""},{"title":"Reclassifying media","type":"topic","context":"","qty_controls":2,"content":[{"index":"0325.6","name":"ISM-0325","id":"0325","revision":6,"updated":"Apr-21","timestamp":1619409343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Any media connected to a system with a higher sensitivity or classification than the media is reclassified to the higher sensitivity or classification, unless the media is read-only or the system has a mechanism through which read-only access can be ensured.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Any media connected to a system with a higher sensitivity or classification than the media is reclassified to the higher sensitivity or classification, unless the media is read-only or the system has a mechanism through which read-only access can be ensured.[\/p]"},{"index":"0330.7","name":"ISM-0330","id":"0330","revision":7,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Before reclassifying media to a lower sensitivity or classification, the media is sanitised or destroyed, and a formal administrative decision is made to reclassify it.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Before reclassifying media to a lower sensitivity or classification, the media is sanitised or destroyed, and a formal administrative decision is made to reclassify it.[\/p]"}],"reference":""},{"title":"Handling media","type":"topic","context":"","qty_controls":2,"content":[{"index":"0831.5","name":"ISM-0831","id":"0831","revision":5,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Media is handled in a manner suitable for its sensitivity or classification.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Media is handled in a manner suitable for its sensitivity or classification.[\/p]"},{"index":"1059.4","name":"ISM-1059","id":"1059","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]All data stored on media is encrypted.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]All data stored on media is encrypted.[\/p]"}],"reference":""},{"title":"Sanitising media before first use","type":"topic","context":"","qty_controls":2,"content":[{"index":"1600.1","name":"ISM-1600","id":"1600","revision":1,"updated":"Apr-21","timestamp":1619409343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Media is sanitised before it is used for the first time.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Media is sanitised before it is used for the first time.[\/p]"},{"index":"1642.0","name":"ISM-1642","id":"1642","revision":0,"updated":"Apr-21","timestamp":1619409343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Media is sanitised before it is reused in a different security domain.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Media is sanitised before it is reused in a different security domain.[\/p]"}],"reference":""},{"title":"Using media for data 
transfers","type":"topic","context":"","qty_controls":2,"content":[{"index":"0347.5","name":"ISM-0347","id":"0347","revision":5,"updated":"Apr-21","timestamp":1619409343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When transferring data manually between two systems belonging to different security domains, write-once media is used unless the destination system has a mechanism through which read-only access can be ensured.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When transferring data manually between two systems belonging to different security domains, write-once media is used unless the destination system has a mechanism through which read-only access can be ensured.[\/p]"},{"index":"0947.6","name":"ISM-0947","id":"0947","revision":6,"updated":"Apr-21","timestamp":1619409343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When transferring data manually between two systems belonging to different security domains, rewritable media is sanitised after each data transfer.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When transferring data manually between two systems belonging to different security domains, rewritable media is sanitised after each data transfer.[\/p]"}],"reference":""}],"reference":""},{"title":"Media sanitisation","type":"section","context":"","qty_controls":14,"content":[{"title":"Media sanitisation processes and procedures","type":"topic","context":"","qty_controls":1,"content":[{"index":"0348.5","name":"ISM-0348","id":"0348","revision":5,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Media sanitisation processes, 
and supporting media sanitisation procedures, are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Media sanitisation processes, and supporting media sanitisation procedures, are developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Volatile media sanitisation","type":"topic","context":"","qty_controls":2,"content":[{"index":"0351.6","name":"ISM-0351","id":"0351","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Volatile media is sanitised by removing its power for at least 10 minutes.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Volatile media is sanitised by removing its power for at least 10 minutes.[\/p]"},{"index":"0352.4","name":"ISM-0352","id":"0352","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SECRET and TOP SECRET volatile media is sanitised by overwriting it at least once in its entirety with a random pattern followed by a read back for verification.[\/p]","classificationString":"S, TS","content":"[p]SECRET and TOP SECRET volatile media is sanitised by overwriting it at least once in its entirety with a random pattern followed by a read back for verification.[\/p]"}],"reference":""},{"title":"Treatment of volatile media following sanitisation","type":"topic","context":"","qty_controls":1,"content":[{"index":"0835.4","name":"ISM-0835","id":"0835","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]Following sanitisation, TOP SECRET volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same 
memory location for an extended period of time.[\/p]","classificationString":"TS","content":"[p]Following sanitisation, TOP SECRET volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time.[\/p]"}],"reference":""},{"title":"Non-volatile magnetic media sanitisation","type":"topic","context":"","qty_controls":3,"content":[{"index":"0354.6","name":"ISM-0354","id":"0354","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Non-volatile magnetic media is sanitised by overwriting it at least once (or three times if pre-2001 or under 15 GB) in its entirety with a random pattern followed by a read back for verification.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Non-volatile magnetic media is sanitised by overwriting it at least once (or three times if pre-2001 or under 15 GB) in its entirety with a random pattern followed by a read back for verification.[\/p]"},{"index":"1065.3","name":"ISM-1065","id":"1065","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The host-protected area and device configuration overlay table are reset prior to the sanitisation of non-volatile magnetic hard drives.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The host-protected area and device configuration overlay table are reset prior to the sanitisation of non-volatile magnetic hard drives.[\/p]"},{"index":"1067.4","name":"ISM-1067","id":"1067","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The ATA secure erase command is used, in addition to block overwriting software, to ensure the growth defects table of non-volatile magnetic hard drives is overwritten.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The ATA secure erase command is used, in addition to block overwriting software, to ensure the growth defects table of non-volatile magnetic hard drives is overwritten.[\/p]"}],"reference":""},{"title":"Treatment of non-volatile magnetic media following sanitisation","type":"topic","context":"","qty_controls":1,"content":[{"index":"0356.6","name":"ISM-0356","id":"0356","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Following sanitisation, SECRET and TOP SECRET non-volatile magnetic media retains its classification.[\/p]","classificationString":"S, TS","content":"[p]Following sanitisation, SECRET and TOP SECRET non-volatile magnetic media retains its classification.[\/p]"}],"reference":""},{"title":"Non-volatile erasable programmable read-only memory media sanitisation","type":"topic","context":"","qty_controls":1,"content":[{"index":"0357.5","name":"ISM-0357","id":"0357","revision":5,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Non-volatile EPROM media is sanitised by applying three times the manufacturer\u2019s specified ultraviolet erasure time and then overwriting it at least once in its entirety with a random pattern followed by a read back for verification.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Non-volatile EPROM media is sanitised by applying three times the manufacturer\u2019s specified ultraviolet erasure time and then overwriting it at 
least once in its entirety with a random pattern followed by a read back for verification.[\/p]"}],"reference":""},{"title":"Non-volatile electrically erasable programmable read-only memory media sanitisation","type":"topic","context":"","qty_controls":1,"content":[{"index":"0836.3","name":"ISM-0836","id":"0836","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Non-volatile EEPROM media is sanitised by overwriting it at least once in its entirety with a random pattern followed by a read back for verification.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Non-volatile EEPROM media is sanitised by overwriting it at least once in its entirety with a random pattern followed by a read back for verification.[\/p]"}],"reference":""},{"title":"Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation","type":"topic","context":"","qty_controls":1,"content":[{"index":"0358.6","name":"ISM-0358","id":"0358","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Following sanitisation, SECRET and TOP SECRET non-volatile EPROM and EEPROM media retains its classification.[\/p]","classificationString":"S, TS","content":"[p]Following sanitisation, SECRET and TOP SECRET non-volatile EPROM and EEPROM media retains its classification.[\/p]"}],"reference":""},{"title":"Non-volatile flash memory media sanitisation","type":"topic","context":"","qty_controls":1,"content":[{"index":"0359.4","name":"ISM-0359","id":"0359","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Non-volatile flash memory media is sanitised by overwriting it at least twice in its entirety with a random pattern followed by a read back for verification.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Non-volatile flash memory media is sanitised by overwriting it at least twice in its entirety with a random pattern followed by a read back for verification.[\/p]"}],"reference":""},{"title":"Treatment of non-volatile flash memory media following sanitisation","type":"topic","context":"","qty_controls":1,"content":[{"index":"0360.6","name":"ISM-0360","id":"0360","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Following sanitisation, SECRET and TOP SECRET non-volatile flash memory media retains its classification.[\/p]","classificationString":"S, TS","content":"[p]Following sanitisation, SECRET and TOP SECRET non-volatile flash memory media retains its classification.[\/p]"}],"reference":""},{"title":"Media that cannot be successfully sanitised","type":"topic","context":"","qty_controls":1,"content":[{"index":"1735.0","name":"ISM-1735","id":"1735","revision":0,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Faulty or damaged media that cannot be successfully sanitised is destroyed prior to its disposal.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Faulty or damaged media that cannot be successfully sanitised is destroyed prior to its disposal.[\/p]"}],"reference":""}],"reference":""},{"title":"Media destruction","type":"section","context":"","qty_controls":23,"content":[{"title":"Media destruction processes and 
procedures","type":"topic","context":"","qty_controls":1,"content":[{"index":"0363.4","name":"ISM-0363","id":"0363","revision":4,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Media destruction processes, and supporting media destruction procedures, are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Media destruction processes, and supporting media destruction procedures, are developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Media that cannot be sanitised","type":"topic","context":"","qty_controls":1,"content":[{"index":"0350.5","name":"ISM-0350","id":"0350","revision":5,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The following media types are destroyed prior to their disposal:[\/p][ul][li]microfiche and microfilm[\/li][li]optical discs[\/li][li]programmable read-only memory[\/li][li]read-only memory[\/li][li]other types of media that cannot be sanitised.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The following media types are destroyed prior to their disposal:[\/p][ul][li]microfiche and microfilm[\/li][li]optical discs[\/li][li]programmable read-only memory[\/li][li]read-only memory[\/li][li]other types of media that cannot be sanitised.[\/li][\/p]"}],"reference":""},{"title":"Media destruction equipment","type":"topic","context":"","qty_controls":2,"content":[{"index":"1361.3","name":"ISM-1361","id":"1361","revision":3,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Security 
Construction and Equipment Committee-approved equipment or ASIO-approved equipment is used when destroying media.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Security Construction and Equipment Committee-approved equipment or ASIO-approved equipment is used when destroying media.[\/p]"},{"index":"1160.2","name":"ISM-1160","id":"1160","revision":2,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]If using degaussers to destroy media, degaussers evaluated by the United States\u2019 National Security Agency are used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]If using degaussers to destroy media, degaussers evaluated by the United States\u2019 National Security Agency are used.[\/p]"}],"reference":""},{"title":"Media destruction methods","type":"topic","context":"","qty_controls":8,"content":[{"index":"1517.0","name":"ISM-1517","id":"1517","revision":0,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm.[\/p]"},{"index":"1722.1","name":"ISM-1722","id":"1722","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Electrostatic memory devices are destroyed using a furnace\/incinerator, hammer mill, disintegrator or grinder\/sander.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Electrostatic memory devices are destroyed using a furnace\/incinerator, hammer mill, disintegrator or grinder\/sander.[\/p]"},{"index":"1723.1","name":"ISM-1723","id":"1723","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Magnetic floppy disks are destroyed using a furnace\/incinerator, hammer mill, disintegrator, degausser or by cutting.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Magnetic floppy disks are destroyed using a furnace\/incinerator, hammer mill, disintegrator, degausser or by cutting.[\/p]"},{"index":"1724.1","name":"ISM-1724","id":"1724","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Magnetic hard disks are destroyed using a furnace\/incinerator, hammer mill, disintegrator, grinder\/sander or degausser.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Magnetic hard disks are destroyed using a furnace\/incinerator, hammer mill, disintegrator, grinder\/sander or degausser.[\/p]"},{"index":"1725.1","name":"ISM-1725","id":"1725","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Magnetic tapes are destroyed using a furnace\/incinerator, hammer mill, disintegrator, degausser or by cutting.[\/p]","classificationString":"O, OS, P, S, 
TS","content":"[p]Magnetic tapes are destroyed using a furnace\/incinerator, hammer mill, disintegrator, degausser or by cutting.[\/p]"},{"index":"1726.1","name":"ISM-1726","id":"1726","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Optical disks are destroyed using a furnace\/incinerator, hammer mill, disintegrator, grinder\/sander or by cutting.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Optical disks are destroyed using a furnace\/incinerator, hammer mill, disintegrator, grinder\/sander or by cutting.[\/p]"},{"index":"1727.1","name":"ISM-1727","id":"1727","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Semiconductor memory is destroyed using a furnace\/incinerator, hammer mill or disintegrator.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Semiconductor memory is destroyed using a furnace\/incinerator, hammer mill or disintegrator.[\/p]"},{"index":"0368.8","name":"ISM-0368","id":"0368","revision":8,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Media destroyed using a hammer mill, disintegrator, grinder\/sander or by cutting results in media waste particles no larger than 9 mm.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Media destroyed using a hammer mill, disintegrator, grinder\/sander or by cutting results in media waste particles no larger than 9 mm.[\/p]"}],"reference":""},{"title":"Treatment of media waste 
particles","type":"topic","context":"","qty_controls":2,"content":[{"index":"1728.0","name":"ISM-1728","id":"1728","revision":0,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET"},"applicability":"","statement":"[p]The resulting media waste particles from the destruction of SECRET media is stored and handled as OFFICIAL if less than or equal to 3 mm, PROTECTED if greater than 3 mm and less than or equal to 6 mm, or SECRET if greater than 6 mm and less than or equal to 9 mm.[\/p]","classificationString":"S","content":"[p]The resulting media waste particles from the destruction of SECRET media is stored and handled as OFFICIAL if less than or equal to 3 mm, PROTECTED if greater than 3 mm and less than or equal to 6 mm, or SECRET if greater than 6 mm and less than or equal to 9 mm.[\/p]"},{"index":"1729.0","name":"ISM-1729","id":"1729","revision":0,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]The resulting media waste particles from the destruction of TOP SECRET media is stored and handled as OFFICIAL if less than or equal to 3 mm, or SECRET if greater than 3 mm and less than or equal to 9 mm.[\/p]","classificationString":"TS","content":"[p]The resulting media waste particles from the destruction of TOP SECRET media is stored and handled as OFFICIAL if less than or equal to 3 mm, or SECRET if greater than 3 mm and less than or equal to 9 mm.[\/p]"}],"reference":""},{"title":"Degaussing magnetic media","type":"topic","context":"","qty_controls":3,"content":[{"index":"0361.4","name":"ISM-0361","id":"0361","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Magnetic media is destroyed using a degausser with a suitable magnetic field strength and magnetic 
orientation.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Magnetic media is destroyed using a degausser with a suitable magnetic field strength and magnetic orientation.[\/p]"},{"index":"0362.4","name":"ISM-0362","id":"0362","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Product-specific directions provided by degausser manufacturers are followed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Product-specific directions provided by degausser manufacturers are followed.[\/p]"},{"index":"1641.2","name":"ISM-1641","id":"1641","revision":2,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Following the use of a degausser, magnetic media is physically damaged by deforming any internal platters.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Following the use of a degausser, magnetic media is physically damaged by deforming any internal platters.[\/p]"}],"reference":""},{"title":"Supervision of destruction","type":"topic","context":"","qty_controls":2,"content":[{"index":"0370.6","name":"ISM-0370","id":"0370","revision":6,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The destruction of media is performed under the supervision of at least one cleared person.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The destruction of media is performed under the supervision of at least one cleared 
person.[\/p]"},{"index":"0371.4","name":"ISM-0371","id":"0371","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel supervising the destruction of media supervise its handling to the point of destruction and ensure that the destruction is completed successfully.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel supervising the destruction of media supervise its handling to the point of destruction and ensure that the destruction is completed successfully.[\/p]"}],"reference":""},{"title":"Supervision of accountable material destruction","type":"topic","context":"","qty_controls":2,"content":[{"index":"0372.6","name":"ISM-0372","id":"0372","revision":6,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The destruction of media storing accountable material is performed under the supervision of at least two cleared personnel.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The destruction of media storing accountable material is performed under the supervision of at least two cleared personnel.[\/p]"},{"index":"0373.4","name":"ISM-0373","id":"0373","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Personnel supervising the destruction of media storing accountable material supervise its handling to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Personnel supervising the destruction of media storing 
accountable material supervise its handling to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards.[\/p]"}],"reference":""},{"title":"Outsourcing media destruction","type":"topic","context":"","qty_controls":2,"content":[{"index":"0839.3","name":"ISM-0839","id":"0839","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The destruction of media storing accountable material is not outsourced.[\/p]","classificationString":"OS, P, S, TS","content":"[p]The destruction of media storing accountable material is not outsourced.[\/p]"},{"index":"0840.4","name":"ISM-0840","id":"0840","revision":4,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET"},"applicability":"","statement":"[p]When outsourcing the destruction of media storing non-accountable material, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO\u2019s Protective Security Circular-167, is used.[\/p]","classificationString":"OS, P, S","content":"[p]When outsourcing the destruction of media storing non-accountable material, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO\u2019s Protective Security Circular-167, is used.[\/p]"}],"reference":""}],"reference":""},{"title":"Media disposal","type":"section","context":"","qty_controls":3,"content":[{"title":"Media disposal processes and procedures","type":"topic","context":"","qty_controls":1,"content":[{"index":"0374.4","name":"ISM-0374","id":"0374","revision":4,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Media disposal processes, and supporting media disposal procedures, are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Media disposal processes, and supporting media disposal procedures, are developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Disposal of media","type":"topic","context":"","qty_controls":2,"content":[{"index":"0378.4","name":"ISM-0378","id":"0378","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate media with its prior use are removed prior to its disposal.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate media with its prior use are removed prior to its disposal.[\/p]"},{"index":"0375.6","name":"ISM-0375","id":"0375","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Following sanitisation, destruction or declassification, a formal administrative decision is made to release media, or its waste, into the public domain.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Following sanitisation, destruction or declassification, a formal administrative decision is made to release media, or its waste, into the public domain.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for System Hardening","type":"guideline","qty_controls":169,"content":[{"title":"Operating system 
hardening","type":"section","context":"","qty_controls":48,"content":[{"title":"Operating system selection","type":"topic","context":"","qty_controls":1,"content":[{"index":"1743.1","name":"ISM-1743","id":"1743","revision":1,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Operating systems are chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Operating systems are chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products.[\/p]"}],"reference":""},{"title":"Operating system releases and versions","type":"topic","context":"","qty_controls":2,"content":[{"index":"1407.5","name":"ISM-1407","id":"1407","revision":5,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The latest release, or the previous release, of operating systems are used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The latest release, or the previous release, of operating systems are used.[\/p]"},{"index":"1408.5","name":"ISM-1408","id":"1408","revision":5,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Where supported, 64-bit versions of operating systems are 
used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Where supported, 64-bit versions of operating systems are used.[\/p]"}],"reference":""},{"title":"Standard Operating Environments","type":"topic","context":"","qty_controls":3,"content":[{"index":"1406.2","name":"ISM-1406","id":"1406","revision":2,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SOEs are used for workstations and servers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]SOEs are used for workstations and servers.[\/p]"},{"index":"1608.1","name":"ISM-1608","id":"1608","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SOEs provided by third parties are scanned for malicious code and configurations.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]SOEs provided by third parties are scanned for malicious code and configurations.[\/p]"},{"index":"1588.0","name":"ISM-1588","id":"1588","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SOEs are reviewed and updated at least annually.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]SOEs are reviewed and updated at least annually.[\/p]"}],"reference":""},{"title":"Hardening operating system configurations","type":"topic","context":"","qty_controls":11,"content":[{"index":"1914.0","name":"ISM-1914","id":"1914","revision":0,"updated":"Mar-24","timestamp":1711421743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Approved configurations for operating systems are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Approved configurations for operating systems are developed, implemented and maintained.[\/p]"},{"index":"1409.4","name":"ISM-1409","id":"1409","revision":4,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Operating systems are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Operating systems are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.[\/p]"},{"index":"0380.9","name":"ISM-0380","id":"0380","revision":9,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unneeded accounts, components, services and functionality of operating systems are disabled or removed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unneeded accounts, components, services and functionality of operating systems are disabled or removed.[\/p]"},{"index":"0383.8","name":"ISM-0383","id":"0383","revision":8,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Default accounts or credentials for operating systems, including for any pre-configured accounts, are changed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Default accounts or credentials for operating systems, including for any pre-configured 
accounts, are changed.[\/p]"},{"index":"0341.4","name":"ISM-0341","id":"0341","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Automatic execution features for removable media are disabled.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Automatic execution features for removable media are disabled.[\/p]"},{"index":"1654.0","name":"ISM-1654","id":"1654","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Internet Explorer 11 is disabled or removed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Internet Explorer 11 is disabled or removed.[\/p]"},{"index":"1655.0","name":"ISM-1655","id":"1655","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p].NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p].NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.[\/p]"},{"index":"1492.2","name":"ISM-1492","id":"1492","revision":2,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Operating system exploit protection functionality is enabled.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Operating system exploit protection functionality is 
enabled.[\/p]"},{"index":"1745.0","name":"ISM-1745","id":"1745","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Early Launch Antimalware, Secure Boot, Trusted Boot and Measured Boot functionality is enabled.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Early Launch Antimalware, Secure Boot, Trusted Boot and Measured Boot functionality is enabled.[\/p]"},{"index":"1584.1","name":"ISM-1584","id":"1584","revision":1,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unprivileged users are prevented from bypassing, disabling or modifying security functionality of operating systems.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unprivileged users are prevented from bypassing, disabling or modifying security functionality of operating systems.[\/p]"},{"index":"1491.3","name":"ISM-1491","id":"1491","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unprivileged users are prevented from running script execution engines, including:[\/p][ul][li]Windows Script Host (cscript.exe and wscript.exe)[\/li][li]PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)[\/li][li]Command Prompt (cmd.exe)[\/li][li]Windows Management Instrumentation (wmic.exe)[\/li][li]Microsoft Hypertext Markup Language (HTML) Application Host (mshta.exe).[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unprivileged users are prevented from running script execution engines, including:[\/p][ul][li]Windows Script Host (cscript.exe and 
wscript.exe)[\/li][li]PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)[\/li][li]Command Prompt (cmd.exe)[\/li][li]Windows Management Instrumentation (wmic.exe)[\/li][li]Microsoft Hypertext Markup Language (HTML) Application Host (mshta.exe).[\/li][\/p]"}],"reference":""},{"title":"Application management","type":"topic","context":"","qty_controls":2,"content":[{"index":"1592.1","name":"ISM-1592","id":"1592","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unprivileged users do not have the ability to install unapproved software.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unprivileged users do not have the ability to install unapproved software.[\/p]"},{"index":"0382.7","name":"ISM-0382","id":"0382","revision":7,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unprivileged users do not have the ability to uninstall or disable approved software.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unprivileged users do not have the ability to uninstall or disable approved software.[\/p]"}],"reference":""},{"title":"Application control","type":"topic","context":"","qty_controls":16,"content":[{"index":"0843.9","name":"ISM-0843","id":"0843","revision":9,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Application control is implemented on workstations.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Application control is implemented on 
workstations.[\/p]"},{"index":"1490.3","name":"ISM-1490","id":"1490","revision":3,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Application control is implemented on internet-facing servers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Application control is implemented on internet-facing servers.[\/p]"},{"index":"1656.0","name":"ISM-1656","id":"1656","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Application control is implemented on non-internet-facing servers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Application control is implemented on non-internet-facing servers.[\/p]"},{"index":"1870.0","name":"ISM-1870","id":"1870","revision":0,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients.[\/p]"},{"index":"1871.0","name":"ISM-1871","id":"1871","revision":0,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers and email 
clients.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers and email clients.[\/p]"},{"index":"1657.0","name":"ISM-1657","id":"1657","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.[\/p]"},{"index":"1658.0","name":"ISM-1658","id":"1658","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Application control restricts the execution of drivers to an organisation-approved set.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Application control restricts the execution of drivers to an organisation-approved set.[\/p]"},{"index":"0955.6","name":"ISM-0955","id":"0955","revision":6,"updated":"Apr-20","timestamp":1587873343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Application control is implemented using cryptographic hash rules, publisher certificate 
rules or path rules.[\/p]"},{"index":"1471.2","name":"ISM-1471","id":"1471","revision":2,"updated":"Apr-20","timestamp":1587873343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When implementing application control using publisher certificate rules, both publisher names and product names are used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When implementing application control using publisher certificate rules, both publisher names and product names are used.[\/p]"},{"index":"1392.4","name":"ISM-1392","id":"1392","revision":4,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When implementing application control using path rules, only approved users can modify approved files and write to approved folders.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When implementing application control using path rules, only approved users can modify approved files and write to approved folders.[\/p]"},{"index":"1746.1","name":"ISM-1746","id":"1746","revision":1,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When implementing application control using path rules, only approved users can change file system permissions for approved files and folders.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When implementing application control using path rules, only approved users can change file system permissions for approved files and 
folders.[\/p]"},{"index":"1544.3","name":"ISM-1544","id":"1544","revision":3,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Microsoft\u2019s recommended application blocklist is implemented.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft\u2019s recommended application blocklist is implemented.[\/p]"},{"index":"1659.1","name":"ISM-1659","id":"1659","revision":1,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Microsoft\u2019s vulnerable driver blocklist is implemented.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft\u2019s vulnerable driver blocklist is implemented.[\/p]"},{"index":"1582.1","name":"ISM-1582","id":"1582","revision":1,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Application control rulesets are validated on an annual or more frequent basis.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Application control rulesets are validated on an annual or more frequent basis.[\/p]"},{"index":"0846.8","name":"ISM-0846","id":"0846","revision":8,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]All users (with the exception of local administrator accounts and break glass accounts) cannot disable, bypass or be exempted from application control.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]All users (with the exception of local administrator accounts and 
break glass accounts) cannot disable, bypass or be exempted from application control.[\/p]"},{"index":"1660.2","name":"ISM-1660","id":"1660","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Allowed and blocked application control events are centrally logged.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Allowed and blocked application control events are centrally logged.[\/p]"}],"reference":""},{"title":"Command Shell","type":"topic","context":"","qty_controls":1,"content":[{"index":"1889.0","name":"ISM-1889","id":"1889","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Command line process creation events are centrally logged.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Command line process creation events are centrally logged.[\/p]"}],"reference":""},{"title":"PowerShell","type":"topic","context":"","qty_controls":4,"content":[{"index":"1621.1","name":"ISM-1621","id":"1621","revision":1,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Windows PowerShell 2.0 is disabled or removed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Windows PowerShell 2.0 is disabled or removed.[\/p]"},{"index":"1622.0","name":"ISM-1622","id":"1622","revision":0,"updated":"Oct-20","timestamp":1603680943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]PowerShell is configured to use Constrained Language 
Mode.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]PowerShell is configured to use Constrained Language Mode.[\/p]"},{"index":"1623.1","name":"ISM-1623","id":"1623","revision":1,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]PowerShell module logging, script block logging and transcription events are centrally logged.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]PowerShell module logging, script block logging and transcription events are centrally logged.[\/p]"},{"index":"1624.0","name":"ISM-1624","id":"1624","revision":0,"updated":"Oct-20","timestamp":1603680943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]PowerShell script block logs are protected by Protected Event Logging functionality.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]PowerShell script block logs are protected by Protected Event Logging functionality.[\/p]"}],"reference":""},{"title":"Host-based Intrusion Prevention System","type":"topic","context":"","qty_controls":2,"content":[{"index":"1341.2","name":"ISM-1341","id":"1341","revision":2,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A HIPS is implemented on workstations.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A HIPS is implemented on workstations.[\/p]"},{"index":"1034.7","name":"ISM-1034","id":"1034","revision":7,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A HIPS is implemented 
on critical servers and high-value servers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A HIPS is implemented on critical servers and high-value servers.[\/p]"}],"reference":""},{"title":"Software firewall","type":"topic","context":"","qty_controls":1,"content":[{"index":"1416.3","name":"ISM-1416","id":"1416","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A software firewall is implemented on workstations and servers to restrict inbound and outbound network connections to an organisation-approved set of applications and services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A software firewall is implemented on workstations and servers to restrict inbound and outbound network connections to an organisation-approved set of applications and services.[\/p]"}],"reference":""},{"title":"Antivirus software","type":"topic","context":"","qty_controls":1,"content":[{"index":"1417.4","name":"ISM-1417","id":"1417","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Antivirus software is implemented on workstations and servers with:[\/p][ul][li]signature-based detection functionality enabled and set to a high level[\/li][li]heuristic-based detection functionality enabled and set to a high level[\/li][li]reputation rating functionality enabled[\/li][li]ransomware protection functionality enabled[\/li][li]detection signatures configured to update on at least a daily basis[\/li][li]regular scanning configured for all fixed disks and removable media.[\/li][\/ul]","classificationString":"O, OS, P, S, TS","content":"[p]Antivirus software is implemented on workstations and servers with:[\/p][ul][li]signature-based 
detection functionality enabled and set to a high level[\/li][li]heuristic-based detection functionality enabled and set to a high level[\/li][li]reputation rating functionality enabled[\/li][li]ransomware protection functionality enabled[\/li][li]detection signatures configured to update on at least a daily basis[\/li][li]regular scanning configured for all fixed disks and removable media.[\/li][\/ul]"}],"reference":""},{"title":"Device access control software","type":"topic","context":"","qty_controls":3,"content":[{"index":"1418.4","name":"ISM-1418","id":"1418","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]If there is no business requirement for reading from removable media and devices, such functionality is disabled via the use of device access control software or by disabling external communication interfaces.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]If there is no business requirement for reading from removable media and devices, such functionality is disabled via the use of device access control software or by disabling external communication interfaces.[\/p]"},{"index":"0343.6","name":"ISM-0343","id":"0343","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]If there is no business requirement for writing to removable media and devices, such functionality is disabled via the use of device access control software or by disabling external communication interfaces.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]If there is no business requirement for writing to removable media and devices, such functionality is disabled via the use of device access control software or by disabling 
external communication interfaces.[\/p]"},{"index":"0345.6","name":"ISM-0345","id":"0345","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]External communication interfaces that allow DMA are disabled.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]External communication interfaces that allow DMA are disabled.[\/p]"}],"reference":""},{"title":"Operating system event logging","type":"topic","context":"","qty_controls":1,"content":[{"index":"0582.8","name":"ISM-0582","id":"0582","revision":8,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The following events are centrally logged for operating systems:[\/p][ul][li]application and operating system crashes and error messages[\/li][li]changes to security policies and system configurations[\/li][li]successful user logons and logoffs, failed user logons and account lockouts[\/li][li]failures, restarts and changes to important processes and services[\/li][li]requests to access internet resources[\/li][li]security product-related events[\/li][li]system startups and shutdowns.[\/li][\/ul]","classificationString":"O, OS, P, S, TS","content":"[p]The following events are centrally logged for operating systems:[\/p][ul][li]application and operating system crashes and error messages[\/li][li]changes to security policies and system configurations[\/li][li]successful user logons and logoffs, failed user logons and account lockouts[\/li][li]failures, restarts and changes to important processes and services[\/li][li]requests to access internet resources[\/li][li]security product-related events[\/li][li]system startups and shutdowns.[\/li][\/ul]"}],"reference":""}],"reference":""},{"title":"User 
application hardening","type":"section","context":"","qty_controls":34,"content":[{"title":"User application selection","type":"topic","context":"","qty_controls":1,"content":[{"index":"0938.6","name":"ISM-0938","id":"0938","revision":6,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]User applications are chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]User applications are chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products.[\/p]"}],"reference":""},{"title":"User application releases","type":"topic","context":"","qty_controls":1,"content":[{"index":"1467.3","name":"ISM-1467","id":"1467","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The latest release of office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The latest release of office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are used.[\/p]"}],"reference":""},{"title":"Hardening user application 
configurations","type":"topic","context":"","qty_controls":20,"content":[{"index":"1915.0","name":"ISM-1915","id":"1915","revision":0,"updated":"Mar-24","timestamp":1711421743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Approved configurations for user applications are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Approved configurations for user applications are developed, implemented and maintained.[\/p]"},{"index":"1806.1","name":"ISM-1806","id":"1806","revision":1,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Default accounts or credentials for user applications, including for any pre-configured accounts, are changed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Default accounts or credentials for user applications, including for any pre-configured accounts, are changed.[\/p]"},{"index":"1470.5","name":"ISM-1470","id":"1470","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unneeded components, services and functionality of office productivity suites, web browsers, email clients, PDF software and security products are disabled or removed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unneeded components, services and functionality of office productivity suites, web browsers, email clients, PDF software and security products are disabled or removed.[\/p]"},{"index":"1235.4","name":"ISM-1235","id":"1235","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Add-ons, extensions and plug-ins for office productivity suites, web browsers, email clients, PDF software and security products are restricted to an organisation-approved set.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Add-ons, extensions and plug-ins for office productivity suites, web browsers, email clients, PDF software and security products are restricted to an organisation-approved set.[\/p]"},{"index":"1667.0","name":"ISM-1667","id":"1667","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Microsoft Office is blocked from creating child processes.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft Office is blocked from creating child processes.[\/p]"},{"index":"1668.0","name":"ISM-1668","id":"1668","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Microsoft Office is blocked from creating executable content.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft Office is blocked from creating executable content.[\/p]"},{"index":"1669.0","name":"ISM-1669","id":"1669","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Microsoft Office is blocked from injecting code into other processes.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft Office is blocked from injecting code into other 
processes.[\/p]"},{"index":"1542.0","name":"ISM-1542","id":"1542","revision":0,"updated":"Jan-19","timestamp":1548471343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.[\/p]"},{"index":"1859.2","name":"ISM-1859","id":"1859","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Office productivity suites are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Office productivity suites are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.[\/p]"},{"index":"1823.0","name":"ISM-1823","id":"1823","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Office productivity suite security settings cannot be changed by users.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Office productivity suite security settings cannot be changed by users.[\/p]"},{"index":"1486.1","name":"ISM-1486","id":"1486","revision":1,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Web browsers do not process Java from the 
internet.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Web browsers do not process Java from the internet.[\/p]"},{"index":"1485.1","name":"ISM-1485","id":"1485","revision":1,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Web browsers do not process web advertisements from the internet.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Web browsers do not process web advertisements from the internet.[\/p]"},{"index":"1412.6","name":"ISM-1412","id":"1412","revision":6,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Web browsers are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Web browsers are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.[\/p]"},{"index":"1585.2","name":"ISM-1585","id":"1585","revision":2,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Web browser security settings cannot be changed by users.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Web browser security settings cannot be changed by users.[\/p]"},{"index":"1670.0","name":"ISM-1670","id":"1670","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]PDF software is blocked from creating child 
processes.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]PDF software is blocked from creating child processes.[\/p]"},{"index":"1860.2","name":"ISM-1860","id":"1860","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]PDF software is hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]PDF software is hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.[\/p]"},{"index":"1824.0","name":"ISM-1824","id":"1824","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]PDF software security settings cannot be changed by users.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]PDF software security settings cannot be changed by users.[\/p]"},{"index":"1601.1","name":"ISM-1601","id":"1601","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Microsoft\u2019s attack surface reduction rules are implemented.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft\u2019s attack surface reduction rules are implemented.[\/p]"},{"index":"1748.1","name":"ISM-1748","id":"1748","revision":1,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Email client security settings cannot be changed by 
users.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Email client security settings cannot be changed by users.[\/p]"},{"index":"1825.0","name":"ISM-1825","id":"1825","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Security product security settings cannot be changed by users.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Security product security settings cannot be changed by users.[\/p]"}],"reference":""},{"title":"Microsoft Office macros","type":"topic","context":"","qty_controls":12,"content":[{"index":"1671.0","name":"ISM-1671","id":"1671","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.[\/p]"},{"index":"1488.1","name":"ISM-1488","id":"1488","revision":1,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Microsoft Office macros in files originating from the internet are blocked.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft Office macros in files originating from the internet are blocked.[\/p]"},{"index":"1672.0","name":"ISM-1672","id":"1672","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Microsoft Office macro antivirus scanning is enabled.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft Office macro antivirus scanning is enabled.[\/p]"},{"index":"1673.0","name":"ISM-1673","id":"1673","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Microsoft Office macros are blocked from making Win32 API calls.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft Office macros are blocked from making Win32 API calls.[\/p]"},{"index":"1674.0","name":"ISM-1674","id":"1674","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute.[\/p]"},{"index":"1890.0","name":"ISM-1890","id":"1890","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Microsoft Office macros are checked to ensure they are free of malicious code before being digitally signed or placed within Trusted Locations.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft Office macros are checked to ensure they are free of malicious code before being digitally signed or placed within Trusted 
Locations.[\/p]"},{"index":"1487.2","name":"ISM-1487","id":"1487","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Only privileged users responsible for checking that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Only privileged users responsible for checking that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations.[\/p]"},{"index":"1675.0","name":"ISM-1675","id":"1675","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View.[\/p]"},{"index":"1891.0","name":"ISM-1891","id":"1891","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Microsoft Office macros digitally signed by signatures other than V3 signatures cannot be enabled via the Message Bar or Backstage View.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft Office macros digitally signed by signatures other than V3 signatures cannot be enabled via the Message Bar or Backstage 
View.[\/p]"},{"index":"1676.0","name":"ISM-1676","id":"1676","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Microsoft Office\u2019s list of trusted publishers is validated on an annual or more frequent basis.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft Office\u2019s list of trusted publishers is validated on an annual or more frequent basis.[\/p]"},{"index":"1489.0","name":"ISM-1489","id":"1489","revision":0,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Microsoft Office macro security settings cannot be changed by users.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft Office macro security settings cannot be changed by users.[\/p]"},{"index":"1677.2","name":"ISM-1677","id":"1677","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Allowed and blocked Microsoft Office macro execution events are centrally logged.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Allowed and blocked Microsoft Office macro execution events are centrally logged.[\/p]"}],"reference":""}],"reference":""},{"title":"Server application hardening","type":"section","context":"","qty_controls":29,"content":[{"title":"Server application selection","type":"topic","context":"","qty_controls":1,"content":[{"index":"1826.0","name":"ISM-1826","id":"1826","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Server applications are chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Server applications are chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products.[\/p]"}],"reference":""},{"title":"Server application releases","type":"topic","context":"","qty_controls":1,"content":[{"index":"1483.2","name":"ISM-1483","id":"1483","revision":2,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The latest release of internet-facing server applications are used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The latest release of internet-facing server applications are used.[\/p]"}],"reference":""},{"title":"Hardening server application configurations","type":"topic","context":"","qty_controls":5,"content":[{"index":"1916.0","name":"ISM-1916","id":"1916","revision":0,"updated":"Mar-24","timestamp":1711421743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Approved configurations for server applications are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Approved configurations for server applications are developed, implemented and 
maintained.[\/p]"},{"index":"1246.6","name":"ISM-1246","id":"1246","revision":6,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Server applications are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Server applications are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.[\/p]"},{"index":"1260.4","name":"ISM-1260","id":"1260","revision":4,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Default accounts or credentials for server applications, including for any pre-configured accounts, are changed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Default accounts or credentials for server applications, including for any pre-configured accounts, are changed.[\/p]"},{"index":"1247.4","name":"ISM-1247","id":"1247","revision":4,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unneeded accounts, components, services and functionality of server applications are disabled or removed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unneeded accounts, components, services and functionality of server applications are disabled or removed.[\/p]"},{"index":"1245.3","name":"ISM-1245","id":"1245","revision":3,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]All temporary installation files and logs created during server application installation processes are removed after server applications have been installed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]All temporary installation files and logs created during server application installation processes are removed after server applications have been installed.[\/p]"}],"reference":""},{"title":"Restricting privileges for server applications","type":"topic","context":"","qty_controls":2,"content":[{"index":"1249.3","name":"ISM-1249","id":"1249","revision":3,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Server applications are configured to run as a separate account with the minimum privileges needed to perform their functions.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Server applications are configured to run as a separate account with the minimum privileges needed to perform their functions.[\/p]"},{"index":"1250.2","name":"ISM-1250","id":"1250","revision":2,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The accounts under which server applications run have limited access to their underlying server\u2019s file system.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The accounts under which server applications run have limited access to their underlying server\u2019s file system.[\/p]"}],"reference":""},{"title":"Microsoft Active Directory Domain Services domain 
controllers","type":"topic","context":"","qty_controls":4,"content":[{"index":"1827.0","name":"ISM-1827","id":"1827","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Microsoft AD DS domain controllers are administered using dedicated domain administrator user accounts that are not used to administer other systems.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Microsoft AD DS domain controllers are administered using dedicated domain administrator user accounts that are not used to administer other systems.[\/p]"},{"index":"1828.0","name":"ISM-1828","id":"1828","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The Print Spooler service is disabled on Microsoft AD DS domain controllers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The Print Spooler service is disabled on Microsoft AD DS domain controllers.[\/p]"},{"index":"1829.0","name":"ISM-1829","id":"1829","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Passwords and cpasswords are not used in Group Policy Preferences.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Passwords and cpasswords are not used in Group Policy Preferences.[\/p]"},{"index":"1830.1","name":"ISM-1830","id":"1830","revision":1,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Security-related events for Microsoft AD DS are centrally 
logged.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Security-related events for Microsoft AD DS are centrally logged.[\/p]"}],"reference":""},{"title":"Microsoft Active Directory Domain Services account hardening","type":"topic","context":"","qty_controls":13,"content":[{"index":"1832.0","name":"ISM-1832","id":"1832","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Only service accounts and computer accounts are configured with Service Principal Names (SPNs).[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Only service accounts and computer accounts are configured with Service Principal Names (SPNs).[\/p]"},{"index":"1833.0","name":"ISM-1833","id":"1833","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Service accounts are provisioned with the minimum privileges required and are not members of the domain administrators group or similar highly privileged groups.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Service accounts are provisioned with the minimum privileges required and are not members of the domain administrators group or similar highly privileged groups.[\/p]"},{"index":"1834.0","name":"ISM-1834","id":"1834","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Duplicate SPNs do not exist within the domain.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Duplicate SPNs do not exist within the 
domain.[\/p]"},{"index":"1835.0","name":"ISM-1835","id":"1835","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Privileged user accounts are configured as sensitive and cannot be delegated.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Privileged user accounts are configured as sensitive and cannot be delegated.[\/p]"},{"index":"1836.0","name":"ISM-1836","id":"1836","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]User accounts require Kerberos pre-authentication.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]User accounts require Kerberos pre-authentication.[\/p]"},{"index":"1837.0","name":"ISM-1837","id":"1837","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]User accounts are not configured with password never expires or password not required.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]User accounts are not configured with password never expires or password not required.[\/p]"},{"index":"1838.0","name":"ISM-1838","id":"1838","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The UserPassword attribute for user accounts is not used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The UserPassword attribute for user accounts is not 
used.[\/p]"},{"index":"1839.0","name":"ISM-1839","id":"1839","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Account properties accessible by unprivileged users are not used to store passwords.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Account properties accessible by unprivileged users are not used to store passwords.[\/p]"},{"index":"1840.0","name":"ISM-1840","id":"1840","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]User account passwords do not use reversible encryption.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]User account passwords do not use reversible encryption.[\/p]"},{"index":"1841.0","name":"ISM-1841","id":"1841","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unprivileged user accounts cannot add machines to the domain.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unprivileged user accounts cannot add machines to the domain.[\/p]"},{"index":"1842.0","name":"ISM-1842","id":"1842","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Dedicated service accounts are used to add machines to the domain.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Dedicated service accounts are used to add machines to the 
domain.[\/p]"},{"index":"1843.0","name":"ISM-1843","id":"1843","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]User accounts with unconstrained delegation are reviewed at least annually, and those without an associated Kerberos SPN or demonstrated business requirement are removed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]User accounts with unconstrained delegation are reviewed at least annually, and those without an associated Kerberos SPN or demonstrated business requirement are removed.[\/p]"},{"index":"1844.0","name":"ISM-1844","id":"1844","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Computer accounts that are not Microsoft AD DS domain controllers are not trusted for delegation to services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Computer accounts that are not Microsoft AD DS domain controllers are not trusted for delegation to services.[\/p]"}],"reference":""},{"title":"Microsoft Active Directory Domain Services security group memberships","type":"topic","context":"","qty_controls":3,"content":[{"index":"1620.1","name":"ISM-1620","id":"1620","revision":1,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Privileged user accounts are members of the Protected Users security group.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Privileged user accounts are members of the Protected Users security 
group.[\/p]"},{"index":"1845.0","name":"ISM-1845","id":"1845","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When a user account is disabled, it is removed from all security group memberships.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When a user account is disabled, it is removed from all security group memberships.[\/p]"},{"index":"1846.0","name":"ISM-1846","id":"1846","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The Pre-Windows 2000 Compatible Access security group does not contain user accounts.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The Pre-Windows 2000 Compatible Access security group does not contain user accounts.[\/p]"}],"reference":""}],"reference":""},{"title":"Authentication hardening","type":"section","context":"","qty_controls":51,"content":[{"title":"Authenticating to systems","type":"topic","context":"","qty_controls":1,"content":[{"index":"1546.0","name":"ISM-1546","id":"1546","revision":0,"updated":"Aug-19","timestamp":1566791743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Users are authenticated before they are granted access to a system and its resources.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Users are authenticated before they are granted access to a system and its resources.[\/p]"}],"reference":""},{"title":"Insecure authentication 
methods","type":"topic","context":"","qty_controls":2,"content":[{"index":"1603.0","name":"ISM-1603","id":"1603","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Authentication methods susceptible to replay attacks are disabled.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Authentication methods susceptible to replay attacks are disabled.[\/p]"},{"index":"1055.4","name":"ISM-1055","id":"1055","revision":4,"updated":"Oct-20","timestamp":1603680943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]LAN Manager and NT LAN Manager authentication methods are disabled.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]LAN Manager and NT LAN Manager authentication methods are disabled.[\/p]"}],"reference":""},{"title":"Multi-factor authentication","type":"topic","context":"","qty_controls":19,"content":[{"index":"1504.3","name":"ISM-1504","id":"1504","revision":3,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multi-factor authentication is used to authenticate users to their organisation\u2019s online services that process, store or communicate their organisation\u2019s sensitive data.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multi-factor authentication is used to authenticate users to their organisation\u2019s online services that process, store or communicate their organisation\u2019s sensitive data.[\/p]"},{"index":"1679.1","name":"ISM-1679","id":"1679","revision":1,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their organisation\u2019s sensitive data.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their organisation\u2019s sensitive data.[\/p]"},{"index":"1680.1","name":"ISM-1680","id":"1680","revision":1,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multi-factor authentication (where available) is used to authenticate users to third-party online services that process, store or communicate their organisation\u2019s non-sensitive data.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multi-factor authentication (where available) is used to authenticate users to third-party online services that process, store or communicate their organisation\u2019s non-sensitive data.[\/p]"},{"index":"1892.0","name":"ISM-1892","id":"1892","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multi-factor authentication is used to authenticate users to their organisation\u2019s online customer services that process, store or communicate their organisation\u2019s sensitive customer data.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multi-factor authentication is used to authenticate users to their organisation\u2019s online customer services that process, store or communicate their organisation\u2019s sensitive customer 
data.[\/p]"},{"index":"1893.0","name":"ISM-1893","id":"1893","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or communicate their organisation\u2019s sensitive customer data.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or communicate their organisation\u2019s sensitive customer data.[\/p]"},{"index":"1681.3","name":"ISM-1681","id":"1681","revision":3,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multi-factor authentication is used to authenticate customers to online customer services that process, store or communicate sensitive customer data.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multi-factor authentication is used to authenticate customers to online customer services that process, store or communicate sensitive customer data.[\/p]"},{"index":"1173.4","name":"ISM-1173","id":"1173","revision":4,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multi-factor authentication is used to authenticate privileged users of systems.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multi-factor authentication is used to authenticate privileged users of 
systems.[\/p]"},{"index":"0974.6","name":"ISM-0974","id":"0974","revision":6,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multi-factor authentication is used to authenticate unprivileged users of systems.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multi-factor authentication is used to authenticate unprivileged users of systems.[\/p]"},{"index":"1505.3","name":"ISM-1505","id":"1505","revision":3,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multi-factor authentication is used to authenticate users of data repositories.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multi-factor authentication is used to authenticate users of data repositories.[\/p]"},{"index":"1401.5","name":"ISM-1401","id":"1401","revision":5,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.[\/p]"},{"index":"1872.1","name":"ISM-1872","id":"1872","revision":1,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multi-factor authentication used for authenticating 
users of online services is phishing-resistant.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multi-factor authentication used for authenticating users of online services is phishing-resistant.[\/p]"},{"index":"1873.1","name":"ISM-1873","id":"1873","revision":1,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multi-factor authentication used for authenticating customers of online customer services provides a phishing-resistant option.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multi-factor authentication used for authenticating customers of online customer services provides a phishing-resistant option.[\/p]"},{"index":"1874.1","name":"ISM-1874","id":"1874","revision":1,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multi-factor authentication used for authenticating customers of online customer services is phishing-resistant.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multi-factor authentication used for authenticating customers of online customer services is phishing-resistant.[\/p]"},{"index":"1682.3","name":"ISM-1682","id":"1682","revision":3,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multi-factor authentication used for authenticating users of systems is phishing-resistant.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multi-factor authentication used for authenticating users of systems is 
phishing-resistant.[\/p]"},{"index":"1894.0","name":"ISM-1894","id":"1894","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Multi-factor authentication used for authenticating users of data repositories is phishing-resistant.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Multi-factor authentication used for authenticating users of data repositories is phishing-resistant.[\/p]"},{"index":"1559.2","name":"ISM-1559","id":"1559","revision":2,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Memorised secrets used for multi-factor authentication are a minimum of 6 characters, unless more stringent requirements apply.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Memorised secrets used for multi-factor authentication are a minimum of 6 characters, unless more stringent requirements apply.[\/p]"},{"index":"1560.2","name":"ISM-1560","id":"1560","revision":2,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"S":"SECRET"},"applicability":"","statement":"[p]Memorised secrets used for multi-factor authentication on SECRET systems are a minimum of 8 characters.[\/p]","classificationString":"S","content":"[p]Memorised secrets used for multi-factor authentication on SECRET systems are a minimum of 8 characters.[\/p]"},{"index":"1561.2","name":"ISM-1561","id":"1561","revision":2,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]Memorised secrets used for multi-factor authentication on TOP SECRET systems are a minimum of 10 characters.[\/p]","classificationString":"TS","content":"[p]Memorised secrets used 
for multi-factor authentication on TOP SECRET systems are a minimum of 10 characters.[\/p]"},{"index":"1683.2","name":"ISM-1683","id":"1683","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Successful and unsuccessful multi-factor authentication events are centrally logged.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Successful and unsuccessful multi-factor authentication events are centrally logged.[\/p]"}],"reference":""},{"title":"Single-factor authentication","type":"topic","context":"","qty_controls":6,"content":[{"index":"0417.5","name":"ISM-0417","id":"0417","revision":5,"updated":"Oct-19","timestamp":1572058543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead.[\/p]"},{"index":"0421.8","name":"ISM-0421","id":"0421","revision":8,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Passphrases used for single-factor authentication are at least 4 random words with a total minimum length of 14 characters, unless more stringent requirements apply.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Passphrases used for single-factor authentication are at least 4 random words with a total minimum length of 14 characters, unless more stringent requirements 
apply.[\/p]"},{"index":"1557.2","name":"ISM-1557","id":"1557","revision":2,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET"},"applicability":"","statement":"[p]Passphrases used for single-factor authentication on SECRET systems are at least 5 random words with a total minimum length of 17 characters.[\/p]","classificationString":"S","content":"[p]Passphrases used for single-factor authentication on SECRET systems are at least 5 random words with a total minimum length of 17 characters.[\/p]"},{"index":"0422.8","name":"ISM-0422","id":"0422","revision":8,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]Passphrases used for single-factor authentication on TOP SECRET systems are at least 6 random words with a total minimum length of 20 characters.[\/p]","classificationString":"TS","content":"[p]Passphrases used for single-factor authentication on TOP SECRET systems are at least 6 random words with a total minimum length of 20 characters.[\/p]"},{"index":"1558.2","name":"ISM-1558","id":"1558","revision":2,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Passphrases used for single-factor authentication are not a list of categorised words; do not form a real sentence in a natural language; and are not constructed from song lyrics, movies, literature or any other publicly available material.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Passphrases used for single-factor authentication are not a list of categorised words; do not form a real sentence in a natural language; and are not constructed from song lyrics, movies, literature or any other publicly available 
material.[\/p]"},{"index":"1895.0","name":"ISM-1895","id":"1895","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Successful and unsuccessful single-factor authentication events are centrally logged.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Successful and unsuccessful single-factor authentication events are centrally logged.[\/p]"}],"reference":""},{"title":"Setting credentials for user accounts","type":"topic","context":"","qty_controls":5,"content":[{"index":"1593.1","name":"ISM-1593","id":"1593","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Users provide sufficient evidence to verify their identity when requesting new credentials.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Users provide sufficient evidence to verify their identity when requesting new credentials.[\/p]"},{"index":"1227.5","name":"ISM-1227","id":"1227","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Credentials set for user accounts are randomly generated.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Credentials set for user accounts are randomly generated.[\/p]"},{"index":"1594.1","name":"ISM-1594","id":"1594","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Credentials are provided to users via a secure communications channel or, if not possible, split into 
two parts with one part provided to users and the other part provided to supervisors.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Credentials are provided to users via a secure communications channel or, if not possible, split into two parts with one part provided to users and the other part provided to supervisors.[\/p]"},{"index":"1595.1","name":"ISM-1595","id":"1595","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Credentials provided to users are changed on first use.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Credentials provided to users are changed on first use.[\/p]"},{"index":"1596.2","name":"ISM-1596","id":"1596","revision":2,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Credentials, in the form of memorised secrets, are not reused by users across different systems.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Credentials, in the form of memorised secrets, are not reused by users across different systems.[\/p]"}],"reference":""},{"title":"Setting credentials for break glass accounts, local administrator accounts and service accounts","type":"topic","context":"","qty_controls":3,"content":[{"index":"1685.2","name":"ISM-1685","id":"1685","revision":2,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Credentials for break glass accounts, local administrator accounts and service accounts are long, unique, unpredictable and managed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Credentials for break glass 
accounts, local administrator accounts and service accounts are long, unique, unpredictable and managed.[\/p]"},{"index":"1795.1","name":"ISM-1795","id":"1795","revision":1,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Credentials for break glass accounts, local administrator accounts and service accounts are a minimum of 30 characters.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Credentials for break glass accounts, local administrator accounts and service accounts are a minimum of 30 characters.[\/p]"},{"index":"1619.0","name":"ISM-1619","id":"1619","revision":0,"updated":"Oct-20","timestamp":1603680943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Service accounts are created as group Managed Service Accounts.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Service accounts are created as group Managed Service Accounts.[\/p]"}],"reference":""},{"title":"Changing credentials","type":"topic","context":"","qty_controls":2,"content":[{"index":"1590.2","name":"ISM-1590","id":"1590","revision":2,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Credentials are changed if:[\/p][ul][li]they are compromised[\/li][li]they are suspected of being compromised[\/li][li]they are discovered stored on networks in the clear[\/li][li]they are discovered being transferred across networks in the clear[\/li][li]membership of a shared account changes[\/li][li]they have not been changed in the past 12 months.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Credentials are changed if:[\/p][ul][li]they 
are compromised[\/li][li]they are suspected of being compromised[\/li][li]they are discovered stored on networks in the clear[\/li][li]they are discovered being transferred across networks in the clear[\/li][li]membership of a shared account changes[\/li][li]they have not been changed in the past 12 months.[\/li][\/p]"},{"index":"1847.0","name":"ISM-1847","id":"1847","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Credentials for the Kerberos Key Distribution Center\u2019s service account (KRBTGT) are changed twice, allowing for replication to all Microsoft Active Directory Domain Services domain controllers in-between each change, if:[\/p][ul][li]the domain has been directly compromised[\/li][li]the domain is suspected of being compromised[\/li][li]they have not been changed in the past 12 months.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Credentials for the Kerberos Key Distribution Center\u2019s service account (KRBTGT) are changed twice, allowing for replication to all Microsoft Active Directory Domain Services domain controllers in-between each change, if:[\/p][ul][li]the domain has been directly compromised[\/li][li]the domain is suspected of being compromised[\/li][li]they have not been changed in the past 12 months.[\/li][\/p]"}],"reference":""},{"title":"Protecting credentials","type":"topic","context":"","qty_controls":9,"content":[{"index":"0418.6","name":"ISM-0418","id":"0418","revision":6,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Credentials are kept separate from systems they are used to authenticate to, except for when performing authentication activities.[\/p]","classificationString":"O, 
OS, P, S, TS","content":"[p]Credentials are kept separate from systems they are used to authenticate to, except for when performing authentication activities.[\/p]"},{"index":"1597.0","name":"ISM-1597","id":"1597","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Credentials are obscured as they are entered into systems.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Credentials are obscured as they are entered into systems.[\/p]"},{"index":"1896.0","name":"ISM-1896","id":"1896","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Memory integrity functionality is enabled.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Memory integrity functionality is enabled.[\/p]"},{"index":"1861.2","name":"ISM-1861","id":"1861","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Local Security Authority protection functionality is enabled.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Local Security Authority protection functionality is enabled.[\/p]"},{"index":"1686.1","name":"ISM-1686","id":"1686","revision":1,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Credential Guard functionality is enabled.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Credential Guard functionality is 
enabled.[\/p]"},{"index":"1897.0","name":"ISM-1897","id":"1897","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Remote Credential Guard functionality is enabled.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Remote Credential Guard functionality is enabled.[\/p]"},{"index":"1749.0","name":"ISM-1749","id":"1749","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cached credentials are limited to one previous logon.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cached credentials are limited to one previous logon.[\/p]"},{"index":"1402.6","name":"ISM-1402","id":"1402","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Credentials stored on systems are protected by a password manager; a hardware security module; or by salting, hashing and stretching them before storage within a database.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Credentials stored on systems are protected by a password manager; a hardware security module; or by salting, hashing and stretching them before storage within a database.[\/p]"},{"index":"1875.0","name":"ISM-1875","id":"1875","revision":0,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Networks are scanned at least monthly to identify any credentials that are being stored in the clear.[\/p]","classificationString":"O, OS, P, S, 
TS","content":"[p]Networks are scanned at least monthly to identify any credentials that are being stored in the clear.[\/p]"}],"reference":""},{"title":"Account lockouts","type":"topic","context":"","qty_controls":1,"content":[{"index":"1403.3","name":"ISM-1403","id":"1403","revision":3,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Accounts, except for break glass accounts, are locked out after a maximum of five failed logon attempts.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Accounts, except for break glass accounts, are locked out after a maximum of five failed logon attempts.[\/p]"}],"reference":""},{"title":"Session termination","type":"topic","context":"","qty_controls":1,"content":[{"index":"0853.3","name":"ISM-0853","id":"0853","revision":3,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]On a daily basis, outside of business hours and after an appropriate period of inactivity, user sessions are terminated and workstations are restarted.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]On a daily basis, outside of business hours and after an appropriate period of inactivity, user sessions are terminated and workstations are restarted.[\/p]"}],"reference":""},{"title":"Session and screen locking","type":"topic","context":"","qty_controls":1,"content":[{"index":"0428.9","name":"ISM-0428","id":"0428","revision":9,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Systems are configured with a session or screen lock that:[\/p][ul][li]activates after a maximum 
of 15 minutes of user inactivity, or if manually activated by users[\/li][li]conceals all session content on the screen[\/li][li]ensures that the screen does not enter a power saving state before the session or screen lock is activated[\/li][li]requires users to authenticate to unlock the session[\/li][li]denies users the ability to disable the session or screen locking mechanism.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Systems are configured with a session or screen lock that:[\/p][ul][li]activates after a maximum of 15 minutes of user inactivity, or if manually activated by users[\/li][li]conceals all session content on the screen[\/li][li]ensures that the screen does not enter a power saving state before the session or screen lock is activated[\/li][li]requires users to authenticate to unlock the session[\/li][li]denies users the ability to disable the session or screen locking mechanism.[\/li][\/p]"}],"reference":""},{"title":"Logon banner","type":"topic","context":"","qty_controls":1,"content":[{"index":"0408.5","name":"ISM-0408","id":"0408","revision":5,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Systems have a logon banner that reminds users of their security responsibilities when accessing the system and its resources.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Systems have a logon banner that reminds users of their security responsibilities when accessing the system and its resources.[\/p]"}],"reference":""}],"reference":""},{"title":"Virtualisation hardening","type":"section","context":"","qty_controls":7,"content":[{"title":"Functional separation between computing 
environments","type":"topic","context":"","qty_controls":7,"content":[{"index":"1460.4","name":"ISM-1460","id":"1460","revision":4,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When using a software-based isolation mechanism to share a physical server\u2019s hardware, the isolation mechanism is from a vendor that has demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When using a software-based isolation mechanism to share a physical server\u2019s hardware, the isolation mechanism is from a vendor that has demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products.[\/p]"},{"index":"1604.0","name":"ISM-1604","id":"1604","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When using a software-based isolation mechanism to share a physical server\u2019s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When using a software-based isolation mechanism to share a physical server\u2019s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation 
mechanism.[\/p]"},{"index":"1605.1","name":"ISM-1605","id":"1605","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When using a software-based isolation mechanism to share a physical server\u2019s hardware, the underlying operating system is hardened.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When using a software-based isolation mechanism to share a physical server\u2019s hardware, the underlying operating system is hardened.[\/p]"},{"index":"1606.2","name":"ISM-1606","id":"1606","revision":2,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When using a software-based isolation mechanism to share a physical server\u2019s hardware, patches, updates or vendor mitigations for vulnerabilities are applied to the isolation mechanism and underlying operating system in a timely manner.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When using a software-based isolation mechanism to share a physical server\u2019s hardware, patches, updates or vendor mitigations for vulnerabilities are applied to the isolation mechanism and underlying operating system in a timely manner.[\/p]"},{"index":"1848.0","name":"ISM-1848","id":"1848","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When using a software-based isolation mechanism to share a physical server\u2019s hardware, the isolation mechanism or underlying operating system is replaced when it is no longer supported by a vendor.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When using a 
software-based isolation mechanism to share a physical server\u2019s hardware, the isolation mechanism or underlying operating system is replaced when it is no longer supported by a vendor.[\/p]"},{"index":"1607.0","name":"ISM-1607","id":"1607","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When using a software-based isolation mechanism to share a physical server\u2019s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When using a software-based isolation mechanism to share a physical server\u2019s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner.[\/p]"},{"index":"1461.5","name":"ISM-1461","id":"1461","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When using a software-based isolation mechanism to share a physical server\u2019s hardware for SECRET or TOP SECRET computing environments, the physical server and all computing environments are of the same classification and belong to the same security domain.[\/p]","classificationString":"S, TS","content":"[p]When using a software-based isolation mechanism to share a physical server\u2019s hardware for SECRET or TOP SECRET computing environments, the physical server and all computing environments are of the same classification and belong to the same security domain.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for System Management","type":"guideline","qty_controls":64,"content":[{"title":"System 
administration","type":"section","context":"","qty_controls":12,"content":[{"title":"System administration processes and procedures","type":"topic","context":"","qty_controls":2,"content":[{"index":"0042.6","name":"ISM-0042","id":"0042","revision":6,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System administration processes, and supporting system administration procedures, are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]System administration processes, and supporting system administration procedures, are developed, implemented and maintained.[\/p]"},{"index":"1211.5","name":"ISM-1211","id":"1211","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System administrators document requirements for administrative activities, consider potential security impacts, obtain any necessary approvals, notify users of any disruptions or outages, and maintain system and security documentation.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]System administrators document requirements for administrative activities, consider potential security impacts, obtain any necessary approvals, notify users of any disruptions or outages, and maintain system and security documentation.[\/p]"}],"reference":""},{"title":"Separate privileged operating environments","type":"topic","context":"","qty_controls":5,"content":[{"index":"1898.0","name":"ISM-1898","id":"1898","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Secure Admin 
Workstations are used in the performance of administrative activities.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Secure Admin Workstations are used in the performance of administrative activities.[\/p]"},{"index":"1380.5","name":"ISM-1380","id":"1380","revision":5,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Privileged users use separate privileged and unprivileged operating environments.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Privileged users use separate privileged and unprivileged operating environments.[\/p]"},{"index":"1687.0","name":"ISM-1687","id":"1687","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Privileged operating environments are not virtualised within unprivileged operating environments.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Privileged operating environments are not virtualised within unprivileged operating environments.[\/p]"},{"index":"1688.0","name":"ISM-1688","id":"1688","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unprivileged accounts cannot logon to privileged operating environments.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unprivileged accounts cannot logon to privileged operating environments.[\/p]"},{"index":"1689.0","name":"ISM-1689","id":"1689","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.[\/p]"}],"reference":""},{"title":"Administrative infrastructure","type":"topic","context":"","qty_controls":5,"content":[{"index":"1385.4","name":"ISM-1385","id":"1385","revision":4,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Administrative infrastructure is segregated from the wider network and the internet.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Administrative infrastructure is segregated from the wider network and the internet.[\/p]"},{"index":"1750.0","name":"ISM-1750","id":"1750","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Administrative infrastructure for critical servers, high-value servers and regular servers is segregated from each other.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Administrative infrastructure for critical servers, high-value servers and regular servers is segregated from each other.[\/p]"},{"index":"1386.5","name":"ISM-1386","id":"1386","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Network management traffic can only originate from administrative infrastructure.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Network management traffic can only 
originate from administrative infrastructure.[\/p]"},{"index":"1387.2","name":"ISM-1387","id":"1387","revision":2,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Administrative activities are conducted through jump servers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Administrative activities are conducted through jump servers.[\/p]"},{"index":"1899.0","name":"ISM-1899","id":"1899","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Network devices that do not belong to administrative infrastructure cannot initiate connections with administrative infrastructure.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Network devices that do not belong to administrative infrastructure cannot initiate connections with administrative infrastructure.[\/p]"}],"reference":""}],"reference":""},{"title":"System patching","type":"section","context":"","qty_controls":38,"content":[{"title":"Patch management processes and procedures","type":"topic","context":"","qty_controls":2,"content":[{"index":"1143.9","name":"ISM-1143","id":"1143","revision":9,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patch management processes, and supporting patch management procedures, are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patch management processes, and supporting patch management procedures, are developed, implemented and 
maintained.[\/p]"},{"index":"0298.8","name":"ISM-0298","id":"0298","revision":8,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A centralised and managed approach that maintains the integrity of patches or updates, and confirms that they have been applied successfully, is used to patch or update applications, operating systems, drivers and firmware.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A centralised and managed approach that maintains the integrity of patches or updates, and confirms that they have been applied successfully, is used to patch or update applications, operating systems, drivers and firmware.[\/p]"}],"reference":""},{"title":"Software register","type":"topic","context":"","qty_controls":2,"content":[{"index":"1493.4","name":"ISM-1493","id":"1493","revision":4,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Software registers for workstations, servers, network devices and other ICT equipment are developed, implemented, maintained and verified on a regular basis.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Software registers for workstations, servers, network devices and other ICT equipment are developed, implemented, maintained and verified on a regular basis.[\/p]"},{"index":"1643.0","name":"ISM-1643","id":"1643","revision":0,"updated":"Jun-21","timestamp":1624679743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Software registers contain versions and patch histories of applications, drivers, operating systems and firmware.[\/p]","classificationString":"O, OS, P, S, 
TS","content":"[p]Software registers contain versions and patch histories of applications, drivers, operating systems and firmware.[\/p]"}],"reference":""},{"title":"Scanning for missing patches or updates","type":"topic","context":"","qty_controls":10,"content":[{"index":"1807.0","name":"ISM-1807","id":"1807","revision":0,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.[\/p]"},{"index":"1808.0","name":"ISM-1808","id":"1808","revision":0,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.[\/p]"},{"index":"1698.1","name":"ISM-1698","id":"1698","revision":1,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A vulnerability scanner is used at least daily to identify missing 
patches or updates for vulnerabilities in online services.[\/p]"},{"index":"1699.1","name":"ISM-1699","id":"1699","revision":1,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.[\/p]"},{"index":"1700.2","name":"ISM-1700","id":"1700","revision":2,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.[\/p]"},{"index":"1701.1","name":"ISM-1701","id":"1701","revision":1,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A vulnerability scanner is 
used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices.[\/p]"},{"index":"1702.2","name":"ISM-1702","id":"1702","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices.[\/p]"},{"index":"1752.3","name":"ISM-1752","id":"1752","revision":3,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network 
devices.[\/p]"},{"index":"1703.2","name":"ISM-1703","id":"1703","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in drivers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in drivers.[\/p]"},{"index":"1900.0","name":"ISM-1900","id":"1900","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in firmware.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in firmware.[\/p]"}],"reference":""},{"title":"When to patch vulnerabilities","type":"topic","context":"","qty_controls":18,"content":[{"index":"1876.0","name":"ISM-1876","id":"1876","revision":0,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are 
assessed as critical by vendors or when working exploits exist.[\/p]"},{"index":"1690.2","name":"ISM-1690","id":"1690","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.[\/p]"},{"index":"1691.1","name":"ISM-1691","id":"1691","revision":1,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release.[\/p]"},{"index":"1692.1","name":"ISM-1692","id":"1692","revision":1,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web 
browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.[\/p]"},{"index":"1901.0","name":"ISM-1901","id":"1901","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.[\/p]"},{"index":"1693.2","name":"ISM-1693","id":"1693","revision":2,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF 
software, and security products are applied within one month of release.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release.[\/p]"},{"index":"1877.0","name":"ISM-1877","id":"1877","revision":0,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.[\/p]"},{"index":"1694.2","name":"ISM-1694","id":"1694","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing 
servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.[\/p]"},{"index":"1695.2","name":"ISM-1695","id":"1695","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release.[\/p]"},{"index":"1696.1","name":"ISM-1696","id":"1696","revision":1,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits 
exist.[\/p]"},{"index":"1902.0","name":"ISM-1902","id":"1902","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.[\/p]"},{"index":"1878.0","name":"ISM-1878","id":"1878","revision":0,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits 
exist.[\/p]"},{"index":"1751.3","name":"ISM-1751","id":"1751","revision":3,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.[\/p]"},{"index":"1879.1","name":"ISM-1879","id":"1879","revision":1,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.[\/p]"},{"index":"1697.2","name":"ISM-1697","id":"1697","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for 
vulnerabilities in drivers are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.[\/p]"},{"index":"1903.0","name":"ISM-1903","id":"1903","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.[\/p]"},{"index":"1904.0","name":"ISM-1904","id":"1904","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits 
exist.[\/p]"},{"index":"0300.9","name":"ISM-0300","id":"0300","revision":9,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Patches, updates or other vendor mitigations for vulnerabilities in high assurance ICT equipment are applied only when approved by ASD, and in doing so, using methods and timeframes prescribed by ASD.[\/p]","classificationString":"S, TS","content":"[p]Patches, updates or other vendor mitigations for vulnerabilities in high assurance ICT equipment are applied only when approved by ASD, and in doing so, using methods and timeframes prescribed by ASD.[\/p]"}],"reference":""},{"title":"Cessation of support","type":"topic","context":"","qty_controls":6,"content":[{"index":"1905.0","name":"ISM-1905","id":"1905","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Online services that are no longer supported by vendors are removed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Online services that are no longer supported by vendors are removed.[\/p]"},{"index":"1704.2","name":"ISM-1704","id":"1704","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are 
removed.[\/p]"},{"index":"0304.7","name":"ISM-0304","id":"0304","revision":7,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.[\/p]"},{"index":"1501.1","name":"ISM-1501","id":"1501","revision":1,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Operating systems that are no longer supported by vendors are replaced.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Operating systems that are no longer supported by vendors are replaced.[\/p]"},{"index":"1753.0","name":"ISM-1753","id":"1753","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Network devices and other ICT equipment that are no longer supported by vendors are replaced.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Network devices and other ICT equipment that are no longer supported by vendors are replaced.[\/p]"},{"index":"1809.0","name":"ISM-1809","id":"1809","revision":0,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When applications, operating systems, network devices or other ICT equipment that are no longer supported by vendors cannot be immediately removed or replaced, compensating controls are implemented until such time that they can be removed or replaced.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When applications, operating systems, network devices or other ICT equipment that are no longer supported by vendors cannot be immediately removed or replaced, compensating controls are implemented until such time that they can be removed or replaced.[\/p]"}],"reference":""}],"reference":""},{"title":"Data backup and restoration","type":"section","context":"","qty_controls":14,"content":[{"title":"Digital preservation policy","type":"topic","context":"","qty_controls":1,"content":[{"index":"1510.2","name":"ISM-1510","id":"1510","revision":2,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A digital preservation policy is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A digital preservation policy is developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Data backup and restoration processes and procedures","type":"topic","context":"","qty_controls":2,"content":[{"index":"1547.2","name":"ISM-1547","id":"1547","revision":2,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Data backup processes, and supporting data backup procedures, are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Data backup processes, and supporting data backup 
procedures, are developed, implemented and maintained.[\/p]"},{"index":"1548.2","name":"ISM-1548","id":"1548","revision":2,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Data restoration processes, and supporting data restoration procedures, are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Data restoration processes, and supporting data restoration procedures, are developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Performing and retaining backups","type":"topic","context":"","qty_controls":3,"content":[{"index":"1511.4","name":"ISM-1511","id":"1511","revision":4,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Backups of data, applications and settings are performed and retained in accordance with business criticality and business continuity requirements.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Backups of data, applications and settings are performed and retained in accordance with business criticality and business continuity requirements.[\/p]"},{"index":"1810.1","name":"ISM-1810","id":"1810","revision":1,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Backups of data, applications and settings are synchronised to enable restoration to a common point in time.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Backups of data, applications and settings are synchronised to enable restoration to a common point in 
time.[\/p]"},{"index":"1811.1","name":"ISM-1811","id":"1811","revision":1,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Backups of data, applications and settings are retained in a secure and resilient manner.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Backups of data, applications and settings are retained in a secure and resilient manner.[\/p]"}],"reference":""},{"title":"Backup access","type":"topic","context":"","qty_controls":4,"content":[{"index":"1812.0","name":"ISM-1812","id":"1812","revision":0,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unprivileged accounts cannot access backups belonging to other accounts.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unprivileged accounts cannot access backups belonging to other accounts.[\/p]"},{"index":"1813.0","name":"ISM-1813","id":"1813","revision":0,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unprivileged accounts cannot access their own backups.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unprivileged accounts cannot access their own backups.[\/p]"},{"index":"1705.1","name":"ISM-1705","id":"1705","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts.[\/p]","classificationString":"O, OS, P, S, 
TS","content":"[p]Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts.[\/p]"},{"index":"1706.1","name":"ISM-1706","id":"1706","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Privileged accounts (excluding backup administrator accounts) cannot access their own backups.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Privileged accounts (excluding backup administrator accounts) cannot access their own backups.[\/p]"}],"reference":""},{"title":"Backup modification and deletion","type":"topic","context":"","qty_controls":3,"content":[{"index":"1814.0","name":"ISM-1814","id":"1814","revision":0,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unprivileged accounts are prevented from modifying and deleting backups.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unprivileged accounts are prevented from modifying and deleting backups.[\/p]"},{"index":"1707.1","name":"ISM-1707","id":"1707","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Privileged accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Privileged accounts (excluding backup administrator accounts) are prevented from modifying and deleting 
backups.[\/p]"},{"index":"1708.2","name":"ISM-1708","id":"1708","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Backup administrator accounts are prevented from modifying and deleting backups during their retention period.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Backup administrator accounts are prevented from modifying and deleting backups during their retention period.[\/p]"}],"reference":""},{"title":"Testing restoration of backups","type":"topic","context":"","qty_controls":1,"content":[{"index":"1515.4","name":"ISM-1515","id":"1515","revision":4,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Restoration of data, applications and settings from backups to a common point in time is tested as part of disaster recovery exercises.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Restoration of data, applications and settings from backups to a common point in time is tested as part of disaster recovery exercises.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for System Monitoring","type":"guideline","qty_controls":11,"content":[{"title":"Event logging and monitoring","type":"section","context":"","qty_controls":11,"content":[{"title":"Event logging policy","type":"topic","context":"","qty_controls":1,"content":[{"index":"0580.7","name":"ISM-0580","id":"0580","revision":7,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]An event logging policy is developed, implemented and maintained.[\/p]","classificationString":"O, 
OS, P, S, TS","content":"[p]An event logging policy is developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Event log details","type":"topic","context":"","qty_controls":1,"content":[{"index":"0585.5","name":"ISM-0585","id":"0585","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]For each event logged, the date and time of the event, the relevant user or process, the relevant filename, the event description, and the ICT equipment involved are recorded.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]For each event logged, the date and time of the event, the relevant user or process, the relevant filename, the event description, and the ICT equipment involved are recorded.[\/p]"}],"reference":""},{"title":"Centralised event logging facility","type":"topic","context":"","qty_controls":3,"content":[{"index":"1405.3","name":"ISM-1405","id":"1405","revision":3,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A centralised event logging facility is implemented and event logs are sent to the facility as soon as possible after they occur.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A centralised event logging facility is implemented and event logs are sent to the facility as soon as possible after they occur.[\/p]"},{"index":"1815.1","name":"ISM-1815","id":"1815","revision":1,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Event logs are protected from unauthorised modification and deletion.[\/p]","classificationString":"O, OS, P, S, 
TS","content":"[p]Event logs are protected from unauthorised modification and deletion.[\/p]"},{"index":"0988.6","name":"ISM-0988","id":"0988","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]An accurate time source is established and used consistently across systems to assist with identifying connections between events.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]An accurate time source is established and used consistently across systems to assist with identifying connections between events.[\/p]"}],"reference":""},{"title":"Event log monitoring","type":"topic","context":"","qty_controls":4,"content":[{"index":"1906.0","name":"ISM-1906","id":"1906","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.[\/p]"},{"index":"1907.0","name":"ISM-1907","id":"1907","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security 
events.[\/p]"},{"index":"0109.9","name":"ISM-0109","id":"0109","revision":9,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Event logs from workstations are analysed in a timely manner to detect cyber security events.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Event logs from workstations are analysed in a timely manner to detect cyber security events.[\/p]"},{"index":"1228.3","name":"ISM-1228","id":"1228","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cyber security events are analysed in a timely manner to identify cyber security incidents.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cyber security events are analysed in a timely manner to identify cyber security incidents.[\/p]"}],"reference":""},{"title":"Event log retention","type":"topic","context":"","qty_controls":2,"content":[{"index":"0859.4","name":"ISM-0859","id":"0859","revision":4,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Event logs, excluding those for Domain Name System services and web proxies, are retained for at least seven years.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Event logs, excluding those for Domain Name System services and web proxies, are retained for at least seven years.[\/p]"},{"index":"0991.6","name":"ISM-0991","id":"0991","revision":6,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Event logs for Domain Name System services and web proxies are retained for at least 18 months.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Event logs for Domain Name System services and web proxies are retained for at least 18 months.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Software Development","type":"guideline","qty_controls":38,"content":[{"title":"Application development","type":"section","context":"","qty_controls":20,"content":[{"title":"Development, testing and production environments","type":"topic","context":"","qty_controls":5,"content":[{"index":"0400.5","name":"ISM-0400","id":"0400","revision":5,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Development, testing and production environments are segregated.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Development, testing and production environments are segregated.[\/p]"},{"index":"1419.1","name":"ISM-1419","id":"1419","revision":1,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Development and modification of software only takes place in development environments.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Development and modification of software only takes place in development environments.[\/p]"},{"index":"1420.4","name":"ISM-1420","id":"1420","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Data from production environments is not used in a development or testing environment 
unless the environment is secured to the same level as the production environment.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Data from production environments is not used in a development or testing environment unless the environment is secured to the same level as the production environment.[\/p]"},{"index":"1422.3","name":"ISM-1422","id":"1422","revision":3,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unauthorised access to the authoritative source for software is prevented.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unauthorised access to the authoritative source for software is prevented.[\/p]"},{"index":"1816.0","name":"ISM-1816","id":"1816","revision":0,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unauthorised modification of the authoritative source for software is prevented.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unauthorised modification of the authoritative source for software is prevented.[\/p]"}],"reference":""},{"title":"Secure software design and development","type":"topic","context":"","qty_controls":6,"content":[{"index":"0401.6","name":"ISM-0401","id":"0401","revision":6,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, and secure programming practices are used as part of application development.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Secure-by-design and secure-by-default principles, 
use of memory-safe programming languages where possible, and secure programming practices are used as part of application development.[\/p]"},{"index":"1780.0","name":"ISM-1780","id":"1780","revision":0,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SecDevOps practices are used for application development.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]SecDevOps practices are used for application development.[\/p]"},{"index":"1238.4","name":"ISM-1238","id":"1238","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Threat modelling is used in support of application development.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Threat modelling is used in support of application development.[\/p]"},{"index":"1796.0","name":"ISM-1796","id":"1796","revision":0,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Files containing executable content are digitally signed as part of application development.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Files containing executable content are digitally signed as part of application development.[\/p]"},{"index":"1797.0","name":"ISM-1797","id":"1797","revision":0,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Installers, patches and updates are digitally signed or provided with cryptographic checksums as part of application 
development.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Installers, patches and updates are digitally signed or provided with cryptographic checksums as part of application development.[\/p]"},{"index":"1798.0","name":"ISM-1798","id":"1798","revision":0,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Secure configuration guidance is produced as part of application development.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Secure configuration guidance is produced as part of application development.[\/p]"}],"reference":""},{"title":"Software bill of materials","type":"topic","context":"","qty_controls":1,"content":[{"index":"1730.0","name":"ISM-1730","id":"1730","revision":0,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A software bill of materials is produced and made available to consumers of software.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A software bill of materials is produced and made available to consumers of software.[\/p]"}],"reference":""},{"title":"Application security testing","type":"topic","context":"","qty_controls":1,"content":[{"index":"0402.6","name":"ISM-0402","id":"0402","revision":6,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Applications are comprehensively tested for vulnerabilities, using both static application security testing and dynamic application security testing, prior to their initial release and any subsequent releases.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Applications are 
comprehensively tested for vulnerabilities, using both static application security testing and dynamic application security testing, prior to their initial release and any subsequent releases.[\/p]"}],"reference":""},{"title":"Vulnerability disclosure program","type":"topic","context":"","qty_controls":4,"content":[{"index":"1616.0","name":"ISM-1616","id":"1616","revision":0,"updated":"Aug-20","timestamp":1598414143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services.[\/p]"},{"index":"1755.1","name":"ISM-1755","id":"1755","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A vulnerability disclosure policy is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A vulnerability disclosure policy is developed, implemented and maintained.[\/p]"},{"index":"1756.1","name":"ISM-1756","id":"1756","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Vulnerability disclosure processes, and supporting vulnerability disclosure procedures, are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Vulnerability disclosure processes, and supporting vulnerability disclosure procedures, are developed, implemented and 
maintained.[\/p]"},{"index":"1717.2","name":"ISM-1717","id":"1717","revision":2,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A \u2018security.txt\u2019 file is hosted for all internet-facing organisational domains to assist in the responsible disclosure of vulnerabilities in an organisation\u2019s products and services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A \u2018security.txt\u2019 file is hosted for all internet-facing organisational domains to assist in the responsible disclosure of vulnerabilities in an organisation\u2019s products and services.[\/p]"}],"reference":""},{"title":"Reporting and resolving vulnerabilities","type":"topic","context":"","qty_controls":3,"content":[{"index":"1908.0","name":"ISM-1908","id":"1908","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Vulnerabilities identified in applications are publicly disclosed (where appropriate to do so) by software developers in a timely manner.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Vulnerabilities identified in applications are publicly disclosed (where appropriate to do so) by software developers in a timely manner.[\/p]"},{"index":"1754.2","name":"ISM-1754","id":"1754","revision":2,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Vulnerabilities identified in applications are resolved by software developers in a timely manner.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Vulnerabilities identified in applications are resolved by software developers 
in a timely manner.[\/p]"},{"index":"1909.0","name":"ISM-1909","id":"1909","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]In resolving vulnerabilities, software developers perform root cause analysis and, to the greatest extent possible, seek to remediate entire vulnerability classes.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]In resolving vulnerabilities, software developers perform root cause analysis and, to the greatest extent possible, seek to remediate entire vulnerability classes.[\/p]"}],"reference":""}],"reference":""},{"title":"Web application development","type":"section","context":"","qty_controls":18,"content":[{"title":"Open Web Application Security Projects","type":"topic","context":"","qty_controls":3,"content":[{"index":"0971.8","name":"ISM-0971","id":"0971","revision":8,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The OWASP Application Security Verification Standard is used in the development of web applications.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The OWASP Application Security Verification Standard is used in the development of web applications.[\/p]"},{"index":"1849.0","name":"ISM-1849","id":"1849","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The OWASP Top 10 Proactive Controls are used in the development of web applications.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The OWASP Top 10 Proactive Controls are used in the development of web 
applications.[\/p]"},{"index":"1850.0","name":"ISM-1850","id":"1850","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The OWASP Top 10 are mitigated in the development of web applications.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The OWASP Top 10 are mitigated in the development of web applications.[\/p]"}],"reference":""},{"title":"Web application frameworks","type":"topic","context":"","qty_controls":1,"content":[{"index":"1239.4","name":"ISM-1239","id":"1239","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Robust web application frameworks are used in the development of web applications.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Robust web application frameworks are used in the development of web applications.[\/p]"}],"reference":""},{"title":"Web application interactions","type":"topic","context":"","qty_controls":1,"content":[{"index":"1552.0","name":"ISM-1552","id":"1552","revision":0,"updated":"Oct-19","timestamp":1572058543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]All web application content is offered exclusively using HTTPS.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]All web application content is offered exclusively using HTTPS.[\/p]"}],"reference":""},{"title":"Web application programming interfaces","type":"topic","context":"","qty_controls":4,"content":[{"index":"1851.0","name":"ISM-1851","id":"1851","revision":0,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The OWASP API Security Top 10 are mitigated in the development of web APIs.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The OWASP API Security Top 10 are mitigated in the development of web APIs.[\/p]"},{"index":"1818.1","name":"ISM-1818","id":"1818","revision":1,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Authentication and authorisation of clients is performed when clients call web APIs that facilitate modification of data.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Authentication and authorisation of clients is performed when clients call web APIs that facilitate modification of data.[\/p]"},{"index":"1817.1","name":"ISM-1817","id":"1817","revision":1,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Authentication and authorisation of clients is performed when clients call web APIs that facilitate access to data not authorised for release into the public domain.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Authentication and authorisation of clients is performed when clients call web APIs that facilitate access to data not authorised for release into the public domain.[\/p]"},{"index":"1910.0","name":"ISM-1910","id":"1910","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Web API calls that facilitate modification of data, or access to data not authorised for release into the public domain, are centrally 
logged.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Web API calls that facilitate modification of data, or access to data not authorised for release into the public domain, are centrally logged.[\/p]"}],"reference":""},{"title":"Web application input handling","type":"topic","context":"","qty_controls":1,"content":[{"index":"1240.3","name":"ISM-1240","id":"1240","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Validation or sanitisation is performed on all input handled by web applications.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Validation or sanitisation is performed on all input handled by web applications.[\/p]"}],"reference":""},{"title":"Web application output encoding","type":"topic","context":"","qty_controls":1,"content":[{"index":"1241.4","name":"ISM-1241","id":"1241","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Output encoding is performed on all output produced by web applications.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Output encoding is performed on all output produced by web applications.[\/p]"}],"reference":""},{"title":"Web browser-based controls","type":"topic","context":"","qty_controls":1,"content":[{"index":"1424.4","name":"ISM-1424","id":"1424","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Web applications implement Content-Security-Policy, HSTS and X-Frame-Options via security policy in response headers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Web 
applications implement Content-Security-Policy, HSTS and X-Frame-Options via security policy in response headers.[\/p]"}],"reference":""},{"title":"Web application firewalls","type":"topic","context":"","qty_controls":1,"content":[{"index":"1862.0","name":"ISM-1862","id":"1862","revision":0,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]If using a WAF, disclosing the IP addresses of web servers under an organisation\u2019s control (referred to as origin servers) is avoided and access to the origin servers is restricted to the WAF and authorised management networks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]If using a WAF, disclosing the IP addresses of web servers under an organisation\u2019s control (referred to as origin servers) is avoided and access to the origin servers is restricted to the WAF and authorised management networks.[\/p]"}],"reference":""},{"title":"Web application interaction with databases","type":"topic","context":"","qty_controls":4,"content":[{"index":"1275.1","name":"ISM-1275","id":"1275","revision":1,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]All queries to databases from web applications are filtered for legitimate content and correct syntax.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]All queries to databases from web applications are filtered for legitimate content and correct syntax.[\/p]"},{"index":"1276.4","name":"ISM-1276","id":"1276","revision":4,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Parameterised queries 
or stored procedures, instead of dynamically generated queries, are used by web applications for database interactions.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Parameterised queries or stored procedures, instead of dynamically generated queries, are used by web applications for database interactions.[\/p]"},{"index":"1278.4","name":"ISM-1278","id":"1278","revision":4,"updated":"Mar-23","timestamp":1679799343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Web applications are designed or configured to provide as little error information as possible about the structure of databases.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Web applications are designed or configured to provide as little error information as possible about the structure of databases.[\/p]"},{"index":"1536.2","name":"ISM-1536","id":"1536","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]All queries to databases from web applications that are initiated by users, and any resulting crash or error messages, are centrally logged.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]All queries to databases from web applications that are initiated by users, and any resulting crash or error messages, are centrally logged.[\/p]"}],"reference":""},{"title":"Web application event logging","type":"topic","context":"","qty_controls":1,"content":[{"index":"1911.0","name":"ISM-1911","id":"1911","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Web application crashes and error messages are centrally 
logged.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Web application crashes and error messages are centrally logged.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Database Systems","type":"guideline","qty_controls":13,"content":[{"title":"Database servers","type":"section","context":"","qty_controls":6,"content":[{"title":"Functional separation between database servers and web servers","type":"topic","context":"","qty_controls":1,"content":[{"index":"1269.3","name":"ISM-1269","id":"1269","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Database servers and web servers are functionally separated.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Database servers and web servers are functionally separated.[\/p]"}],"reference":""},{"title":"Communications between database servers and web servers","type":"topic","context":"","qty_controls":1,"content":[{"index":"1277.4","name":"ISM-1277","id":"1277","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Data communicated between database servers and web servers is encrypted.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Data communicated between database servers and web servers is encrypted.[\/p]"}],"reference":""},{"title":"Network environment","type":"topic","context":"","qty_controls":3,"content":[{"index":"1270.3","name":"ISM-1270","id":"1270","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Database servers are placed on a different 
network segment to user workstations.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Database servers are placed on a different network segment to user workstations.[\/p]"},{"index":"1271.2","name":"ISM-1271","id":"1271","revision":2,"updated":"Jan-20","timestamp":1580007343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Network access controls are implemented to restrict database server communications to strictly defined network resources, such as web servers, application servers and storage area networks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Network access controls are implemented to restrict database server communications to strictly defined network resources, such as web servers, application servers and storage area networks.[\/p]"},{"index":"1272.1","name":"ISM-1272","id":"1272","revision":1,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]If only local access to a database is required, networking functionality of database management system software is disabled or directed to listen solely to the localhost interface.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]If only local access to a database is required, networking functionality of database management system software is disabled or directed to listen solely to the localhost interface.[\/p]"}],"reference":""},{"title":"Separation of development, testing and production database servers","type":"topic","context":"","qty_controls":1,"content":[{"index":"1273.3","name":"ISM-1273","id":"1273","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Development and testing environments do not use the same database servers as production environments.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Development and testing environments do not use the same database servers as production environments.[\/p]"}],"reference":""}],"reference":""},{"title":"Databases","type":"section","context":"","qty_controls":7,"content":[{"title":"Database register","type":"topic","context":"","qty_controls":1,"content":[{"index":"1243.6","name":"ISM-1243","id":"1243","revision":6,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A database register is developed, implemented, maintained and verified on a regular basis.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A database register is developed, implemented, maintained and verified on a regular basis.[\/p]"}],"reference":""},{"title":"Protecting databases","type":"topic","context":"","qty_controls":1,"content":[{"index":"1256.3","name":"ISM-1256","id":"1256","revision":3,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]File-based access controls are applied to database files.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]File-based access controls are applied to database files.[\/p]"}],"reference":""},{"title":"Protecting database contents","type":"topic","context":"","qty_controls":3,"content":[{"index":"0393.8","name":"ISM-0393","id":"0393","revision":8,"updated":"Jun-21","timestamp":1624679743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Databases and their 
contents are classified based on the sensitivity or classification of data that they contain.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Databases and their contents are classified based on the sensitivity or classification of data that they contain.[\/p]"},{"index":"1255.4","name":"ISM-1255","id":"1255","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Database users\u2019 ability to access, insert, modify and remove database contents is restricted based on their work duties.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Database users\u2019 ability to access, insert, modify and remove database contents is restricted based on their work duties.[\/p]"},{"index":"1268.1","name":"ISM-1268","id":"1268","revision":1,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles.[\/p]"}],"reference":""},{"title":"Separation of development, testing and production databases","type":"topic","context":"","qty_controls":1,"content":[{"index":"1274.6","name":"ISM-1274","id":"1274","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Database contents from production environments are not used in development or testing 
environments unless the environment is secured to the same level as the production environment.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Database contents from production environments are not used in development or testing environments unless the environment is secured to the same level as the production environment.[\/p]"}],"reference":""},{"title":"Database event logging","type":"topic","context":"","qty_controls":1,"content":[{"index":"1537.4","name":"ISM-1537","id":"1537","revision":4,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The following events are centrally logged for databases:[\/p][ul][li]access or modification of particularly important content[\/li][li]addition of new users, especially privileged users[\/li][li]changes to user roles or privileges[\/li][li]attempts to elevate user privileges[\/li][li]queries containing comments[\/li][li]queries containing multiple embedded queries[\/li][li]database and query alerts or failures[\/li][li]database structure changes[\/li][li]database administrator actions[\/li][li]use of executable commands[\/li][li]database logons and logoffs.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The following events are centrally logged for databases:[\/p][ul][li]access or modification of particularly important content[\/li][li]addition of new users, especially privileged users[\/li][li]changes to user roles or privileges[\/li][li]attempts to elevate user privileges[\/li][li]queries containing comments[\/li][li]queries containing multiple embedded queries[\/li][li]database and query alerts or failures[\/li][li]database structure changes[\/li][li]database administrator actions[\/li][li]use of executable commands[\/li][li]database logons and 
logoffs.[\/li][\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Email","type":"guideline","qty_controls":26,"content":[{"title":"Email usage","type":"section","context":"","qty_controls":9,"content":[{"title":"Email usage policy","type":"topic","context":"","qty_controls":1,"content":[{"index":"0264.4","name":"ISM-0264","id":"0264","revision":4,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]An email usage policy is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]An email usage policy is developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Webmail services","type":"topic","context":"","qty_controls":1,"content":[{"index":"0267.7","name":"ISM-0267","id":"0267","revision":7,"updated":"Mar-19","timestamp":1553568943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Access to non-approved webmail services is blocked.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Access to non-approved webmail services is blocked.[\/p]"}],"reference":""},{"title":"Protective markings for emails","type":"topic","context":"","qty_controls":1,"content":[{"index":"0270.6","name":"ISM-0270","id":"0270","revision":6,"updated":"Jun-21","timestamp":1624679743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Protective markings are applied to emails and reflect the highest sensitivity or classification of the subject, body and attachments.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Protective markings are applied to emails and reflect the highest sensitivity or 
classification of the subject, body and attachments.[\/p]"}],"reference":""},{"title":"Protective marking tools","type":"topic","context":"","qty_controls":3,"content":[{"index":"0271.3","name":"ISM-0271","id":"0271","revision":3,"updated":"Mar-19","timestamp":1553568943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Protective marking tools do not automatically insert protective markings into emails.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Protective marking tools do not automatically insert protective markings into emails.[\/p]"},{"index":"0272.4","name":"ISM-0272","id":"0272","revision":4,"updated":"Mar-19","timestamp":1553568943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate.[\/p]"},{"index":"1089.5","name":"ISM-1089","id":"1089","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Protective marking tools do not allow users replying to or forwarding emails to select protective markings lower than previously used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Protective marking tools do not allow users replying to or forwarding emails to select protective markings lower than previously used.[\/p]"}],"reference":""},{"title":"Handling emails with inappropriate, invalid or missing 
protective markings","type":"topic","context":"","qty_controls":2,"content":[{"index":"0565.4","name":"ISM-0565","id":"0565","revision":4,"updated":"Mar-19","timestamp":1553568943,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Email servers are configured to block, log and report emails with inappropriate protective markings.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Email servers are configured to block, log and report emails with inappropriate protective markings.[\/p]"},{"index":"1023.6","name":"ISM-1023","id":"1023","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The intended recipients of blocked inbound emails, and the senders of blocked outbound emails, are notified.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The intended recipients of blocked inbound emails, and the senders of blocked outbound emails, are notified.[\/p]"}],"reference":""},{"title":"Email distribution lists","type":"topic","context":"","qty_controls":1,"content":[{"index":"0269.5","name":"ISM-0269","id":"0269","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Emails containing Australian Eyes Only, Australian Government Access Only or Releasable To data are not sent to email distribution lists unless the nationality of all members of email distribution lists can be confirmed.[\/p]","classificationString":"S, TS","content":"[p]Emails containing Australian Eyes Only, Australian Government Access Only or Releasable To data are not sent to email distribution lists unless the nationality of all members of email distribution lists can be 
confirmed.[\/p]"}],"reference":""}],"reference":""},{"title":"Email gateways and servers","type":"section","context":"","qty_controls":17,"content":[{"title":"Centralised email gateways","type":"topic","context":"","qty_controls":2,"content":[{"index":"0569.5","name":"ISM-0569","id":"0569","revision":5,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Emails are routed via centralised email gateways.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Emails are routed via centralised email gateways.[\/p]"},{"index":"0571.7","name":"ISM-0571","id":"0571","revision":7,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When users send or receive emails, an authenticated and encrypted channel is used to route emails via their organisation\u2019s centralised email gateways.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When users send or receive emails, an authenticated and encrypted channel is used to route emails via their organisation\u2019s centralised email gateways.[\/p]"}],"reference":""},{"title":"Email gateway maintenance activities","type":"topic","context":"","qty_controls":1,"content":[{"index":"0570.4","name":"ISM-0570","id":"0570","revision":4,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Where backup or alternative email gateways are in place, they are maintained at the same 
standard as the primary email gateway.[\/p]"}],"reference":""},{"title":"Open relay email servers","type":"topic","context":"","qty_controls":1,"content":[{"index":"0567.5","name":"ISM-0567","id":"0567","revision":5,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Email servers only relay emails destined for or originating from their domains (including subdomains).[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Email servers only relay emails destined for or originating from their domains (including subdomains).[\/p]"}],"reference":""},{"title":"Email server transport encryption","type":"topic","context":"","qty_controls":2,"content":[{"index":"0572.4","name":"ISM-0572","id":"0572","revision":4,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Opportunistic TLS encryption is enabled on email servers that make incoming or outgoing email connections over public network infrastructure.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Opportunistic TLS encryption is enabled on email servers that make incoming or outgoing email connections over public network infrastructure.[\/p]"},{"index":"1589.2","name":"ISM-1589","id":"1589","revision":2,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]MTA-STS is enabled to prevent the unencrypted transfer of emails between complying servers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]MTA-STS is enabled to prevent the unencrypted transfer of emails between complying servers.[\/p]"}],"reference":""},{"title":"Sender 
Policy Framework","type":"topic","context":"","qty_controls":3,"content":[{"index":"0574.7","name":"ISM-0574","id":"0574","revision":7,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SPF is used to specify authorised email servers (or lack thereof) for an organisation\u2019s domains (including subdomains).[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]SPF is used to specify authorised email servers (or lack thereof) for an organisation\u2019s domains (including subdomains).[\/p]"},{"index":"1183.3","name":"ISM-1183","id":"1183","revision":3,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A hard fail SPF record is used when specifying authorised email servers (or lack thereof) for an organisation\u2019s domains (including subdomains).[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A hard fail SPF record is used when specifying authorised email servers (or lack thereof) for an organisation\u2019s domains (including subdomains).[\/p]"},{"index":"1151.3","name":"ISM-1151","id":"1151","revision":3,"updated":"Oct-19","timestamp":1572058543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SPF is used to verify the authenticity of incoming emails.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]SPF is used to verify the authenticity of incoming emails.[\/p]"}],"reference":""},{"title":"DomainKeys Identified 
Mail","type":"topic","context":"","qty_controls":3,"content":[{"index":"0861.3","name":"ISM-0861","id":"0861","revision":3,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]DKIM signing is enabled on emails originating from an organisation\u2019s domains (including subdomains).[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]DKIM signing is enabled on emails originating from an organisation\u2019s domains (including subdomains).[\/p]"},{"index":"1026.6","name":"ISM-1026","id":"1026","revision":6,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]DKIM signatures on incoming emails are verified.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]DKIM signatures on incoming emails are verified.[\/p]"},{"index":"1027.4","name":"ISM-1027","id":"1027","revision":4,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Email distribution list software used by external senders is configured such that it does not break the validity of the sender\u2019s DKIM signature.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Email distribution list software used by external senders is configured such that it does not break the validity of the sender\u2019s DKIM signature.[\/p]"}],"reference":""},{"title":"Domain-based Message Authentication, Reporting and 
Conformance","type":"topic","context":"","qty_controls":2,"content":[{"index":"1540.3","name":"ISM-1540","id":"1540","revision":3,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]DMARC records are configured for an organisation\u2019s domains (including subdomains) such that emails are rejected if they do not pass DMARC checks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]DMARC records are configured for an organisation\u2019s domains (including subdomains) such that emails are rejected if they do not pass DMARC checks.[\/p]"},{"index":"1799.0","name":"ISM-1799","id":"1799","revision":0,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Incoming emails are rejected if they do not pass DMARC checks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Incoming emails are rejected if they do not pass DMARC checks.[\/p]"}],"reference":""},{"title":"Email content filtering","type":"topic","context":"","qty_controls":1,"content":[{"index":"1234.5","name":"ISM-1234","id":"1234","revision":5,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Email content filtering is implemented to filter potentially harmful content in email bodies and attachments.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Email content filtering is implemented to filter potentially harmful content in email bodies and attachments.[\/p]"}],"reference":""},{"title":"Blocking suspicious 
emails","type":"topic","context":"","qty_controls":1,"content":[{"index":"1502.2","name":"ISM-1502","id":"1502","revision":2,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Emails arriving via an external connection where the email source address uses an internal domain, or internal subdomain, are blocked at the email gateway.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Emails arriving via an external connection where the email source address uses an internal domain, or internal subdomain, are blocked at the email gateway.[\/p]"}],"reference":""},{"title":"Notifications of undeliverable emails","type":"topic","context":"","qty_controls":1,"content":[{"index":"1024.5","name":"ISM-1024","id":"1024","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Notifications of undeliverable emails are only sent to senders that can be verified via SPF or other trusted means.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Notifications of undeliverable emails are only sent to senders that can be verified via SPF or other trusted means.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Networking","type":"guideline","qty_controls":66,"content":[{"title":"Network design and configuration","type":"section","context":"","qty_controls":34,"content":[{"title":"Network documentation","type":"topic","context":"","qty_controls":4,"content":[{"index":"0518.6","name":"ISM-0518","id":"0518","revision":6,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Network documentation is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Network documentation is developed, implemented and maintained.[\/p]"},{"index":"0516.5","name":"ISM-0516","id":"0516","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Network documentation includes high-level network diagrams showing all connections into networks and logical network diagrams showing all critical servers, high-value servers, network devices and network security appliances.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Network documentation includes high-level network diagrams showing all connections into networks and logical network diagrams showing all critical servers, high-value servers, network devices and network security appliances.[\/p]"},{"index":"1912.0","name":"ISM-1912","id":"1912","revision":0,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Network documentation includes device settings for all critical servers, high-value servers, network devices and network security appliances.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Network documentation includes device settings for all critical servers, high-value servers, network devices and network security appliances.[\/p]"},{"index":"1178.3","name":"ISM-1178","id":"1178","revision":3,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Network documentation provided to a third party, or published in public tender 
documentation, only contains details necessary for other parties to undertake contractual services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services.[\/p]"}],"reference":""},{"title":"Network encryption","type":"topic","context":"","qty_controls":1,"content":[{"index":"1781.0","name":"ISM-1781","id":"1781","revision":0,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]All data communicated over network infrastructure is encrypted.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]All data communicated over network infrastructure is encrypted.[\/p]"}],"reference":""},{"title":"Network segmentation and segregation","type":"topic","context":"","qty_controls":2,"content":[{"index":"1181.5","name":"ISM-1181","id":"1181","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Networks are segregated into multiple network zones according to the criticality of servers, services and data.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Networks are segregated into multiple network zones according to the criticality of servers, services and data.[\/p]"},{"index":"1577.1","name":"ISM-1577","id":"1577","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]An organisation\u2019s networks are segregated from their service providers\u2019 networks.[\/p]","classificationString":"O, OS, 
P, S, TS","content":"[p]An organisation\u2019s networks are segregated from their service providers\u2019 networks.[\/p]"}],"reference":""},{"title":"Using Virtual Local Area Networks","type":"topic","context":"","qty_controls":5,"content":[{"index":"1532.3","name":"ISM-1532","id":"1532","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]VLANs are not used to separate network traffic between an organisation\u2019s networks and public network infrastructure.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]VLANs are not used to separate network traffic between an organisation\u2019s networks and public network infrastructure.[\/p]"},{"index":"0529.6","name":"ISM-0529","id":"0529","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]VLANs are not used to separate network traffic between networks belonging to different security domains.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]VLANs are not used to separate network traffic between networks belonging to different security domains.[\/p]"},{"index":"0530.6","name":"ISM-0530","id":"0530","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Network devices managing VLANs are administered from the most trusted security domain.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Network devices managing VLANs are administered from the most trusted security 
domain.[\/p]"},{"index":"0535.6","name":"ISM-0535","id":"0535","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Network devices managing VLANs belonging to different security domains do not share VLAN trunks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Network devices managing VLANs belonging to different security domains do not share VLAN trunks.[\/p]"},{"index":"1364.3","name":"ISM-1364","id":"1364","revision":3,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Network devices managing VLANs terminate VLANs belonging to different security domains on separate physical network interfaces.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Network devices managing VLANs terminate VLANs belonging to different security domains on separate physical network interfaces.[\/p]"}],"reference":""},{"title":"Using Internet Protocol version 6","type":"topic","context":"","qty_controls":5,"content":[{"index":"0521.6","name":"ISM-0521","id":"0521","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]IPv6 functionality is disabled in dual-stack network devices unless it is being used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]IPv6 functionality is disabled in dual-stack network devices unless it is being used.[\/p]"},{"index":"1186.4","name":"ISM-1186","id":"1186","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]IPv6 capable network security appliances are used on IPv6 and dual-stack networks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]IPv6 capable network security appliances are used on IPv6 and dual-stack networks.[\/p]"},{"index":"1428.2","name":"ISM-1428","id":"1428","revision":2,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Unless explicitly required, IPv6 tunnelling is disabled on all network devices.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unless explicitly required, IPv6 tunnelling is disabled on all network devices.[\/p]"},{"index":"1429.3","name":"ISM-1429","id":"1429","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]IPv6 tunnelling is blocked by network security appliances at externally-connected network boundaries.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]IPv6 tunnelling is blocked by network security appliances at externally-connected network boundaries.[\/p]"},{"index":"1430.3","name":"ISM-1430","id":"1430","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease data stored in a centralised event logging facility.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease data stored in a centralised 
event logging facility.[\/p]"}],"reference":""},{"title":"Network access controls","type":"topic","context":"","qty_controls":2,"content":[{"index":"0520.7","name":"ISM-0520","id":"0520","revision":7,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Network access controls are implemented on networks to prevent the connection of unauthorised network devices and other ICT equipment.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Network access controls are implemented on networks to prevent the connection of unauthorised network devices and other ICT equipment.[\/p]"},{"index":"1182.5","name":"ISM-1182","id":"1182","revision":5,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Network access controls are implemented to limit the flow of network traffic within and between network segments to only that required for business purposes.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Network access controls are implemented to limit the flow of network traffic within and between network segments to only that required for business purposes.[\/p]"}],"reference":""},{"title":"Functional separation between servers","type":"topic","context":"","qty_controls":2,"content":[{"index":"0385.6","name":"ISM-0385","id":"0385","revision":6,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Servers maintain effective functional separation with other servers allowing them to operate independently.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Servers maintain effective functional 
separation with other servers allowing them to operate independently.[\/p]"},{"index":"1479.0","name":"ISM-1479","id":"1479","revision":0,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Servers minimise communications with other servers at both the network and file system level.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Servers minimise communications with other servers at both the network and file system level.[\/p]"}],"reference":""},{"title":"Networked management interfaces","type":"topic","context":"","qty_controls":1,"content":[{"index":"1863.0","name":"ISM-1863","id":"1863","revision":0,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Networked management interfaces for ICT equipment are not directly exposed to the internet.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Networked management interfaces for ICT equipment are not directly exposed to the internet.[\/p]"}],"reference":""},{"title":"Network management traffic","type":"topic","context":"","qty_controls":1,"content":[{"index":"1006.6","name":"ISM-1006","id":"1006","revision":6,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Security measures are implemented to prevent unauthorised access to network management traffic.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Security measures are implemented to prevent unauthorised access to network management traffic.[\/p]"}],"reference":""},{"title":"Use of Simple Network Management 
Protocol","type":"topic","context":"","qty_controls":2,"content":[{"index":"1311.3","name":"ISM-1311","id":"1311","revision":3,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SNMP version 1 and SNMP version 2 are not used on networks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]SNMP version 1 and SNMP version 2 are not used on networks.[\/p]"},{"index":"1312.3","name":"ISM-1312","id":"1312","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]All default SNMP community strings on network devices are changed and write access is disabled.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]All default SNMP community strings on network devices are changed and write access is disabled.[\/p]"}],"reference":""},{"title":"Using Network-based Intrusion Detection and Prevention Systems","type":"topic","context":"","qty_controls":2,"content":[{"index":"1028.8","name":"ISM-1028","id":"1028","revision":8,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A NIDS or NIPS is deployed in gateways between an organisation\u2019s networks and other networks they do not manage.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A NIDS or NIPS is deployed in gateways between an organisation\u2019s networks and other networks they do not manage.[\/p]"},{"index":"1030.8","name":"ISM-1030","id":"1030","revision":8,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A NIDS or NIPS is located immediately inside the outermost firewall for gateways and configured to generate event logs and alerts for network traffic that contravenes any rule in a firewall ruleset.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A NIDS or NIPS is located immediately inside the outermost firewall for gateways and configured to generate event logs and alerts for network traffic that contravenes any rule in a firewall ruleset.[\/p]"}],"reference":""},{"title":"Blocking anonymity network traffic","type":"topic","context":"","qty_controls":2,"content":[{"index":"1627.1","name":"ISM-1627","id":"1627","revision":1,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Inbound network connections from anonymity networks are blocked.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Inbound network connections from anonymity networks are blocked.[\/p]"},{"index":"1628.0","name":"ISM-1628","id":"1628","revision":0,"updated":"Nov-20","timestamp":1606359343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Outbound network connections to anonymity networks are blocked.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Outbound network connections to anonymity networks are blocked.[\/p]"}],"reference":""},{"title":"Protective Domain Name System Services","type":"topic","context":"","qty_controls":1,"content":[{"index":"1782.1","name":"ISM-1782","id":"1782","revision":1,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]A protective DNS service is used to block access to known malicious domain names.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A protective DNS service is used to block access to known malicious domain names.[\/p]"}],"reference":""},{"title":"Flashing network devices with trusted firmware before first use","type":"topic","context":"","qty_controls":1,"content":[{"index":"1800.0","name":"ISM-1800","id":"1800","revision":0,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Network devices are flashed with trusted firmware before they are used for the first time.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Network devices are flashed with trusted firmware before they are used for the first time.[\/p]"}],"reference":""},{"title":"Default accounts and credentials for network devices","type":"topic","context":"","qty_controls":1,"content":[{"index":"1304.4","name":"ISM-1304","id":"1304","revision":4,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Default accounts or credentials for network devices, including for any pre-configured accounts, are changed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Default accounts or credentials for network devices, including for any pre-configured accounts, are changed.[\/p]"}],"reference":""},{"title":"Disabling unused physical ports on network devices","type":"topic","context":"","qty_controls":1,"content":[{"index":"0534.2","name":"ISM-0534","id":"0534","revision":2,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Unused physical ports on network devices are disabled.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Unused physical ports on network devices are disabled.[\/p]"}],"reference":""},{"title":"Regularly restarting network devices","type":"topic","context":"","qty_controls":1,"content":[{"index":"1801.0","name":"ISM-1801","id":"1801","revision":0,"updated":"Sep-22","timestamp":1664164543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Network devices are restarted on at least a monthly basis.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Network devices are restarted on at least a monthly basis.[\/p]"}],"reference":""}],"reference":""},{"title":"Wireless networks","type":"section","context":"","qty_controls":23,"content":[{"title":"Choosing wireless devices","type":"topic","context":"","qty_controls":1,"content":[{"index":"1314.2","name":"ISM-1314","id":"1314","revision":2,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]All wireless devices are Wi-Fi Alliance certified.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]All wireless devices are Wi-Fi Alliance certified.[\/p]"}],"reference":""},{"title":"Public wireless networks","type":"topic","context":"","qty_controls":1,"content":[{"index":"0536.7","name":"ISM-0536","id":"0536","revision":7,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Public wireless networks provided for general public use are segregated from all other organisation networks.[\/p]","classificationString":"O, OS, P, S, 
TS","content":"[p]Public wireless networks provided for general public use are segregated from all other organisation networks.[\/p]"}],"reference":""},{"title":"Administrative interfaces for wireless access points","type":"topic","context":"","qty_controls":1,"content":[{"index":"1315.2","name":"ISM-1315","id":"1315","revision":2,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The administrative interface on wireless access points is disabled for wireless network connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The administrative interface on wireless access points is disabled for wireless network connections.[\/p]"}],"reference":""},{"title":"Default settings","type":"topic","context":"","qty_controls":4,"content":[{"index":"1710.2","name":"ISM-1710","id":"1710","revision":2,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Settings for wireless access points are hardened.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Settings for wireless access points are hardened.[\/p]"},{"index":"1316.3","name":"ISM-1316","id":"1316","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Default SSIDs of wireless access points are changed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Default SSIDs of wireless access points are changed.[\/p]"},{"index":"1317.3","name":"ISM-1317","id":"1317","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: 
Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SSIDs of non-public wireless networks are not readily associated with an organisation, the location of their premises or the functionality of wireless networks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]SSIDs of non-public wireless networks are not readily associated with an organisation, the location of their premises or the functionality of wireless networks.[\/p]"},{"index":"1318.3","name":"ISM-1318","id":"1318","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SSID broadcasting is not disabled on wireless access points.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]SSID broadcasting is not disabled on wireless access points.[\/p]"}],"reference":""},{"title":"Media Access Control address filtering","type":"topic","context":"","qty_controls":1,"content":[{"index":"1320.2","name":"ISM-1320","id":"1320","revision":2,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]MAC address filtering is not used to restrict which devices can connect to wireless networks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]MAC address filtering is not used to restrict which devices can connect to wireless networks.[\/p]"}],"reference":""},{"title":"Static addressing","type":"topic","context":"","qty_controls":1,"content":[{"index":"1319.2","name":"ISM-1319","id":"1319","revision":2,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Static addressing is not used for 
assigning IP addresses on wireless networks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Static addressing is not used for assigning IP addresses on wireless networks.[\/p]"}],"reference":""},{"title":"Confidentiality and integrity of wireless network traffic","type":"topic","context":"","qty_controls":1,"content":[{"index":"1332.3","name":"ISM-1332","id":"1332","revision":3,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]WPA3-Enterprise 192-bit mode is used to protect the confidentiality and integrity of all wireless network traffic.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]WPA3-Enterprise 192-bit mode is used to protect the confidentiality and integrity of all wireless network traffic.[\/p]"}],"reference":""},{"title":"802.1X authentication","type":"topic","context":"","qty_controls":2,"content":[{"index":"1321.2","name":"ISM-1321","id":"1321","revision":2,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual authentication; with all other EAP methods disabled on supplicants and authentication servers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual authentication; with all other EAP methods disabled on supplicants and authentication servers.[\/p]"},{"index":"1711.0","name":"ISM-1711","id":"1711","revision":0,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]User identity 
confidentiality is used if available with EAP-TLS implementations.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]User identity confidentiality is used if available with EAP-TLS implementations.[\/p]"}],"reference":""},{"title":"Evaluation of 802.1X authentication implementation","type":"topic","context":"","qty_controls":1,"content":[{"index":"1322.4","name":"ISM-1322","id":"1322","revision":4,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Evaluated supplicants, authenticators, wireless access points and authentication servers are used in wireless networks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Evaluated supplicants, authenticators, wireless access points and authentication servers are used in wireless networks.[\/p]"}],"reference":""},{"title":"Generating and issuing certificates for authentication","type":"topic","context":"","qty_controls":3,"content":[{"index":"1324.4","name":"ISM-1324","id":"1324","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Certificates are generated using an evaluated certificate authority or hardware security module.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Certificates are generated using an evaluated certificate authority or hardware security module.[\/p]"},{"index":"1323.3","name":"ISM-1323","id":"1323","revision":3,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Certificates are required for both devices and users accessing wireless networks.[\/p]","classificationString":"O, OS, P, S, 
TS","content":"[p]Certificates are required for both devices and users accessing wireless networks.[\/p]"},{"index":"1327.2","name":"ISM-1327","id":"1327","revision":2,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Certificates are protected by encryption, user authentication, and both logical and physical access controls.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Certificates are protected by encryption, user authentication, and both logical and physical access controls.[\/p]"}],"reference":""},{"title":"Caching 802.1X authentication outcomes","type":"topic","context":"","qty_controls":1,"content":[{"index":"1330.1","name":"ISM-1330","id":"1330","revision":1,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The PMK caching period is not set to greater than 1440 minutes (24 hours).[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The PMK caching period is not set to greater than 1440 minutes (24 hours).[\/p]"}],"reference":""},{"title":"Fast Basic Service Set Transition","type":"topic","context":"","qty_controls":1,"content":[{"index":"1712.1","name":"ISM-1712","id":"1712","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The use of FT (802.11r) is disabled unless authenticator-to-authenticator communications are secured by an ASD-Approved Cryptographic Protocol.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The use of FT (802.11r) is disabled unless authenticator-to-authenticator communications are secured by an ASD-Approved 
Cryptographic Protocol.[\/p]"}],"reference":""},{"title":"Remote Authentication Dial-In User Service authentication","type":"topic","context":"","qty_controls":1,"content":[{"index":"1454.2","name":"ISM-1454","id":"1454","revision":2,"updated":"Sep-21","timestamp":1632628543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Communications between authenticators and a RADIUS server are encapsulated with an additional layer of encryption using RADIUS over Internet Protocol Security or RADIUS over Transport Layer Security.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Communications between authenticators and a RADIUS server are encapsulated with an additional layer of encryption using RADIUS over Internet Protocol Security or RADIUS over Transport Layer Security.[\/p]"}],"reference":""},{"title":"Interference between wireless networks","type":"topic","context":"","qty_controls":1,"content":[{"index":"1334.2","name":"ISM-1334","id":"1334","revision":2,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Wireless networks implement sufficient frequency separation from other wireless networks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Wireless networks implement sufficient frequency separation from other wireless networks.[\/p]"}],"reference":""},{"title":"Protecting management frames on wireless networks","type":"topic","context":"","qty_controls":1,"content":[{"index":"1335.1","name":"ISM-1335","id":"1335","revision":1,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Wireless access points enable the use of 
the 802.11w amendment to protect management frames.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Wireless access points enable the use of the 802.11w amendment to protect management frames.[\/p]"}],"reference":""},{"title":"Wireless network footprint","type":"topic","context":"","qty_controls":2,"content":[{"index":"1338.2","name":"ISM-1338","id":"1338","revision":2,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint for wireless networks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint for wireless networks.[\/p]"},{"index":"1013.6","name":"ISM-1013","id":"1013","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The effective range of wireless communications outside an organisation\u2019s area of control is limited by implementing RF shielding on facilities in which SECRET or TOP SECRET wireless networks are used.[\/p]","classificationString":"S, TS","content":"[p]The effective range of wireless communications outside an organisation\u2019s area of control is limited by implementing RF shielding on facilities in which SECRET or TOP SECRET wireless networks are used.[\/p]"}],"reference":""}],"reference":""},{"title":"Service continuity for online services","type":"section","context":"","qty_controls":9,"content":[{"title":"Cloud-based hosting of online 
services","type":"topic","context":"","qty_controls":1,"content":[{"index":"1437.5","name":"ISM-1437","id":"1437","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cloud service providers are used for hosting online services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cloud service providers are used for hosting online services.[\/p]"}],"reference":""},{"title":"Capacity and availability planning and monitoring for online services","type":"topic","context":"","qty_controls":3,"content":[{"index":"1579.2","name":"ISM-1579","id":"1579","revision":2,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cloud service providers\u2019 ability to dynamically scale resources in response to a genuine spike in demand is discussed and verified as part of capacity and availability planning for online services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cloud service providers\u2019 ability to dynamically scale resources in response to a genuine spike in demand is discussed and verified as part of capacity and availability planning for online services.[\/p]"},{"index":"1580.1","name":"ISM-1580","id":"1580","revision":1,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Where a high availability requirement exists for online services, the services are architected to automatically transition between availability zones.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Where a high availability requirement exists for online services, the services are 
architected to automatically transition between availability zones.[\/p]"},{"index":"1581.3","name":"ISM-1581","id":"1581","revision":3,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Continuous real-time monitoring of the capacity and availability of online services is performed.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Continuous real-time monitoring of the capacity and availability of online services is performed.[\/p]"}],"reference":""},{"title":"Using content delivery networks","type":"topic","context":"","qty_controls":2,"content":[{"index":"1438.2","name":"ISM-1438","id":"1438","revision":2,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Where a high availability requirement exists for website hosting, CDNs that cache websites are used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Where a high availability requirement exists for website hosting, CDNs that cache websites are used.[\/p]"},{"index":"1439.3","name":"ISM-1439","id":"1439","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]If using CDNs, disclosing the IP addresses of web servers under an organisation\u2019s control (referred to as origin servers) is avoided and access to the origin servers is restricted to the CDNs and authorised management networks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]If using CDNs, disclosing the IP addresses of web servers under an organisation\u2019s control (referred to as origin servers) is avoided and access to the origin servers 
is restricted to the CDNs and authorised management networks.[\/p]"}],"reference":""},{"title":"Denial-of-service attack mitigation strategies","type":"topic","context":"","qty_controls":3,"content":[{"index":"1431.5","name":"ISM-1431","id":"1431","revision":5,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Denial-of-service attack mitigation strategies are discussed with cloud service providers, specifically:[\/p][ul][li]their capacity to withstand denial-of-service attacks[\/li][li]costs likely to be incurred as a result of denial-of-service attacks[\/li][li]availability monitoring and thresholds for notification of denial-of-service attacks[\/li][li]thresholds for turning off any online services or functionality during denial-of-service attacks[\/li][li]pre-approved actions that can be undertaken during denial-of-service attacks[\/li][li]any arrangements with upstream service providers to block malicious network traffic as far upstream as possible.[\/li][\/ul]","classificationString":"O, OS, P, S, TS","content":"[p]Denial-of-service attack mitigation strategies are discussed with cloud service providers, specifically:[\/p][ul][li]their capacity to withstand denial-of-service attacks[\/li][li]costs likely to be incurred as a result of denial-of-service attacks[\/li][li]availability monitoring and thresholds for notification of denial-of-service attacks[\/li][li]thresholds for turning off any online services or functionality during denial-of-service attacks[\/li][li]pre-approved actions that can be undertaken during denial-of-service attacks[\/li][li]any arrangements with upstream service providers to block malicious network traffic as far upstream as 
possible.[\/li][\/ul]"},{"index":"1436.3","name":"ISM-1436","id":"1436","revision":3,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Critical online services are segregated from other online services that are more likely to be targeted as part of denial-of-service attacks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Critical online services are segregated from other online services that are more likely to be targeted as part of denial-of-service attacks.[\/p]"},{"index":"1432.3","name":"ISM-1432","id":"1432","revision":3,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Domain names for online services are protected via registrar locking and confirming that domain registration details are correct.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Domain names for online services are protected via registrar locking and confirming that domain registration details are correct.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Cryptography","type":"guideline","qty_controls":65,"content":[{"title":"Cryptographic fundamentals","type":"section","context":"","qty_controls":15,"content":[{"title":"Communications security doctrine","type":"topic","context":"","qty_controls":1,"content":[{"index":"0499.11","name":"ISM-0499","id":"0499","revision":11,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Communications security doctrine produced by ASD for the management and operation of HACE is complied with.[\/p]","classificationString":"S, TS","content":"[p]Communications security doctrine produced by ASD 
for the management and operation of HACE is complied with.[\/p]"}],"reference":""},{"title":"Approved High Assurance Cryptographic Equipment","type":"topic","context":"","qty_controls":1,"content":[{"index":"1802.1","name":"ISM-1802","id":"1802","revision":1,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]HACE are issued an Approval for Use by ASD and operated in accordance with the latest version of their associated Australian Communications Security Instructions.[\/p]","classificationString":"S, TS","content":"[p]HACE are issued an Approval for Use by ASD and operated in accordance with the latest version of their associated Australian Communications Security Instructions.[\/p]"}],"reference":""},{"title":"Cryptographic key management processes and procedures","type":"topic","context":"","qty_controls":1,"content":[{"index":"0507.5","name":"ISM-0507","id":"0507","revision":5,"updated":"Dec-22","timestamp":1672023343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Cryptographic key management processes, and supporting cryptographic key management procedures, are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Cryptographic key management processes, and supporting cryptographic key management procedures, are developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Encrypting data at rest","type":"topic","context":"","qty_controls":4,"content":[{"index":"1080.5","name":"ISM-1080","id":"1080","revision":5,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]An ASD-Approved Cryptographic Algorithm (AACA) or high assurance 
cryptographic algorithm is used when encrypting media.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]An ASD-Approved Cryptographic Algorithm (AACA) or high assurance cryptographic algorithm is used when encrypting media.[\/p]"},{"index":"0457.9","name":"ISM-0457","id":"0457","revision":9,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]Cryptographic equipment or software that has completed a Common Criteria evaluation against a Protection Profile is used when encrypting media that contains OFFICIAL: Sensitive or PROTECTED data.[\/p]","classificationString":"OS, P","content":"[p]Cryptographic equipment or software that has completed a Common Criteria evaluation against a Protection Profile is used when encrypting media that contains OFFICIAL: Sensitive or PROTECTED data.[\/p]"},{"index":"0460.13","name":"ISM-0460","id":"0460","revision":13,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]HACE is used when encrypting media that contains SECRET or TOP SECRET data.[\/p]","classificationString":"S, TS","content":"[p]HACE is used when encrypting media that contains SECRET or TOP SECRET data.[\/p]"},{"index":"0459.4","name":"ISM-0459","id":"0459","revision":4,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition, is implemented when encrypting data at rest.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition, is implemented when encrypting data at 
rest.[\/p]"}],"reference":""},{"title":"Encrypting data in transit","type":"topic","context":"","qty_controls":3,"content":[{"index":"0469.6","name":"ISM-0469","id":"0469","revision":6,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]An ASD-Approved Cryptographic Protocol (AACP) or high assurance cryptographic protocol is used to protect data when communicated over network infrastructure.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]An ASD-Approved Cryptographic Protocol (AACP) or high assurance cryptographic protocol is used to protect data when communicated over network infrastructure.[\/p]"},{"index":"0465.9","name":"ISM-0465","id":"0465","revision":9,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]Cryptographic equipment or software that has completed a Common Criteria evaluation against a Protection Profile is used to protect OFFICIAL: Sensitive or PROTECTED data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.[\/p]","classificationString":"OS, P","content":"[p]Cryptographic equipment or software that has completed a Common Criteria evaluation against a Protection Profile is used to protect OFFICIAL: Sensitive or PROTECTED data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.[\/p]"},{"index":"0467.12","name":"ISM-0467","id":"0467","revision":12,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]HACE is used to protect SECRET and TOP SECRET data when communicated over insufficiently secure networks, outside of 
appropriately secure areas or via public network infrastructure.[\/p]","classificationString":"S, TS","content":"[p]HACE is used to protect SECRET and TOP SECRET data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.[\/p]"}],"reference":""},{"title":"Data recovery","type":"topic","context":"","qty_controls":1,"content":[{"index":"0455.3","name":"ISM-0455","id":"0455","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Where practical, cryptographic equipment and software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Where practical, cryptographic equipment and software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure.[\/p]"}],"reference":""},{"title":"Handling encrypted ICT equipment and media","type":"topic","context":"","qty_controls":1,"content":[{"index":"0462.7","name":"ISM-0462","id":"0462","revision":7,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When a user authenticates to the encryption functionality of ICT equipment or media, it is treated in accordance with its original sensitivity or classification until the user deauthenticates from the encryption functionality.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When a user authenticates to the encryption functionality of ICT equipment or media, it is treated in accordance with its original sensitivity or classification until the user deauthenticates from 
the encryption functionality.[\/p]"}],"reference":""},{"title":"Transporting cryptographic equipment","type":"topic","context":"","qty_controls":1,"content":[{"index":"0501.6","name":"ISM-0501","id":"0501","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Keyed cryptographic equipment is transported based on the sensitivity or classification of its keying material.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Keyed cryptographic equipment is transported based on the sensitivity or classification of its keying material.[\/p]"}],"reference":""},{"title":"Reporting cryptographic-related cyber security incidents","type":"topic","context":"","qty_controls":2,"content":[{"index":"0142.5","name":"ISM-0142","id":"0142","revision":5,"updated":"Jun-23","timestamp":1687751743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The compromise or suspected compromise of cryptographic equipment or associated keying material is reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The compromise or suspected compromise of cryptographic equipment or associated keying material is reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs.[\/p]"},{"index":"1091.6","name":"ISM-1091","id":"1091","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Keying material is changed when compromised or suspected of being 
compromised.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Keying material is changed when compromised or suspected of being compromised.[\/p]"}],"reference":""}],"reference":""},{"title":"ASD-Approved Cryptographic Algorithms","type":"section","context":"","qty_controls":22,"content":[{"title":"Using ASD-Approved Cryptographic Algorithms","type":"topic","context":"","qty_controls":1,"content":[{"index":"0471.7","name":"ISM-0471","id":"0471","revision":7,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Only AACAs or high assurance cryptographic algorithms are used by cryptographic equipment and software.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Only AACAs or high assurance cryptographic algorithms are used by cryptographic equipment and software.[\/p]"}],"reference":""},{"title":"Asymmetric\/public key algorithms","type":"topic","context":"","qty_controls":1,"content":[{"index":"0994.7","name":"ISM-0994","id":"0994","revision":7,"updated":"Mar-24","timestamp":1711421743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ECDH is used in preference to DH.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]ECDH is used in preference to DH.[\/p]"}],"reference":""},{"title":"Using Diffie-Hellman","type":"topic","context":"","qty_controls":3,"content":[{"index":"0472.6","name":"ISM-0472","id":"0472","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used, preferably 3072 bits.[\/p]","classificationString":"OS, P","content":"[p]When using DH for 
agreeing on encryption session keys, a modulus of at least 2048 bits is used, preferably 3072 bits.[\/p]"},{"index":"1759.0","name":"ISM-1759","id":"1759","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When using DH for agreeing on encryption session keys, a modulus of at least 3072 bits is used, preferably 3072 bits.[\/p]","classificationString":"S, TS","content":"[p]When using DH for agreeing on encryption session keys, a modulus of at least 3072 bits is used, preferably 3072 bits.[\/p]"},{"index":"1629.1","name":"ISM-1629","id":"1629","revision":1,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 
3.[\/p]"}],"reference":""},{"title":"Using Elliptic Curve Cryptography","type":"topic","context":"","qty_controls":1,"content":[{"index":"1446.3","name":"ISM-1446","id":"1446","revision":3,"updated":"Mar-24","timestamp":1711421743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When using elliptic curve cryptography, a suitable curve from NIST SP 800-186 is used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When using elliptic curve cryptography, a suitable curve from NIST SP 800-186 is used.[\/p]"}],"reference":""},{"title":"Using Elliptic Curve Diffie-Hellman","type":"topic","context":"","qty_controls":3,"content":[{"index":"0474.6","name":"ISM-0474","id":"0474","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used, preferably the NIST P-384 curve.[\/p]","classificationString":"OS, P","content":"[p]When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used, preferably the NIST P-384 curve.[\/p]"},{"index":"1761.0","name":"ISM-1761","id":"1761","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"S":"SECRET"},"applicability":"","statement":"[p]When using ECDH for agreeing on encryption session keys, NIST P-256, P-384 or P-521 curves are used, preferably the NIST P-384 curve.[\/p]","classificationString":"S","content":"[p]When using ECDH for agreeing on encryption session keys, NIST P-256, P-384 or P-521 curves are used, preferably the NIST P-384 
curve.[\/p]"},{"index":"1762.0","name":"ISM-1762","id":"1762","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]When using ECDH for agreeing on encryption session keys, NIST P-384 or P-521 curves are used, preferably the NIST P-384 curve.[\/p]","classificationString":"TS","content":"[p]When using ECDH for agreeing on encryption session keys, NIST P-384 or P-521 curves are used, preferably the NIST P-384 curve.[\/p]"}],"reference":""},{"title":"Using the Elliptic Curve Digital Signature Algorithm","type":"topic","context":"","qty_controls":3,"content":[{"index":"0475.6","name":"ISM-0475","id":"0475","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used, preferably the P-384 curve.[\/p]","classificationString":"OS, P","content":"[p]When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used, preferably the P-384 curve.[\/p]"},{"index":"1763.0","name":"ISM-1763","id":"1763","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"S":"SECRET"},"applicability":"","statement":"[p]When using ECDSA for digital signatures, NIST P-256, P-384 or P-521 curves are used, preferably the NIST P-384 curve.[\/p]","classificationString":"S","content":"[p]When using ECDSA for digital signatures, NIST P-256, P-384 or P-521 curves are used, preferably the NIST P-384 curve.[\/p]"},{"index":"1764.0","name":"ISM-1764","id":"1764","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]When using ECDSA for digital signatures, NIST P-384 or P-521 curves are used, preferably the NIST P-384 
curve.[\/p]","classificationString":"TS","content":"[p]When using ECDSA for digital signatures, NIST P-384 or P-521 curves are used, preferably the NIST P-384 curve.[\/p]"}],"reference":""},{"title":"Using Rivest-Shamir-Adleman","type":"topic","context":"","qty_controls":3,"content":[{"index":"0476.7","name":"ISM-0476","id":"0476","revision":7,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used, preferably 3072 bits.[\/p]","classificationString":"OS, P","content":"[p]When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used, preferably 3072 bits.[\/p]"},{"index":"1765.0","name":"ISM-1765","id":"1765","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 3072 bits is used, preferably 3072 bits.[\/p]","classificationString":"S, TS","content":"[p]When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 3072 bits is used, preferably 3072 bits.[\/p]"},{"index":"0477.8","name":"ISM-0477","id":"0477","revision":8,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When using RSA for digital signatures, and for passing encryption session keys or similar keys, a different key pair is used for digital signatures and passing encrypted session keys.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When using RSA for digital 
signatures, and for passing encryption session keys or similar keys, a different key pair is used for digital signatures and passing encrypted session keys.[\/p]"}],"reference":""},{"title":"Using hashing algorithms","type":"topic","context":"","qty_controls":3,"content":[{"index":"1766.0","name":"ISM-1766","id":"1766","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED"},"applicability":"","statement":"[p]When using SHA-2 for hashing, an output size of at least 224 bits is used, preferably SHA-384.[\/p]","classificationString":"OS, P","content":"[p]When using SHA-2 for hashing, an output size of at least 224 bits is used, preferably SHA-384.[\/p]"},{"index":"1767.0","name":"ISM-1767","id":"1767","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"S":"SECRET"},"applicability":"","statement":"[p]When using SHA-2 for hashing, an output size of at least 256 bits is used, preferably SHA-384.[\/p]","classificationString":"S","content":"[p]When using SHA-2 for hashing, an output size of at least 256 bits is used, preferably SHA-384.[\/p]"},{"index":"1768.0","name":"ISM-1768","id":"1768","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]When using SHA-2 for hashing, an output size of at least 384 bits is used, preferably SHA-384.[\/p]","classificationString":"TS","content":"[p]When using SHA-2 for hashing, an output size of at least 384 bits is used, preferably SHA-384.[\/p]"}],"reference":""},{"title":"Using symmetric encryption algorithms","type":"topic","context":"","qty_controls":3,"content":[{"index":"1769.0","name":"ISM-1769","id":"1769","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET"},"applicability":"","statement":"[p]When using 
AES for encryption, AES-128, AES-192 or AES-256 is used, preferably AES-256.[\/p]","classificationString":"OS, P, S","content":"[p]When using AES for encryption, AES-128, AES-192 or AES-256 is used, preferably AES-256.[\/p]"},{"index":"1770.0","name":"ISM-1770","id":"1770","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"TS":"TOP SECRET"},"applicability":"","statement":"[p]When using AES for encryption, AES-192 or AES-256 is used, preferably AES-256.[\/p]","classificationString":"TS","content":"[p]When using AES for encryption, AES-192 or AES-256 is used, preferably AES-256.[\/p]"},{"index":"0479.5","name":"ISM-0479","id":"0479","revision":5,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Symmetric cryptographic algorithms are not used in Electronic Codebook Mode.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Symmetric cryptographic algorithms are not used in Electronic Codebook Mode.[\/p]"}],"reference":""},{"title":"Planning for post-quantum cryptography standards","type":"topic","context":"","qty_controls":1,"content":[{"index":"1917.0","name":"ISM-1917","id":"1917","revision":0,"updated":"Mar-24","timestamp":1711421743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Future cryptographic requirements and dependencies are considered during the transition to post-quantum cryptographic standards.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Future cryptographic requirements and dependencies are considered during the transition to post-quantum cryptographic standards.[\/p]"}],"reference":""}],"reference":""},{"title":"ASD-Approved Cryptographic 
Protocols","type":"section","context":"","qty_controls":1,"content":[{"title":"Using ASD-Approved Cryptographic Protocols","type":"topic","context":"","qty_controls":1,"content":[{"index":"0481.6","name":"ISM-0481","id":"0481","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Only AACPs or high assurance cryptographic protocols are used by cryptographic equipment and software.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Only AACPs or high assurance cryptographic protocols are used by cryptographic equipment and software.[\/p]"}],"reference":""}],"reference":""},{"title":"Transport Layer Security","type":"section","context":"","qty_controls":10,"content":[{"title":"Configuring Transport Layer Security","type":"topic","context":"","qty_controls":10,"content":[{"index":"1139.6","name":"ISM-1139","id":"1139","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Only the latest version of TLS is used for TLS connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Only the latest version of TLS is used for TLS connections.[\/p]"},{"index":"1369.3","name":"ISM-1369","id":"1369","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]AES-GCM is used for encryption of TLS connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]AES-GCM is used for encryption of TLS 
connections.[\/p]"},{"index":"1370.3","name":"ISM-1370","id":"1370","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Only server-initiated secure renegotiation is used for TLS connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Only server-initiated secure renegotiation is used for TLS connections.[\/p]"},{"index":"1372.3","name":"ISM-1372","id":"1372","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]DH or ECDH is used for key establishment of TLS connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]DH or ECDH is used for key establishment of TLS connections.[\/p]"},{"index":"1448.2","name":"ISM-1448","id":"1448","revision":2,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When using DH or ECDH for key establishment of TLS connections, the ephemeral variant is used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When using DH or ECDH for key establishment of TLS connections, the ephemeral variant is used.[\/p]"},{"index":"1373.2","name":"ISM-1373","id":"1373","revision":2,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Anonymous DH is not used for TLS connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Anonymous DH is not used for TLS 
connections.[\/p]"},{"index":"1374.3","name":"ISM-1374","id":"1374","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SHA-2-based certificates are used for TLS connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]SHA-2-based certificates are used for TLS connections.[\/p]"},{"index":"1375.4","name":"ISM-1375","id":"1375","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SHA-2 is used for the Hash-based Message Authentication Code (HMAC) and pseudorandom function (PRF) for TLS connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]SHA-2 is used for the Hash-based Message Authentication Code (HMAC) and pseudorandom function (PRF) for TLS connections.[\/p]"},{"index":"1553.1","name":"ISM-1553","id":"1553","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]TLS compression is disabled for TLS connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]TLS compression is disabled for TLS connections.[\/p]"},{"index":"1453.1","name":"ISM-1453","id":"1453","revision":1,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Perfect Forward Secrecy (PFS) is used for TLS connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Perfect Forward Secrecy (PFS) is used for TLS connections.[\/p]"}],"reference":""}],"reference":""},{"title":"Secure 
Shell","type":"section","context":"","qty_controls":7,"content":[{"title":"Configuring Secure Shell","type":"topic","context":"","qty_controls":2,"content":[{"index":"1506.1","name":"ISM-1506","id":"1506","revision":1,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The use of SSH version 1 is disabled for SSH connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The use of SSH version 1 is disabled for SSH connections.[\/p]"},{"index":"0484.6","name":"ISM-0484","id":"0484","revision":6,"updated":"Dec-21","timestamp":1640487343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The SSH daemon is configured to:[\/p][ul][li]only listen on the required interfaces (ListenAddress xxx.xxx.xxx.xxx)[\/li][li]have a suitable login banner (Banner x)[\/li][li]have a login authentication timeout of no more than 60 seconds (LoginGraceTime 60)[\/li][li]disable host-based authentication (HostbasedAuthentication no)[\/li][li]disable rhosts-based authentication (IgnoreRhosts yes)[\/li][li]disable the ability to login directly as root (PermitRootLogin no)[\/li][li]disable empty passwords (PermitEmptyPasswords no)[\/li][li]disable connection forwarding (AllowTCPForwarding no)[\/li][li]disable gateway ports (GatewayPorts no)[\/li][li]disable X11 forwarding (X11Forwarding no).[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The SSH daemon is configured to:[\/p][ul][li]only listen on the required interfaces (ListenAddress xxx.xxx.xxx.xxx)[\/li][li]have a suitable login banner (Banner x)[\/li][li]have a login authentication timeout of no more than 60 seconds (LoginGraceTime 60)[\/li][li]disable host-based authentication (HostbasedAuthentication no)[\/li][li]disable rhosts-based 
authentication (IgnoreRhosts yes)[\/li][li]disable the ability to login directly as root (PermitRootLogin no)[\/li][li]disable empty passwords (PermitEmptyPasswords no)[\/li][li]disable connection forwarding (AllowTCPForwarding no)[\/li][li]disable gateway ports (GatewayPorts no)[\/li][li]disable X11 forwarding (X11Forwarding no).[\/li][\/p]"}],"reference":""},{"title":"Authentication mechanisms","type":"topic","context":"","qty_controls":2,"content":[{"index":"0485.3","name":"ISM-0485","id":"0485","revision":3,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Public key-based authentication is used for SSH connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Public key-based authentication is used for SSH connections.[\/p]"},{"index":"1449.1","name":"ISM-1449","id":"1449","revision":1,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]SSH private keys are protected with a passphrase or a key encryption key.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]SSH private keys are protected with a passphrase or a key encryption key.[\/p]"}],"reference":""},{"title":"Automated remote access","type":"topic","context":"","qty_controls":2,"content":[{"index":"0487.4","name":"ISM-0487","id":"0487","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When using logins without a passphrase for SSH connections, the following are disabled:[\/p][ul][li]access from IP addresses that do not require access[\/li][li]port forwarding[\/li][li]agent credential 
forwarding[\/li][li]X11 display remoting[\/li][li]console access.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When using logins without a passphrase for SSH connections, the following are disabled:[\/p][ul][li]access from IP addresses that do not require access[\/li][li]port forwarding[\/li][li]agent credential forwarding[\/li][li]X11 display remoting[\/li][li]console access.[\/li][\/p]"},{"index":"0488.4","name":"ISM-0488","id":"0488","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]If using remote access without the use of a passphrase for SSH connections, the \u2018forced command\u2019 option is used to specify what command is executed and parameter checking is enabled.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]If using remote access without the use of a passphrase for SSH connections, the \u2018forced command\u2019 option is used to specify what command is executed and parameter checking is enabled.[\/p]"}],"reference":""},{"title":"SSH-agent","type":"topic","context":"","qty_controls":1,"content":[{"index":"0489.5","name":"ISM-0489","id":"0489","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When SSH-agent or similar key caching programs are used, it is limited to workstations and servers with screen locks and key caches that are set to expire within four hours of inactivity.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When SSH-agent or similar key caching programs are used, it is limited to workstations and servers with screen locks and key caches that are set to expire within four hours of 
inactivity.[\/p]"}],"reference":""}],"reference":""},{"title":"Secure\/Multipurpose Internet Mail Extension","type":"section","context":"","qty_controls":1,"content":[{"title":"Configuring Secure\/Multipurpose Internet Mail Extension","type":"topic","context":"","qty_controls":1,"content":[{"index":"0490.4","name":"ISM-0490","id":"0490","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Versions of S\/MIME earlier than S\/MIME version 3.0 are not used for S\/MIME connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Versions of S\/MIME earlier than S\/MIME version 3.0 are not used for S\/MIME connections.[\/p]"}],"reference":""}],"reference":""},{"title":"Internet Protocol Security","type":"section","context":"","qty_controls":9,"content":[{"title":"Mode of operation","type":"topic","context":"","qty_controls":1,"content":[{"index":"0494.3","name":"ISM-0494","id":"0494","revision":3,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used.[\/p]"}],"reference":""},{"title":"Protocol selection","type":"topic","context":"","qty_controls":1,"content":[{"index":"0496.5","name":"ISM-0496","id":"0496","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The ESP protocol is used for authentication and encryption of 
IPsec connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The ESP protocol is used for authentication and encryption of IPsec connections.[\/p]"}],"reference":""},{"title":"Key exchange","type":"topic","context":"","qty_controls":1,"content":[{"index":"1233.2","name":"ISM-1233","id":"1233","revision":2,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]IKE version 2 is used for key exchange when establishing IPsec connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]IKE version 2 is used for key exchange when establishing IPsec connections.[\/p]"}],"reference":""},{"title":"Encryption algorithms","type":"topic","context":"","qty_controls":1,"content":[{"index":"1771.0","name":"ISM-1771","id":"1771","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]AES is used for encrypting IPsec connections, preferably ENCR_AES_GCM_16.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]AES is used for encrypting IPsec connections, preferably ENCR_AES_GCM_16.[\/p]"}],"reference":""},{"title":"Pseudorandom function algorithms","type":"topic","context":"","qty_controls":1,"content":[{"index":"1772.0","name":"ISM-1772","id":"1772","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]PRF_HMAC_SHA2_256, PRF_HMAC_SHA2_384 or PRF_HMAC_SHA2_512 is used for IPsec connections, preferably PRF_HMAC_SHA2_512.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]PRF_HMAC_SHA2_256, PRF_HMAC_SHA2_384 or PRF_HMAC_SHA2_512 is used for IPsec 
connections, preferably PRF_HMAC_SHA2_512.[\/p]"}],"reference":""},{"title":"Integrity algorithms","type":"topic","context":"","qty_controls":1,"content":[{"index":"0998.5","name":"ISM-0998","id":"0998","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]AUTH_HMAC_SHA2_256_128, AUTH_HMAC_SHA2_384_192, AUTH_HMAC_SHA2_512_256 or NONE (only with AES-GCM) is used for authenticating IPsec connections, preferably NONE.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]AUTH_HMAC_SHA2_256_128, AUTH_HMAC_SHA2_384_192, AUTH_HMAC_SHA2_512_256 or NONE (only with AES-GCM) is used for authenticating IPsec connections, preferably NONE.[\/p]"}],"reference":""},{"title":"Diffie-Hellman groups","type":"topic","context":"","qty_controls":1,"content":[{"index":"0999.6","name":"ISM-0999","id":"0999","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]DH or ECDH is used for key establishment of IPsec connections, preferably 384-bit random ECP group, 3072-bit MODP Group or 4096-bit MODP Group.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]DH or ECDH is used for key establishment of IPsec connections, preferably 384-bit random ECP group, 3072-bit MODP Group or 4096-bit MODP Group.[\/p]"}],"reference":""},{"title":"Security association lifetimes","type":"topic","context":"","qty_controls":1,"content":[{"index":"0498.4","name":"ISM-0498","id":"0498","revision":4,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A security association lifetime of less than four hours (14400 
seconds) is used for IPsec connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A security association lifetime of less than four hours (14400 seconds) is used for IPsec connections.[\/p]"}],"reference":""},{"title":"Perfect Forward Secrecy","type":"topic","context":"","qty_controls":1,"content":[{"index":"1000.4","name":"ISM-1000","id":"1000","revision":4,"updated":"Sep-18","timestamp":1537934143,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]PFS is used for IPsec connections.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]PFS is used for IPsec connections.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Gateways","type":"guideline","qty_controls":60,"content":[{"title":"Gateways","type":"section","context":"","qty_controls":19,"content":[{"title":"Implementing gateways","type":"topic","context":"","qty_controls":5,"content":[{"index":"0628.6","name":"ISM-0628","id":"0628","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Gateways are implemented between networks belonging to different security domains.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Gateways are implemented between networks belonging to different security domains.[\/p]"},{"index":"0637.6","name":"ISM-0637","id":"0637","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Gateways implement a demilitarised zone if external parties require access to an organisation\u2019s services.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Gateways implement a 
demilitarised zone if external parties require access to an organisation\u2019s services.[\/p]"},{"index":"0631.7","name":"ISM-0631","id":"0631","revision":7,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Gateways only allow explicitly authorised data flows.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Gateways only allow explicitly authorised data flows.[\/p]"},{"index":"1192.3","name":"ISM-1192","id":"1192","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Gateways inspect and filter data flows at the transport and above network layers.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Gateways inspect and filter data flows at the transport and above network layers.[\/p]"},{"index":"1427.3","name":"ISM-1427","id":"1427","revision":3,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Gateways perform ingress traffic filtering to detect and prevent IP source address spoofing.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Gateways perform ingress traffic filtering to detect and prevent IP source address spoofing.[\/p]"}],"reference":""},{"title":"System administrators for gateways","type":"topic","context":"","qty_controls":6,"content":[{"index":"1520.3","name":"ISM-1520","id":"1520","revision":3,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System administrators for gateways 
undergo appropriate employment screening, and where necessary hold an appropriate security clearance, based on the sensitivity or classification of gateways.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]System administrators for gateways undergo appropriate employment screening, and where necessary hold an appropriate security clearance, based on the sensitivity or classification of gateways.[\/p]"},{"index":"0613.6","name":"ISM-0613","id":"0613","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System administrators for gateways that connect to Australian Eyes Only or Releasable To networks are Australian nationals.[\/p]","classificationString":"S, TS","content":"[p]System administrators for gateways that connect to Australian Eyes Only or Releasable To networks are Australian nationals.[\/p]"},{"index":"1773.0","name":"ISM-1773","id":"1773","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System administrators for gateways that connect to Australian Government Access Only networks are Australian nationals or seconded foreign nationals.[\/p]","classificationString":"S, TS","content":"[p]System administrators for gateways that connect to Australian Government Access Only networks are Australian nationals or seconded foreign nationals.[\/p]"},{"index":"0611.5","name":"ISM-0611","id":"0611","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System administrators for gateways are assigned the minimum privileges required to perform their duties.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]System administrators for gateways are assigned the 
minimum privileges required to perform their duties.[\/p]"},{"index":"0616.5","name":"ISM-0616","id":"0616","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Separation of duties is implemented in performing administrative activities for gateways.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Separation of duties is implemented in performing administrative activities for gateways.[\/p]"},{"index":"0612.5","name":"ISM-0612","id":"0612","revision":5,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]System administrators for gateways are formally trained on the operation and management of gateways.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]System administrators for gateways are formally trained on the operation and management of gateways.[\/p]"}],"reference":""},{"title":"System administration of gateways","type":"topic","context":"","qty_controls":2,"content":[{"index":"1774.0","name":"ISM-1774","id":"1774","revision":0,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Gateways are managed via a secure path isolated from all connected networks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Gateways are managed via a secure path isolated from all connected networks.[\/p]"},{"index":"0629.5","name":"ISM-0629","id":"0629","revision":5,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]For gateways between networks belonging to different security domains, any shared components are managed by system administrators for the higher security domain or by system administrators from a mutually agreed upon third party.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]For gateways between networks belonging to different security domains, any shared components are managed by system administrators for the higher security domain or by system administrators from a mutually agreed upon third party.[\/p]"}],"reference":""},{"title":"Authenticating to networks accessed via gateways","type":"topic","context":"","qty_controls":2,"content":[{"index":"0619.6","name":"ISM-0619","id":"0619","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Users authenticate to other networks accessed via gateways.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Users authenticate to other networks accessed via gateways.[\/p]"},{"index":"0622.6","name":"ISM-0622","id":"0622","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]ICT equipment authenticates to other networks accessed via gateways.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]ICT equipment authenticates to other networks accessed via gateways.[\/p]"}],"reference":""},{"title":"Border Gateway Protocol route security","type":"topic","context":"","qty_controls":1,"content":[{"index":"1783.0","name":"ISM-1783","id":"1783","revision":0,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP 
SECRET"},"applicability":"","statement":"[p]Public IP addresses controlled by, or used by, an organisation are signed by valid ROA records.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Public IP addresses controlled by, or used by, an organisation are signed by valid ROA records.[\/p]"}],"reference":""},{"title":"Gateway event logging","type":"topic","context":"","qty_controls":1,"content":[{"index":"0634.10","name":"ISM-0634","id":"0634","revision":10,"updated":"Dec-23","timestamp":1703559343,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The following events are centrally logged for gateways:[\/p][ul][li]data packets and data flows permitted through gateways[\/li][li]data packets and data flows attempting to leave gateways[\/li][li]real-time alerts for attempted intrusions.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The following events are centrally logged for gateways:[\/p][ul][li]data packets and data flows permitted through gateways[\/li][li]data packets and data flows attempting to leave gateways[\/li][li]real-time alerts for attempted intrusions.[\/li][\/p]"}],"reference":""},{"title":"Assessment of gateways","type":"topic","context":"","qty_controls":2,"content":[{"index":"1037.6","name":"ISM-1037","id":"1037","revision":6,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Gateways undergo testing following configuration changes, and at regular intervals no more than six months apart, to validate they conform to expected security configurations.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Gateways undergo testing following configuration changes, and at regular intervals no more than six months apart, to validate they conform to 
expected security configurations.[\/p]"},{"index":"0100.11","name":"ISM-0100","id":"0100","revision":11,"updated":"Jun-22","timestamp":1656215743,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Gateways undergo a security assessment by an IRAP assessor at least every 24 months.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Gateways undergo a security assessment by an IRAP assessor at least every 24 months.[\/p]"}],"reference":""}],"reference":""},{"title":"Cross Domain Solutions","type":"section","context":"","qty_controls":8,"content":[{"title":"Implementing Cross Domain Solutions","type":"topic","context":"","qty_controls":1,"content":[{"index":"0626.6","name":"ISM-0626","id":"0626","revision":6,"updated":"Mar-22","timestamp":1648263343,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]CDSs are implemented between SECRET or TOP SECRET networks and any other networks belonging to different security domains.[\/p]","classificationString":"S, TS","content":"[p]CDSs are implemented between SECRET or TOP SECRET networks and any other networks belonging to different security domains.[\/p]"}],"reference":""},{"title":"Consultation on Cross Domain Solutions","type":"topic","context":"","qty_controls":1,"content":[{"index":"0597.8","name":"ISM-0597","id":"0597","revision":8,"updated":"Sep-23","timestamp":1695700543,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When planning, designing, implementing or introducing additional connectivity to CDSs, ASD is consulted and any directions provided by ASD are complied with.[\/p]","classificationString":"S, TS","content":"[p]When planning, designing, implementing or introducing additional connectivity to CDSs, ASD is consulted and any directions provided by ASD are complied 
with.[\/p]"}],"reference":""},{"title":"Separation of data flows","type":"topic","context":"","qty_controls":3,"content":[{"index":"0635.7","name":"ISM-0635","id":"0635","revision":7,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]CDSs implement isolated upward and downward network paths.[\/p]","classificationString":"S, TS","content":"[p]CDSs implement isolated upward and downward network paths.[\/p]"},{"index":"1522.3","name":"ISM-1522","id":"1522","revision":3,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]CDSs implement independent security-enforcing functions for upward and downward network paths.[\/p]","classificationString":"S, TS","content":"[p]CDSs implement independent security-enforcing functions for upward and downward network paths.[\/p]"},{"index":"1521.3","name":"ISM-1521","id":"1521","revision":3,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]CDSs implement protocol breaks at each network layer.[\/p]","classificationString":"S, TS","content":"[p]CDSs implement protocol breaks at each network layer.[\/p]"}],"reference":""},{"title":"Cross Domain Solution event logging","type":"topic","context":"","qty_controls":2,"content":[{"index":"0670.6","name":"ISM-0670","id":"0670","revision":6,"updated":"Dec-23","timestamp":1703559344,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]All security-relevant events generated by CDSs are centrally logged.[\/p]","classificationString":"S, TS","content":"[p]All security-relevant events generated by CDSs are centrally 
logged.[\/p]"},{"index":"1523.1","name":"ISM-1523","id":"1523","revision":1,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A sample of security-relevant events relating to data transfer policies are taken at least every three months and assessed against security policies for CDSs to identify any operational failures.[\/p]","classificationString":"S, TS","content":"[p]A sample of security-relevant events relating to data transfer policies are taken at least every three months and assessed against security policies for CDSs to identify any operational failures.[\/p]"}],"reference":""},{"title":"User training","type":"topic","context":"","qty_controls":1,"content":[{"index":"0610.8","name":"ISM-0610","id":"0610","revision":8,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Users are trained on the secure use of CDSs before access is granted.[\/p]","classificationString":"S, TS","content":"[p]Users are trained on the secure use of CDSs before access is granted.[\/p]"}],"reference":""}],"reference":""},{"title":"Firewalls","type":"section","context":"","qty_controls":2,"content":[{"title":"Using firewalls","type":"topic","context":"","qty_controls":2,"content":[{"index":"1528.3","name":"ISM-1528","id":"1528","revision":3,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Evaluated firewalls are used between an organisation\u2019s networks and public network infrastructure.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Evaluated firewalls are used between an organisation\u2019s networks and public network 
infrastructure.[\/p]"},{"index":"0639.9","name":"ISM-0639","id":"0639","revision":9,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Evaluated firewalls are used between networks belonging to different security domains.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Evaluated firewalls are used between networks belonging to different security domains.[\/p]"}],"reference":""}],"reference":""},{"title":"Diodes","type":"section","context":"","qty_controls":4,"content":[{"title":"Using diodes","type":"topic","context":"","qty_controls":4,"content":[{"index":"0643.7","name":"ISM-0643","id":"0643","revision":7,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Evaluated diodes are used for controlling the data flow of unidirectional gateways between an organisation\u2019s networks and public network infrastructure.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Evaluated diodes are used for controlling the data flow of unidirectional gateways between an organisation\u2019s networks and public network infrastructure.[\/p]"},{"index":"0645.7","name":"ISM-0645","id":"0645","revision":7,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Evaluated diodes used for controlling the data flow of unidirectional gateways between SECRET or TOP SECRET networks and public network infrastructure complete a high assurance evaluation.[\/p]","classificationString":"S, TS","content":"[p]Evaluated diodes used for controlling the data flow of unidirectional gateways between SECRET or TOP SECRET networks and public network infrastructure complete a high 
assurance evaluation.[\/p]"},{"index":"1157.5","name":"ISM-1157","id":"1157","revision":5,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Evaluated diodes are used for controlling the data flow of unidirectional gateways between networks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Evaluated diodes are used for controlling the data flow of unidirectional gateways between networks.[\/p]"},{"index":"1158.6","name":"ISM-1158","id":"1158","revision":6,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Evaluated diodes used for controlling the data flow of unidirectional gateways between SECRET or TOP SECRET networks and any other networks complete a high assurance evaluation.[\/p]","classificationString":"S, TS","content":"[p]Evaluated diodes used for controlling the data flow of unidirectional gateways between SECRET or TOP SECRET networks and any other networks complete a high assurance evaluation.[\/p]"}],"reference":""}],"reference":""},{"title":"Web proxies","type":"section","context":"","qty_controls":3,"content":[{"title":"Web usage policy","type":"topic","context":"","qty_controls":1,"content":[{"index":"0258.4","name":"ISM-0258","id":"0258","revision":4,"updated":"Dec-22","timestamp":1672023344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]A web usage policy is developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]A web usage policy is developed, implemented and maintained.[\/p]"}],"reference":""},{"title":"Using web 
proxies","type":"topic","context":"","qty_controls":1,"content":[{"index":"0260.3","name":"ISM-0260","id":"0260","revision":3,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]All web access, including that by internal servers, is conducted through web proxies.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]All web access, including that by internal servers, is conducted through web proxies.[\/p]"}],"reference":""},{"title":"Web proxy event logging","type":"topic","context":"","qty_controls":1,"content":[{"index":"0261.6","name":"ISM-0261","id":"0261","revision":6,"updated":"Dec-23","timestamp":1703559344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]The following details are centrally logged for websites accessed via web proxies:[\/p][ul][li]web address[\/li][li]date and time[\/li][li]user[\/li][li]amount of data uploaded and downloaded[\/li][li]internal and external IP addresses.[\/li][\/p]","classificationString":"O, OS, P, S, TS","content":"[p]The following details are centrally logged for websites accessed via web proxies:[\/p][ul][li]web address[\/li][li]date and time[\/li][li]user[\/li][li]amount of data uploaded and downloaded[\/li][li]internal and external IP addresses.[\/li][\/p]"}],"reference":""}],"reference":""},{"title":"Web content filters","type":"section","context":"","qty_controls":7,"content":[{"title":"Using web content filters","type":"topic","context":"","qty_controls":3,"content":[{"index":"0963.7","name":"ISM-0963","id":"0963","revision":7,"updated":"Dec-22","timestamp":1672023344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Web 
content filtering is implemented to filter potentially harmful web-based content.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Web content filtering is implemented to filter potentially harmful web-based content.[\/p]"},{"index":"0961.8","name":"ISM-0961","id":"0961","revision":8,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Client-side active content is restricted by web content filters to an organisation-approved list of domain names.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Client-side active content is restricted by web content filters to an organisation-approved list of domain names.[\/p]"},{"index":"1237.2","name":"ISM-1237","id":"1237","revision":2,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Web content filtering is applied to outbound web traffic where appropriate.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Web content filtering is applied to outbound web traffic where appropriate.[\/p]"}],"reference":""},{"title":"Transport Layer Security filtering","type":"topic","context":"","qty_controls":1,"content":[{"index":"0263.8","name":"ISM-0263","id":"0263","revision":8,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]TLS traffic communicated through gateways is decrypted and inspected.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]TLS traffic communicated through gateways is decrypted and inspected.[\/p]"}],"reference":""},{"title":"Allowing and blocking access to domain 
names","type":"topic","context":"","qty_controls":3,"content":[{"index":"0958.8","name":"ISM-0958","id":"0958","revision":8,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]An organisation-approved list of domain names, or list of website categories, is implemented for all Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure traffic communicated through gateways.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]An organisation-approved list of domain names, or list of website categories, is implemented for all Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure traffic communicated through gateways.[\/p]"},{"index":"1236.2","name":"ISM-1236","id":"1236","revision":2,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Malicious domain names, dynamic domain names and domain names that can be registered anonymously for free are blocked by web content filters.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Malicious domain names, dynamic domain names and domain names that can be registered anonymously for free are blocked by web content filters.[\/p]"},{"index":"1171.2","name":"ISM-1171","id":"1171","revision":2,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Attempts to access websites through their IP addresses instead of their domain names are blocked by web content filters.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Attempts to access websites through their IP addresses instead of their domain names are blocked by web 
content filters.[\/p]"}],"reference":""}],"reference":""},{"title":"Content filtering","type":"section","context":"","qty_controls":14,"content":[{"title":"Performing content filtering","type":"topic","context":"","qty_controls":4,"content":[{"index":"0659.6","name":"ISM-0659","id":"0659","revision":6,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Files imported or exported via gateways or CDSs undergo content filtering checks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Files imported or exported via gateways or CDSs undergo content filtering checks.[\/p]"},{"index":"0651.5","name":"ISM-0651","id":"0651","revision":5,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Files identified by content filtering checks as malicious, or that cannot be inspected, are blocked.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Files identified by content filtering checks as malicious, or that cannot be inspected, are blocked.[\/p]"},{"index":"0652.3","name":"ISM-0652","id":"0652","revision":3,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Files identified by content filtering checks as suspicious are quarantined until reviewed and subsequently approved or not approved for release.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Files identified by content filtering checks as suspicious are quarantined until reviewed and subsequently approved or not approved for 
release.[\/p]"},{"index":"1524.2","name":"ISM-1524","id":"1524","revision":2,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Content filters used by CDSs undergo rigorous security testing to ensure they perform as expected and cannot be bypassed.[\/p]","classificationString":"S, TS","content":"[p]Content filters used by CDSs undergo rigorous security testing to ensure they perform as expected and cannot be bypassed.[\/p]"}],"reference":""},{"title":"Encrypted files","type":"topic","context":"","qty_controls":1,"content":[{"index":"1293.2","name":"ISM-1293","id":"1293","revision":2,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Encrypted files imported or exported via gateways or CDSs are decrypted in order to undergo content filtering checks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Encrypted files imported or exported via gateways or CDSs are decrypted in order to undergo content filtering checks.[\/p]"}],"reference":""},{"title":"Archive files","type":"topic","context":"","qty_controls":2,"content":[{"index":"1289.2","name":"ISM-1289","id":"1289","revision":2,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Archive files imported or exported via gateways or CDSs are unpacked in order to undergo content filtering checks.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Archive files imported or exported via gateways or CDSs are unpacked in order to undergo content filtering 
checks.[\/p]"},{"index":"1290.2","name":"ISM-1290","id":"1290","revision":2,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Archive files are unpacked in a controlled manner to ensure content filter performance or availability is not adversely affected.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Archive files are unpacked in a controlled manner to ensure content filter performance or availability is not adversely affected.[\/p]"}],"reference":""},{"title":"Antivirus scanning","type":"topic","context":"","qty_controls":1,"content":[{"index":"1288.2","name":"ISM-1288","id":"1288","revision":2,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Files imported or exported via gateways or CDSs undergo antivirus scanning using multiple different scanning engines.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Files imported or exported via gateways or CDSs undergo antivirus scanning using multiple different scanning engines.[\/p]"}],"reference":""},{"title":"Automated dynamic analysis","type":"topic","context":"","qty_controls":1,"content":[{"index":"1389.2","name":"ISM-1389","id":"1389","revision":2,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Executable files imported via gateways or CDSs are automatically executed in a sandbox to detect any suspicious behaviour.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Executable files imported via gateways or CDSs are automatically executed in a sandbox to detect any suspicious 
behaviour.[\/p]"}],"reference":""},{"title":"Allowing specific content types","type":"topic","context":"","qty_controls":1,"content":[{"index":"0649.8","name":"ISM-0649","id":"0649","revision":8,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Files imported or exported via gateways or CDSs are filtered for allowed file types.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Files imported or exported via gateways or CDSs are filtered for allowed file types.[\/p]"}],"reference":""},{"title":"Content validation","type":"topic","context":"","qty_controls":1,"content":[{"index":"1284.3","name":"ISM-1284","id":"1284","revision":3,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Files imported or exported via gateways or CDSs undergo content validation.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Files imported or exported via gateways or CDSs undergo content validation.[\/p]"}],"reference":""},{"title":"Content conversion","type":"topic","context":"","qty_controls":1,"content":[{"index":"1286.2","name":"ISM-1286","id":"1286","revision":2,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Files imported or exported via gateways or CDSs undergo content conversion.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Files imported or exported via gateways or CDSs undergo content conversion.[\/p]"}],"reference":""},{"title":"Content 
sanitisation","type":"topic","context":"","qty_controls":1,"content":[{"index":"1287.2","name":"ISM-1287","id":"1287","revision":2,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Files imported or exported via gateways or CDSs undergo content sanitisation.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Files imported or exported via gateways or CDSs undergo content sanitisation.[\/p]"}],"reference":""},{"title":"Validating file integrity","type":"topic","context":"","qty_controls":1,"content":[{"index":"0677.7","name":"ISM-0677","id":"0677","revision":7,"updated":"Mar-23","timestamp":1679799344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Files imported or exported via gateways or CDSs that have a digital signature or cryptographic checksum are validated.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Files imported or exported via gateways or CDSs that have a digital signature or cryptographic checksum are validated.[\/p]"}],"reference":""}],"reference":""},{"title":"Peripheral switches","type":"section","context":"","qty_controls":3,"content":[{"title":"Using peripheral switches","type":"topic","context":"","qty_controls":3,"content":[{"index":"0591.8","name":"ISM-0591","id":"0591","revision":8,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Evaluated peripheral switches are used when sharing peripherals between systems.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Evaluated peripheral switches are used when sharing peripherals between 
systems.[\/p]"},{"index":"1457.4","name":"ISM-1457","id":"1457","revision":4,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Evaluated peripheral switches used for sharing peripherals between SECRET and TOP SECRET systems, or between SECRET or TOP SECRET systems belonging to different security domains, preferably complete a high assurance evaluation.[\/p]","classificationString":"S, TS","content":"[p]Evaluated peripheral switches used for sharing peripherals between SECRET and TOP SECRET systems, or between SECRET or TOP SECRET systems belonging to different security domains, preferably complete a high assurance evaluation.[\/p]"},{"index":"1480.2","name":"ISM-1480","id":"1480","revision":2,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Evaluated peripheral switches used for sharing peripherals between SECRET or TOP SECRET systems and any non-SECRET or TOP SECRET systems complete a high assurance evaluation.[\/p]","classificationString":"S, TS","content":"[p]Evaluated peripheral switches used for sharing peripherals between SECRET or TOP SECRET systems and any non-SECRET or TOP SECRET systems complete a high assurance evaluation.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Guidelines for Data Transfers","type":"guideline","qty_controls":14,"content":[{"title":"Data transfers","type":"section","context":"","qty_controls":14,"content":[{"title":"Data transfer processes and procedures","type":"topic","context":"","qty_controls":2,"content":[{"index":"0663.7","name":"ISM-0663","id":"0663","revision":7,"updated":"Dec-22","timestamp":1672023344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Data transfer processes, and 
supporting data transfer procedures, are developed, implemented and maintained.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Data transfer processes, and supporting data transfer procedures, are developed, implemented and maintained.[\/p]"},{"index":"1535.5","name":"ISM-1535","id":"1535","revision":5,"updated":"Dec-22","timestamp":1672023344,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Processes, and supporting procedures, are developed, implemented and maintained to prevent AUSTEO, AGAO and REL data in both textual and non-textual formats from being exported to unsuitable foreign systems.[\/p]","classificationString":"S, TS","content":"[p]Processes, and supporting procedures, are developed, implemented and maintained to prevent AUSTEO, AGAO and REL data in both textual and non-textual formats from being exported to unsuitable foreign systems.[\/p]"}],"reference":""},{"title":"User responsibilities","type":"topic","context":"","qty_controls":1,"content":[{"index":"0661.8","name":"ISM-0661","id":"0661","revision":8,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Users transferring data to and from systems are held accountable for data transfers they perform.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Users transferring data to and from systems are held accountable for data transfers they perform.[\/p]"}],"reference":""},{"title":"Manual import of data","type":"topic","context":"","qty_controls":2,"content":[{"index":"0657.6","name":"ISM-0657","id":"0657","revision":6,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When manually importing data to systems, 
the data is scanned for malicious and active content.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When manually importing data to systems, the data is scanned for malicious and active content.[\/p]"},{"index":"1778.0","name":"ISM-1778","id":"1778","revision":0,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When manually importing data to systems, all data that fails security checks is quarantined until reviewed and subsequently approved or not approved for release.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When manually importing data to systems, all data that fails security checks is quarantined until reviewed and subsequently approved or not approved for release.[\/p]"}],"reference":""},{"title":"Authorising export of data","type":"topic","context":"","qty_controls":3,"content":[{"index":"0664.7","name":"ISM-0664","id":"0664","revision":7,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Data exported from SECRET and TOP SECRET systems is reviewed and authorised by a trusted source beforehand.[\/p]","classificationString":"S, TS","content":"[p]Data exported from SECRET and TOP SECRET systems is reviewed and authorised by a trusted source beforehand.[\/p]"},{"index":"0675.6","name":"ISM-0675","id":"0675","revision":6,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Data authorised for export from SECRET and TOP SECRET systems is digitally signed by a trusted source.[\/p]","classificationString":"S, TS","content":"[p]Data authorised for export from SECRET and TOP SECRET systems is digitally signed by a trusted 
source.[\/p]"},{"index":"0665.7","name":"ISM-0665","id":"0665","revision":7,"updated":"Jun-23","timestamp":1687751744,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Trusted sources for SECRET and TOP SECRET systems are limited to people and services that have been authorised as such by the Chief Information Security Officer.[\/p]","classificationString":"S, TS","content":"[p]Trusted sources for SECRET and TOP SECRET systems are limited to people and services that have been authorised as such by the Chief Information Security Officer.[\/p]"}],"reference":""},{"title":"Manual export of data","type":"topic","context":"","qty_controls":3,"content":[{"index":"1187.3","name":"ISM-1187","id":"1187","revision":3,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When manually exporting data from systems, the data is checked for unsuitable protective markings.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When manually exporting data from systems, the data is checked for unsuitable protective markings.[\/p]"},{"index":"0669.6","name":"ISM-0669","id":"0669","revision":6,"updated":"Dec-22","timestamp":1672023344,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When manually exporting data from SECRET and TOP SECRET systems, digital signatures are validated and keyword checks are performed within all textual data.[\/p]","classificationString":"S, TS","content":"[p]When manually exporting data from SECRET and TOP SECRET systems, digital signatures are validated and keyword checks are performed within all textual 
data.[\/p]"},{"index":"1779.0","name":"ISM-1779","id":"1779","revision":0,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]When manually exporting data from systems, all data that fails security checks is quarantined until reviewed and subsequently approved or not approved for release.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]When manually exporting data from systems, all data that fails security checks is quarantined until reviewed and subsequently approved or not approved for release.[\/p]"}],"reference":""},{"title":"Monitoring data import and export","type":"topic","context":"","qty_controls":3,"content":[{"index":"1586.0","name":"ISM-1586","id":"1586","revision":0,"updated":"Aug-20","timestamp":1598414144,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Data transfer logs are used to record all data imports and exports from systems.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Data transfer logs are used to record all data imports and exports from systems.[\/p]"},{"index":"1294.5","name":"ISM-1294","id":"1294","revision":5,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"O":"OFFICIAL","OS":"OFFICIAL: Sensitive","P":"PROTECTED","S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Data transfer logs for systems are partially verified at least monthly.[\/p]","classificationString":"O, OS, P, S, TS","content":"[p]Data transfer logs for systems are partially verified at least monthly.[\/p]"},{"index":"0660.9","name":"ISM-0660","id":"0660","revision":9,"updated":"Mar-22","timestamp":1648263344,"authority":"","compliance":"","marking":{"S":"SECRET","TS":"TOP SECRET"},"applicability":"","statement":"[p]Data 
transfer logs for SECRET and TOP SECRET systems are fully verified at least monthly.[\/p]","classificationString":"S, TS","content":"[p]Data transfer logs for SECRET and TOP SECRET systems are fully verified at least monthly.[\/p]"}],"reference":""}],"reference":""}],"reference":""},{"title":"Cyber Security Terminology","type":"structure","qty_controls":0,"content":[{"title":"Glossary of abbreviations","type":"section","context":"","qty_controls":0,"content":[],"reference":""},{"title":"Glossary of cyber security terms","type":"section","context":"","qty_controls":0,"content":[],"reference":""}],"reference":""}]}