list_of_security_controls

A CISO is appointed to provide cyber security leadership and guidance for their organisation.
The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation.
The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities.
The CISO implements cyber security measurement metrics and key performance indicators for their organisation.
The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key cyber security and business executives, which meets formally and on a regular basis.
The CISO coordinates security risk management activities between cyber security and business teams.
The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters.
The CISO is fully aware of all cyber security incidents within their organisation.
The CISO oversees their organisation’s response to cyber security incidents.
The CISO contributes to the development and maintenance of business continuity and disaster recovery plans for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster.
The CISO develops and maintains a cyber security communications strategy for their organisation.
The CISO oversees cyber supply chain risk management activities for their organisation.
The CISO receives and manages a dedicated cyber security budget for their organisation.
The CISO oversees the management of cyber security personnel within their organisation.
The CISO oversees the development and operation of their organisation’s cyber security awareness training program.
Each system has a designated system owner.
System owners register each system with its authorising officer.
System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised.
System owners select security controls for each system and tailor them to achieve desired security objectives.
System owners implement security controls for each system and its operating environment.
System owners ensure security controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended.
System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation.
System owners monitor each system, and associated cyber threats, security risks and security controls, on an ongoing basis.
System owners report the security status of each system to its authorising officer at least annually.
An intrusion detection and prevention policy is developed and implemented.
A trusted insider program is developed and implemented.
Legal advice is sought regarding the development and implementation of a trusted insider program.
Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise.
"A cyber security incident register is maintained that covers the following:
• the date the cyber security incident occurred
• the date the cyber security incident was discovered
• a description of the cyber security incident
• any actions taken in response to the cyber security incident
• to whom the cyber security incident was reported."
When a data spill occurs, data owners are advised and access to the data is restricted.
"When malicious code is detected, the following steps are taken to handle the infection:
• the infected systems are isolated
• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary
• antivirus software is used to remove the infection from infected systems and media
• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt."
Legal advice is sought before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence.
System owners are consulted before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence.
Planning and coordination of intrusion remediation activities are conducted on a separate system to that which has been compromised.
To the extent possible, all intrusion remediation activities are conducted in a coordinated manner during the same planned outage.
Following intrusion remediation activities, full network traffic is captured for at least seven days and analysed to determine whether the adversary has been successfully removed from the system.
"The integrity of evidence gathered during an investigation is maintained by investigators:
• recording all of their actions
• creating checksums for all evidence
• copying evidence onto media for archiving
• maintaining a proper chain of custody."
Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered.
Service providers report cyber security incidents to their customer’s CISO, or one of their delegates, as soon as possible after they occur or are discovered.
Service providers and their customers maintain 24x7 contact details for each other, including additional out-of-band contact details for when normal communication channels fail, in order to report cyber security incidents.
Cyber security incidents are reported to the ACSC.
Components and services relevant to the security of systems are identified and understood.
Before obtaining components and services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk.
Suppliers and service providers identified as high risk are not used.
Components and services relevant to the security of systems are chosen from suppliers and service providers that have made a commitment to secure-by-design practices.
Components and services relevant to the security of systems are chosen from suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems, services and cyber supply chains.
A shared responsibility model is created, documented and shared between suppliers, service providers and their customers in order to articulate the security responsibilities of each party.
An outsourced cloud services register is maintained and regularly audited.
"An outsourced cloud services register contains the following for each outsourced cloud service:
• cloud service provider’s name
• cloud service’s name
• purpose for using the cloud service
• sensitivity or classification of data involved
• due date for the next security assessment of the cloud service
• point of contact for users of the cloud service
• point of contact for the cloud service provider."
Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months.
Only community or private clouds are used for outsourced SECRET and TOP SECRET cloud services.
Service providers provide an appropriate level of protection for any data entrusted to them or their services.
Security requirements associated with the confidentiality, integrity and availability of data entrusted to a service provider are documented in contractual arrangements.
The right to audit security controls associated with the protection of data and services is specified in contractual arrangements.
Types of data and its ownership is documented in contractual arrangements.
The regions or availability zones where data will be processed, stored and communicated is documented in contractual arrangements.
Access to all logs relating to an organisation’s data and services are specified in contractual arrangements.
Data entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of data.
A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements.
An organisation’s systems and data are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so.
If an organisation’s systems or data are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified.
A cyber security strategy is developed and implemented for the organisation.
Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer.
Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement.
Security documentation, including notification of subsequent changes, is communicated to all stakeholders.
Systems have a system security plan that includes a description of the system and an annex that covers both applicable security controls from this document and any additional security controls that have been identified.
"Systems have an incident response plan that covers the following:
• guidelines on what constitutes a cyber security incident
• the types of cyber security incidents likely to be encountered and the expected response to each type
• how to report cyber security incidents, internally to the organisation and externally to relevant authorities
• other parties which need to be informed in the event of a cyber security incident
• the authority, or authorities, responsible for investigating and responding to cyber security incidents
• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the Australian Cyber Security Centre or other relevant authority
• the steps necessary to ensure the integrity of evidence relating to a cyber security incident
• system contingency measures or a reference to such details if they are located in a separate document."
"Systems have a continuous monitoring plan that includes:
• conducting vulnerability scans for systems at least monthly
• conducting vulnerability assessments or penetration tests for systems at least annually
• analysing identified security vulnerabilities to determine their potential impact
• using a risk-based approach to prioritise the implementation of mitigations based on effectiveness and cost."
"At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:
• the scope of the security assessment
• the system’s strengths and weaknesses
• security risks associated with the operation of the system
• the effectiveness of the implementation of security controls
• any recommended remediation actions."
At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner.
Systems are secured in facilities that meet the requirements for a security zone suitable for their sensitivity or classification.
Servers, network devices and cryptographic equipment are secured in server rooms or communications rooms that meet the requirements for a security zone suitable for their sensitivity or classification.
Servers, network devices and cryptographic equipment are secured in security containers or secure rooms suitable for their sensitivity or classification taking into account the combination of security zones they reside in.
Server rooms, communications rooms, security containers and secure rooms are not left in unsecured states.
Keys or equivalent access mechanisms to server rooms, communications rooms, security containers and secure rooms are appropriately controlled.
Physical security controls are implemented to protect network devices in public areas from physical damage or unauthorised access.
An authorised RF and IR device register is maintained and regularly audited for SECRET and TOP SECRET areas.
Unauthorised RF and IR devices are not brought into SECRET and TOP SECRET areas.
Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas.
Unauthorised people are prevented from observing systems, in particular workstation displays and keyboards, within facilities.
ICT equipment and media are secured when not in use.
"Cyber security awareness training is undertaken annually by all personnel and covers:
• the purpose of the cyber security awareness training
• security appointments and contacts within the organisation
• authorised use of systems and their resources
• protection of systems and their resources
• reporting of cyber security incidents and suspected compromises of systems and their resources."
Tailored privileged user training is undertaken annually by all privileged users.
Personnel are advised of what suspicious contact via online services is and how to report it.
Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted.
Personnel are advised to maintain separate work and personal accounts for online services.
Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information.
Personnel are advised not to send or receive files via unauthorised online services.
Access requirements for a system and its resources are documented in its system security plan.
Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources.
Personnel receive any necessary briefings before being granted access to a system and its resources.
Personnel granted access to a system and its resources are uniquely identifiable.
The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable.
Personnel who are contractors are identified as such.
Where a system processes, stores or communicates AUSTEO, AGAO or REL data, personnel who are foreign nationals are identified as such, including by their specific nationality.
Requests for unprivileged access to systems, applications and data repositories are validated when first requested.
Use of unprivileged access is logged.
Unprivileged access event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL data unless effective security controls are in place to ensure such data is not accessible to them.
Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO data unless effective security controls are in place to ensure such data is not accessible to them.
Requests for privileged access to systems and applications are validated when first requested.
Requests for privileged access to data repositories are validated when first requested.
Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties.
Privileged user accounts are prevented from accessing the internet, email and web services.
Privileged service accounts are prevented from accessing the internet, email and web services.
Just-in-time administration is used for administering systems and applications.
Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access.
Use of privileged access is logged.
Changes to privileged accounts and groups are logged.
Privileged access event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
Privileged account and group change event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL data.
Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO data.
Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access.
Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities.
Unprivileged access to systems and applications is automatically disabled after 45 days of inactivity.
Privileged access to systems and applications is automatically disabled after 45 days of inactivity.
Access to data repositories is automatically disabled after 45 days of inactivity.
Privileged access to systems and applications is automatically disabled after 12 months unless revalidated.
Privileged access to data repositories is automatically disabled after 12 months unless revalidated.
"A secure record is maintained for the life of each system covering:
• all personnel authorised to access the system, and their user identification
• who provided authorisation for access
• when access was granted
• the level of access that was granted
• when access, and the level of access, was last reviewed
• when the level of access was changed, and to what extent (if applicable)
• when access was withdrawn (if applicable)."
When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only data required for them to undertake their duties.
Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information.
A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur.
Break glass accounts are only used when normal authentication processes cannot be used.
Break glass accounts are only used for specific authorised activities.
Use of break glass accounts is logged.
Break glass event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
Break glass account credentials are changed by the account custodian after they are accessed by any other party.
Break glass accounts are tested after credentials are changed.
Systems processing, storing or communicating AUSTEO or AGAO data remain at all times under the control of an Australian national working for or on behalf of the Australian Government.
AUSTEO and AGAO data can only be accessed from systems under the sole control of the Australian Government that are located within facilities authorised by the Australian Government.
Cabling infrastructure is installed in accordance with relevant Australian Standards, as directed by the Australian Communications and Media Authority.
Fibre-optic cables are used for cabling infrastructure instead of copper cables.
A cable register is maintained and regularly audited.
"A cable register contains the following for each cable:
• cable identifier
• cable colour
• sensitivity/classification
• source
• destination
• location
• seal numbers (if applicable)."
Floor plan diagrams are maintained and regularly audited.
"Floor plan diagrams contain the following:
• cable paths (including ingress and egress points between floors)
• cable reticulation system and conduit paths
• floor concentration boxes
• wall outlet boxes
• network cabinets."
Cable labelling processes, and supporting cable labelling procedures, are developed and implemented.
Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable.
Building management cables are labelled with their purpose in black writing on a yellow background, with a minimum size of 2.5 cm x 1 cm, and attached at five-metre intervals.
Cables for foreign systems installed in Australian facilities are labelled at inspection points.
OFFICIAL and PROTECTED cables are coloured neither salmon pink nor red.
SECRET cables colours are coloured salmon pink.
TOP SECRET cables colours are coloured red.
SECRET and TOP SECRET cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points.
Cables are inspectable at a minimum of five-metre intervals.
Cables in TOP SECRET areas are fully inspectable for their entire length.
SECRET and TOP SECRET systems belong exclusively to their own cable groups.
Cables only carry a single cable group, unless each cable group belongs to a different subunit.
Cable groups sharing a common cable reticulation system have a dividing partition or a visible gap between the cable groups.
In shared facilities, cables are run in an enclosed cable reticulation system.
In shared facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic.
In shared facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on TOP SECRET cable reticulation systems.
In shared facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and TOP SECRET conduits connected by threaded lock nuts.
Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at five-metre intervals and marked as ‘TS RUN’.
Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit.
In shared facilities, TOP SECRET cables are not run in party walls.
Where wall penetrations exit a TOP SECRET area into a lower classified area, TOP SECRET cables are encased in conduit with all gaps between the TOP SECRET conduit and the wall filled with an appropriate sealing compound.
Wall outlet boxes have connectors on opposite sides of the wall outlet box if the cable group contains cables belonging to different systems.
Different cables groups do not share a wall outlet box.
Wall outlet boxes denote the systems, cable identifiers and wall outlet box identifier.
OFFICIAL and PROTECTED wall outlet boxes are coloured neither salmon pink nor red.
SECRET wall outlet boxes are coloured salmon pink.
TOP SECRET wall outlet boxes are coloured red.
Wall outlet box covers are clear plastic.
If TOP SECRET fibre-optic fly leads exceeding five metres in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway that is clearly labelled at the ICT equipment end with the wall outlet box’s identifier.
Cable reticulation systems leading into cabinets are terminated as close as possible to the cabinet.
In TOP SECRET areas, cable reticulation systems leading into cabinets in server rooms or communications rooms are terminated as close as possible to the cabinet.
In TOP SECRET areas, cable reticulation systems leading into cabinets not in server rooms or communications rooms are terminated at the boundary of the cabinet.
Cables are terminated in individual cabinets; or for small systems, one cabinet with a division plate to delineate cable groups.
TOP SECRET cables are terminated in an individual TOP SECRET cabinet.
Different cable groups do not terminate on the same patch panel.
There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications.
TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets.
"Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:
• a physical barrier in the cabinet is provided to separate patch panels
• only personnel holding a Positive Vetting security clearance have access to the cabinet
• approval from the TOP SECRET system’s authorising officer is obtained prior to installation."
When penetrating a TOP SECRET audio secure room, the Australian Security Intelligence Organisation is consulted and all directions provided are complied with.
A power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment.
System owners deploying OFFICIAL or PROTECTED systems with Radio Frequency transmitters that will be co-located with SECRET or TOP SECRET systems contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment.
System owners deploying SECRET or TOP SECRET systems with Radio Frequency transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment.
System owners deploying SECRET or TOP SECRET systems in shared facilities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment.
System owners deploying systems or military platforms overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment.
An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications.
ICT equipment meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility.
A telephone system usage policy is developed and implemented.
Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems.
Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur.
When using cryptographic equipment to permit different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made.
Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems.
Cordless telephone systems are not used for sensitive or classified conversations.
Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in an audio secure room, the room is audio secure during conversations and only personnel involved in conversations are present in the room.
Off-hook audio protection features are used on telephone systems in areas where background conversations may exceed the sensitivity or classification that the telephone system is authorised for communicating.
In SECRET and TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used to meet any off-hook audio protection requirements.
Video conferencing and IP telephony infrastructure is hardened.
Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video-aware and/or voice-aware firewall is used.
Video conferencing and IP telephony calls are established using a secure session initiation protocol.
Video conferencing and IP telephony calls are conducted using a secure real-time transport protocol.
An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation.
Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings.
Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail.
"IP telephony is configured such that:
• IP phones authenticate themselves to the call controller upon registration
• auto-registration is disabled and only authorised devices are allowed to access the network
• unauthorised devices are blocked by default
• all unused and prohibited functionality is disabled."
Individual logins are implemented for IP phones used for SECRET or TOP SECRET conversations.
Video conferencing and IP telephony traffic is separated physically or logically from other data traffic.
Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses Virtual Local Area Networks or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic.
IP phones used in public areas do not have the ability to access data networks, voicemail and directory services.
Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas.
Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas.
"A denial of service response plan is developed and implemented for video conferencing and IP telephony services that includes:
• how to identify signs of a denial-of-service attack
• how to identify the source of a denial-of-service attack
• how capabilities can be maintained during a denial-of-service attack
• what actions can be taken to respond to a denial-of-service attack."
A fax machine and MFD usage policy is developed and implemented.
Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages.
When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure.
The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is sent and for the receiver to notify the sender if the fax message does not arrive in an agreed amount of time.
Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network.
A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected.
MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network.
Fax machines and MFDs are located in areas where their use can be observed.
A mobile device management policy is developed and implemented.
A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices.
Mobile devices do not process, store or communicate SECRET or TOP SECRET data until approved for use by the ACSC.
Legal advice is sought prior to allowing privately-owned mobile devices to access systems or data.
Personnel accessing OFFICIAL and PROTECTED systems or data using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance and have enforced separation of work data from any personal data.
Privately-owned mobile devices do not access SECRET and TOP SECRET systems or data.
Personnel accessing systems or data using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance.
Mobile devices encrypt their internal storage and any removable media.
Mobile devices encrypt all sensitive or classified data communicated over public network infrastructure.
Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing.
Bluetooth pairing is performed using Secure Connections, preferably with Numeric Comparison if supported.
Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices.
Bluetooth pairings are removed when there is no longer a requirement for their use.
Bluetooth functionality is not enabled on SECRET and TOP SECRET mobile devices.
Mobile devices prevent personnel from installing or uninstalling non-approved applications once provisioned.
Mobile devices prevent personnel from disabling or modifying security functionality once provisioned.
Security updates are applied to mobile devices as soon as they become available.
Mobile devices access the internet via a VPN connection to an organisation’s internet gateway rather than via a direct connection to the internet.
When accessing an organisation’s network via a VPN connection, split tunnelling is disabled.
A mobile device usage policy is developed and implemented.
Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices.
Paging, Multimedia Message Service, Short Message Service and messaging apps are not used to communicate sensitive or classified data.
Sensitive or classified data is not viewed or communicated in public locations unless care is taken to reduce the chance of the screen of a mobile device being observed.
Privacy filters are applied to the screens of SECRET and TOP SECRET mobile devices.
Sensitive or classified phone calls are not conducted in public locations unless care is taken to reduce the chance of conversations being overheard.
Mobile devices are kept under continual direct supervision when being actively used.
Mobile devices are carried or stored in a secured state when not being actively used.
If unable to carry or store mobile devices in a secured state, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag.
Mobile device emergency sanitisation processes, and supporting mobile device emergency sanitisation procedures, are developed and implemented.
If a cryptographic zeroise or sanitise function is provided for cryptographic keys on a SECRET or TOP SECRET mobile device, the function is used as part of mobile device emergency sanitisation processes and procedures.
Personnel are advised of privacy and security risks when travelling overseas with mobile devices.
"If travelling overseas with mobile devices to high or extreme risk countries, personnel are:
• issued with newly provisioned accounts, mobile devices and removable media from a pool of dedicated travel devices which are used solely for work-related activities
• advised on how to apply and inspect tamper seals to key areas of mobile devices
• advised to avoid taking any personal mobile devices, especially if rooted or jailbroken."
"Before travelling overseas with mobile devices, personnel take the following actions:
• record all details of the mobile devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers
• update all operating systems and applications
• remove all non-essential accounts, applications and data
• apply security configuration settings, such as lock screens
• configure remote locate and wipe functionality
• enable encryption, including for any removable media
• backup all important data and configuration settings."
"Personnel take the following precautions when travelling overseas with mobile devices:
• never leaving mobile devices or removable media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes
• never storing credentials with mobile devices that they grant access to, such as in laptop bags
• never lending mobile devices or removable media to untrusted people, even if briefly
• never allowing untrusted people to connect their mobile devices or removable media, including for charging
• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people
• avoiding connecting mobile devices to open or untrusted Wi-Fi networks
• using a VPN connection to encrypt all mobile device communications
• using encrypted messaging apps for communications instead of using foreign telecommunication networks
• disabling any communications capabilities of mobile devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication
• avoiding reuse of removable media once used with other parties’ systems or mobile devices
• ensuring any removable media used for data transfers are thoroughly checked for malicious code beforehand
• never using any gifted mobile devices, especially removable media, when travelling or upon returning from travelling."
"Personnel report the potential compromise of mobile devices, removable media or credentials to their organisation as soon as possible, especially if they:
• provide credentials to foreign government officials
• decrypt mobile devices for foreign government officials
• have mobile devices taken out of sight by foreign government officials
• have mobile devices or removable media stolen that are later returned
• lose mobile devices or removable media that are later found
• observe unusual behaviour of mobile devices."
"Upon returning from travelling overseas with mobile devices, personnel take the following actions:
• sanitise and reset mobile devices, including all removable media
• decommission any physical credentials that left their possession during their travel
• report if significant doubt exists as to the integrity of any mobile devices or removable media."
"If returning from travelling overseas with mobile devices to high or extreme risk countries, personnel take the following additional actions:
• reset user credentials used with mobile devices, including those used for remote access to their organisation’s systems
• monitor accounts for any indicators of compromise, such as failed logon attempts."
If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation.
Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation.
When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures.
Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation.
High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC.
High assurance ICT equipment is always operated in an evaluated configuration.
An ICT equipment management policy is developed and implemented.
An ICT equipment register is maintained and regularly audited.
ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification.
The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment.
ICT equipment is classified based on the highest sensitivity or classification of data that it is approved for processing, storing or communicating.
ICT equipment is handled in a manner suitable for its sensitivity or classification.
The ACSC’s approval is sought before undertaking any maintenance or repairs to high assurance ICT equipment.
Maintenance and repairs of ICT equipment is carried out on site by an appropriately cleared technician.
If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken.
"If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:
• is appropriately cleared and briefed
• takes due care to ensure that data is not disclosed
• takes all responsible measures to ensure the integrity of the ICT equipment
• has the authority to direct the technician
• is sufficiently familiar with the ICT equipment to understand the work being performed."
ICT equipment maintained or repaired off site is done so in accordance with the handling requirements for the sensitivity or classification of the ICT equipment.
Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place.
ICT equipment sanitisation processes, and supporting ICT equipment sanitisation procedures, are developed and implemented.
ICT equipment disposal processes, and supporting ICT equipment disposal procedures, are developed and implemented.
Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate ICT equipment with its prior use are removed prior to its disposal.
When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety.
When disposing of high assurance ICT equipment, it is destroyed prior to its disposal.
When disposing of ICT equipment that has been designed or modified to meet emanation security standards, the ACSC is contacted for requirements relating to its disposal.
Following sanitisation, destruction or declassification, a formal administrative decision is made to release ICT equipment, or its waste, into the public domain.
ICT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data, is sanitised in situ.
ICT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data that cannot be sanitised in situ, is returned to Australia for destruction.
At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum.
MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or a print is visible on the image transfer roller.
Printer and MFD platens are inspected and destroyed if any text or images are retained on the platen.
Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam.
When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices.
Printer ribbons in printers and MFDs are removed and destroyed.
Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time.
Televisions and computer monitors that cannot be sanitised are destroyed.
"Memory in network devices is sanitised using the following processes, in order of preference:
• following device-specific guidance provided in evaluation documentation
• following vendor sanitisation guidance
• loading a dummy configuration file, performing a factory reset and then reinstalling firmware."
The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed.
Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam.
A media management policy is developed and implemented.
A removable media usage policy is developed and implemented.
A removable media register is maintained and regularly audited.
Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification.
Media is classified to the highest sensitivity or classification of data it stores, unless the media has been classified to a higher sensitivity or classification.
Media is only used with systems that are authorised to process, store or communicate its sensitivity or classification.
Any media connected to a system with a higher sensitivity or classification than the media is reclassified to the higher sensitivity or classification, unless the media is read-only or the system has a mechanism through which read-only access can be ensured.
Before reclassifying media to a lower sensitivity or classification, it is either sanitised or the data it stores is reclassified in consultation with data owners, and a formal administrative decision is made to reclassify the media.
Media is handled in a manner suitable for its sensitivity or classification.
All data stored on media is encrypted.
Media is sanitised before it is used for the first time.
Media is sanitised before it is reused in a different security domain.
When transferring data manually between two systems belonging to different security domains, write-once media is used unless the destination system has a mechanism through which read-only access can be ensured.
When transferring data manually between two systems belonging to different security domains, rewritable media is sanitised after each data transfer.
Media sanitisation processes, and supporting media sanitisation procedures, are developed and implemented.
Volatile media is sanitised by removing its power for at least 10 minutes.
SECRET and TOP SECRET volatile media is sanitised by overwriting it at least once in its entirety with a random pattern followed by a read back for verification.
Following sanitisation, TOP SECRET volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time.
Non-volatile magnetic media is sanitised by overwriting it at least once (or three times if pre-2001 or under 15 GB) in its entirety with a random pattern followed by a read back for verification.
The host-protected area and device configuration overlay table are reset prior to the sanitisation of non-volatile magnetic hard drives.
The ATA secure erase command is used, in addition to block overwriting software, to ensure the growth defects table of non-volatile magnetic hard drives is overwritten.
Following sanitisation, SECRET and TOP SECRET non-volatile magnetic media retains its classification.
Non-volatile EPROM media is sanitised by applying three times the manufacturer’s specified ultraviolet erasure time and then overwriting it at least once in its entirety with a random pattern followed by a read back for verification.
Non-volatile EEPROM media is sanitised by overwriting it at least once in its entirety with a random pattern followed by a read back for verification.
Following sanitisation, SECRET and TOP SECRET non-volatile EPROM and EEPROM media retains its classification.
Non-volatile flash memory media is sanitised by overwriting it at least twice in its entirety with a random pattern followed by a read back for verification.
Following sanitisation, SECRET and TOP SECRET non-volatile flash memory media retains its classification.
Faulty or damaged media that cannot be successfully sanitised is destroyed prior to its disposal.
Media destruction processes, and supporting media destruction procedures, are developed and implemented.
"The following media types are destroyed prior to their disposal:
• microfiche and microfilm
• optical discs
• programmable read-only memory
• read-only memory
• other types of media that cannot be sanitised."
SCEC or ASIO approved equipment is used when destroying media.
If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used.
Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm.
Electrostatic memory devices are destroyed using either furnace/incinerator, hammer mill, disintegrator or grinder/sander destruction methods.
Magnetic floppy disks are destroyed using either furnace/incinerator, hammer mill, disintegrator, cutting or degausser destruction methods.
Magnetic hard disks are destroyed using either furnace/incinerator, hammer mill, disintegrator, grinder/sander or degausser destruction methods.
Magnetic tapes are destroyed using either furnace/incinerator, hammer mill, disintegrator, cutting or degausser destruction methods.
Optical disks are destroyed using either furnace/incinerator, hammer mill, disintegrator, grinder/sander or cutting destruction methods.
Semiconductor memory is destroyed using either furnace/incinerator, hammer mill or disintegrator destruction methods.
Media destroyed using either a hammer mill, disintegrator, grinder/sander or cutting destruction method result in media waste particles no larger than 9 mm.
The resulting media waste particles from the destruction of SECRET media is stored and handled as OFFICIAL if less than or equal to 3 mm, PROTECTED if greater than 3 mm and less than or equal to 6 mm, or SECRET if greater than 6 mm and less than or equal to 9 mm.
The resulting media waste particles from the destruction of TOP SECRET media is stored and handled as OFFICIAL if less than or equal to 3 mm, or SECRET if greater than 3 mm and less than or equal to 9 mm.
Magnetic media is destroyed using a degausser with a suitable magnetic field strength and magnetic orientation.
Any product-specific directions provided by degausser manufacturers are followed.
Following destruction of magnetic media using a degausser, it is physically damaged (such as by deforming the internal platters of hard drives) prior to its disposal.
The destruction of media is performed under the supervision of at least one person cleared to its sensitivity or classification.
Personnel supervising the destruction of media supervise its handling to the point of destruction and ensure that the destruction is completed successfully.
The destruction of media storing accountable material is performed under the supervision of at least two personnel cleared to its sensitivity or classification.
Personnel supervising the destruction of media storing accountable material supervise its handling to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards.
When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used.
The destruction of media storing accountable material is not outsourced.
Media disposal processes, and supporting media disposal procedures, are developed and implemented.
Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate media with its prior use are removed prior to its disposal.
Following sanitisation, destruction or declassification, a formal administrative decision is made to release media, or its waste, into the public domain.
SOEs are used for workstations and servers.
SOEs provided by third parties are scanned for malicious content and configurations before being used.
SOEs are reviewed and updated at least annually.
The latest release, or the previous release, of operating systems are used for workstations, servers and network devices.
When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used.
ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems.
Default operating system accounts are disabled, renamed or have their passphrase changed.
Unneeded operating system accounts, software, components, services and functionality are disabled or removed.
Automatic execution features for removable media are disabled.
Internet Explorer 11 is disabled or removed.
.NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.
Unprivileged users are prevented from bypassing, disabling or modifying security functionality of operating systems.
"Unprivileged users are prevented from running script execution engines in Microsoft Windows, including:
• Windows Script Host (cscript.exe and wscript.exe)
• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)
• Command Prompt (cmd.exe)
• Windows Management Instrumentation (wmic.exe)
• Microsoft Hypertext Markup Language (HTML) Application Host (mshta.exe)."
Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used.
Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management.
Users do not have the ability to install unapproved software.
Users do not have the ability to uninstall or disable approved software.
Application control is implemented on workstations.
Application control is implemented on internet-facing servers.
Application control is implemented on non-internet-facing servers.
Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.
Application control restricts the execution of drivers to an organisation-approved set.
Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules.
Application control rulesets are validated on an annual or more frequent basis.
When implementing application control using publisher certificate rules, both publisher names and product names are used.
When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute.
Microsoft’s ‘recommended block rules’ are implemented.
Microsoft’s ‘recommended driver block rules’ are implemented.
All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control.
Allowed and blocked executions on workstations are logged.
Allowed and blocked executions on internet-facing servers are logged.
Allowed and blocked executions on non-internet facing servers are logged.
Application control event logs including the name of the file, the date/time stamp and the username of the user associated with the event.
Application control event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
Microsoft’s exploit protection functionality is implemented on workstations and servers.
Windows PowerShell 2.0 is disabled or removed.
PowerShell is configured to use Constrained Language Mode.
PowerShell is configured to use module logging, script block logging and transcription functionality.
PowerShell script block logs are protected by Protected Event Logging functionality.
Blocked PowerShell script executions are logged.
PowerShell event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
A HIPS is implemented on workstations.
A HIPS is implemented on high value servers such as authentication servers, Domain Name System servers, web servers, file servers and email servers.
A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections.
"Antivirus software is implemented on workstations and servers and configured with:
• signature-based detection enabled and set to a high level
• heuristic-based detection enabled and set to a high level
• ransomware protection measures enabled
• detection signatures checked for currency and updated on at least a daily basis
• automatic and regular scanning configured for all fixed disks and removable media."
Antivirus software has reputation rating functionality enabled.
Unauthorised removable media and devices are prevented from being connected to workstations and servers via the use of device access control software or by disabling external communication interfaces in operating systems.
External communication interfaces that allow DMA are disabled.
Removable media is prevented from being written to via the use of device access control software if there is no business requirement for its use.
Applications are chosen from vendors that have made a commitment to secure development and maintenance practices.
The latest releases of office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are used when present within SOEs.
The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs.
Web browsers do not process Java from the internet.
Web browsers do not process web advertisements from the internet.
Internet Explorer 11 does not process content from the internet.
Microsoft Office is blocked from creating child processes.
Microsoft Office is blocked from creating executable content.
Microsoft Office is blocked from injecting code into other processes.
Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.
PDF software is blocked from creating child processes.
ACSC or vendor hardening guidance for web browsers, Microsoft Office and PDF software is implemented.
Any unrequired functionality in web browsers, Microsoft Office and PDF software is disabled.
The use of web browser, Microsoft Office and PDF software add-ons is restricted to organisation approved add-ons.
If supported, Microsoft’s Attack Surface Reduction rules are implemented.
Web browsers, Microsoft Office and PDF software security settings cannot be changed by users.
Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
Microsoft Office macros in files originating from the internet are blocked.
Microsoft Office macro antivirus scanning is enabled.
Microsoft Office macros are blocked from making Win32 API calls.
Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute.
Only privileged users responsible for validating that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations.
Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View.
Microsoft Office’s list of trusted publishers is validated on an annual or more frequent basis.
Microsoft Office macro security settings cannot be changed by users.
Allowed and blocked Microsoft Office macro executions are logged.
Microsoft Office macro event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
Users are authenticated before they are granted access to a system and its resources.
Multi-factor authentication is used to authenticate unprivileged users of systems.
Multi-factor authentication is used to authenticate privileged users of systems.
Multi-factor authentication is used by an organisation’s users if they authenticate to their organisation’s internet-facing services.
Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.
Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data.
Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.
Multi-factor authentication is used to authenticate users accessing important data repositories.
Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.
Multi-factor authentication is verifier impersonation resistant.
Passwords used for multi-factor authentication are a minimum of 6 characters, unless more stringent requirements apply.
Passwords used for multi-factor authentication on SECRET systems are a minimum of 8 characters.
Passwords used for multi-factor authentication on TOP SECRET systems are a minimum of 10 characters.
When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system.
Successful and unsuccessful multi-factor authentications are logged.
Multi-factor authentication event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead.
Passphrases used for single-factor authentication are at least 4 random words with a total minimum length of 14 characters, unless more stringent requirements apply.
Passphrases used for single-factor authentication on SECRET systems are at least 5 random words with a total minimum length of 17 characters.
Passphrases used for single-factor authentication on TOP SECRET systems are at least 6 random words with a total minimum length of 20 characters.
"Passphrases used for single-factor authentication:
• are not constructed from song lyrics, movies, literature or any other publicly available material
• do not form a real sentence in a natural language
• are not a list of categorised words."
Passphrases used for single-factor authentication cannot be used to authenticate to multiple different systems.
Passwords/passphrases set or reset on users’ behalf are randomly generated.
Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account.
Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor.
Users that do not set their own initial password/passphrase are required to change it on first use.
Service accounts are created as group Managed Service Accounts.
Accounts are locked out after a maximum of five failed logon attempts.
Repeated account lockouts are investigated before reauthorising access.
Users provide sufficient evidence to verify their identity when requesting an account unlock.
Authentication methods susceptible to replay attacks are disabled.
LAN Manager and NT LAN Manager authentication methods are disabled.
Privileged accounts are members of the Protected Users security group.
Credentials for local administrator accounts and service accounts are unique, unpredictable and managed.
Credentials are stored separately from systems to which they grant access.
Credentials are obscured as they are entered into systems.
Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched.
Windows Defender Credential Guard and Windows Defender Remote Credential Guard are enabled.
"Passwords/passphrases are changed if:
• they are directly compromised
• they are suspected of being compromised
• they appear in online data breach databases
• they are discovered stored in the clear on a network
• they are discovered being transferred in the clear across a network
• membership of a shared account changes
• they have not been changed in the past 12 months."
Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted.
"Systems are configured with a session or screen lock that:
• activates after a maximum of 15 minutes of user inactivity, or if manually activated by the user
• conceals all session content on the screen
• ensures that the screen does not enter a power saving state before the session or screen lock is activated
• requires the user to reauthenticate to unlock the system
• denies users the ability to disable the session or screen locking mechanism."
Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted.
Legal advice is sought on the exact wording of logon banners.
When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner.
When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism.
When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened.
When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner.
When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner.
When using a software-based isolation mechanism to share a physical server’s hardware for SECRET or TOP SECRET workloads, the physical server and all computing environments running on the physical server are of the same classification and within the same security domain.
System administration processes, and supporting system administration procedures, are developed and implemented.
Privileged users use separate privileged and unprivileged operating environments.
Privileged operating environments are not virtualised within unprivileged operating environments.
Unprivileged accounts cannot logon to privileged operating environments.
Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities.
All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened.
Administrator workstations are placed into a separate network zone to user workstations.
Management traffic is only allowed to originate from network zones that are used to administer systems and applications.
Administrative activities are conducted through jump servers.
Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities.
Patch management processes, and supporting patch management procedures, are developed and implemented.
Software registers are maintained and regularly audited for workstations, servers, mobile devices, network devices and all other ICT equipment.
Software registers contain versions and patch histories of applications, drivers, operating systems and firmware.
Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release.
Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours if an exploit exists.
Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month.
Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release.
Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within 48 hours if an exploit exists.
Patches, updates or vendor mitigations for security vulnerabilities in drivers and firmware are applied within two weeks of release, or within 48 hours if an exploit exists.
High assurance ICT equipment is only patched or updated when approved by the ACSC using methods and timeframes prescribed by the ACSC.
A centralised and managed approach is used to patch or update applications and drivers.
An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used.
An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place.
A centralised and managed approach is used to patch or update operating systems and firmware.
An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used.
An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place.
A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services.
A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications.
A vulnerability scanner is used at least daily to identify missing patches for security vulnerabilities in operating systems of internet-facing services.
A vulnerability scanner is used at least weekly to identify missing patches for security vulnerabilities in operating systems of workstations, servers and network devices.
A vulnerability scanner is used at least weekly to identify missing patches for security vulnerabilities in drivers and firmware.
Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.
Applications that are no longer supported by vendors are removed.
Operating systems that are no longer supported by vendors are replaced.
"Change management processes, and supporting change management procedures, are developed and implemented covering:
• identification and documentation of requests for change
• approval required for changes to be made
• assessment of potential security impacts
• notification of any planned disruptions or outages
• implementation and testing of approved changes
• the maintenance of system and security documentation."
A digital preservation policy is developed and implemented.
Data backup processes, and supporting data backup procedures, are developed and implemented.
Data restoration processes, and supporting data restoration procedures, are developed and implemented.
Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.
Unprivileged accounts, and privileged accounts (excluding backup administrators) cannot access other account’s backups.
Unprivileged accounts, and privileged accounts (excluding backup administrators) can’t access their own account’s backups.
Unprivileged accounts, and privileged accounts (excluding backup administrators), are prevented from modifying or deleting backups.
Backup administrators (excluding backup break glass accounts), are prevented from modifying or deleting backups.
Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises.
An event logging policy is developed and implemented.
A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs.
An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events.
For any system requiring authentication, logon, failed logon and logoff events are logged.
"The following events are logged for operating systems:
• access to important data and processes
• application crashes and any error messages
• attempts to use special privileges
• changes to accounts
• changes to security policy
• changes to system configurations
• Domain Name System and Hypertext Transfer Protocol requests
• failed attempts to access data and system resources
• service failures and restarts
• system startup and shutdown
• transfer of data to and from external media
• user or group management
• use of special privileges."
"The following events are logged for web applications:
• attempted access that is denied
• crashes and any error messages
• search queries initiated by users."
"The following events are logged for databases:
• access to particularly important data
• addition of new users, especially privileged users
• any query containing comments
• any query containing multiple embedded queries
• any query or database alerts or failures
• attempts to elevate privileges
• attempted access that is successful or unsuccessful
• changes to the database structure
• changes to user roles or database permissions
• database administrator actions
• database logons and logoffs
• modifications to data
• use of executable commands."
For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded.
Event logs are protected from unauthorised access, modification and deletion.
Event logs are retained for a minimum of 7 years in accordance with the NAA’s Administrative Functions Disposal Authority Express Version 2 publication.
Domain Name System and proxy logs are retained for at least 18 months.
Event log auditing processes, and supporting event log auditing procedures, are developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements.
Events are correlated across event logs to prioritise audits and focus investigations.
Development, testing and production environments are segregated.
Development and modification of software only takes place in development environments.
Data in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments.
Unauthorised access to the authoritative source for software is prevented.
Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for.
A software bill of materials is produced and made available to consumers of software.
Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications.
Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment.
A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services.
A ‘security.txt’ file is hosted for all internet-facing organisational domains to assist in the responsible disclosure of security vulnerabilities in organisations’ products and services.
Robust web application frameworks are used to aid in the development of secure web applications.
All web application content is offered exclusively using HTTPS.
Validation and/or sanitisation is performed on all input handled by a web application.
Output encoding is performed on all output produced by a web application.
Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers.
The OWASP Application Security Verification Standard is followed when developing web applications.
Hard disks of database servers are encrypted using full disk encryption.
Database servers and web servers are functionally separated, physically or virtually.
Data communicated between database servers and web applications is encrypted.
Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations.
Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks.
If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface.
Test and development environments do not use the same database servers as production environments.
All temporary installation files and logs are removed after DBMS software has been installed.
DBMS software is configured according to vendor guidance.
DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed.
DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions.
The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system.
The ability of DBMS software to read local files from a server is disabled.
Default database administrator accounts are disabled, renamed or have their passphrases changed.
Database administrators have unique and identifiable accounts.
Database administrator accounts are not shared across different databases.
Database administrator accounts are used exclusively for administrative activities, with standard database accounts used for general purpose interactions with databases.
Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions.
A database register is maintained and regularly audited.
File-based access controls are applied to database files.
Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm.
Databases and their contents are classified based on the sensitivity or classification of data that they contain.
Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties.
The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles.
Where concerns exist that the sum, or aggregation, of separate pieces of data from within databases could lead to a database user determining more sensitive or classified data, database views in combination with database user access roles are implemented.
Data in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment.
All queries to databases from web applications are filtered for legitimate content and correct syntax.
Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries.
Web applications are designed to provide as little error information as possible to users about database schemas.
An email usage policy is developed and implemented.
Access to non-approved webmail services is blocked.
Protective markings are applied to emails and reflect the highest sensitivity or classification of the subject, body and attachments.
Protective marking tools do not automatically insert protective markings into emails.
Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate.
Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email.
Email servers are configured to block, log and report emails with inappropriate protective markings.
The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified.
Emails containing Australian Eyes Only, Australian Government Access Only or Releasable To data are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed.
Email is routed through a centralised email gateway.
When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway.
Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway.
Email servers only relay emails destined for or originating from their domains.
Opportunistic TLS encryption is enabled on email servers that make incoming or outgoing email connections over public network infrastructure.
MTA-STS is enabled to prevent the transfer of unencrypted emails between complying servers.
SPF is used to specify authorised email services (or lack thereof) for all domains.
A hard fail SPF record is used when specifying email servers.
SPF is used to verify the authenticity of incoming emails.
Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients.
DKIM signing is enabled on emails originating from an organisation’s domains.
DKIM signatures on received emails are verified.
Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature.
DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks.
Email content filtering controls are implemented for email bodies and attachments.
Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway.
Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means.
Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices.
Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement.
Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services.
Networks are divided into multiple functional network zones according to the sensitivity or criticality of data or services.
Organisation networks are segregated from service provider networks.
VLANs are not used to separate network traffic between organisations’ networks and public network infrastructure.
VLANs are not used to separate network traffic between networks belonging to different security domains.
Network devices managing VLANs terminate VLANs belonging to different security domains on separate physical network interfaces.
Network devices managing VLANs belonging to different security domains do not share VLAN trunks.
Network devices managing VLANs are administered from the most trusted security domain.
IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used.
IPv6 capable network security devices are used on IPv6 and dual-stack networks.
Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment.
IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries.
Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease data stored in a centralised logging facility.
Network access controls are implemented on networks to prevent the connection of unauthorised network devices.
Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes.
A network device register is maintained and regularly audited.
Default accounts for network devices are disabled, renamed or have their passphrase changed.
Unused physical ports on network devices are disabled.
Servers maintain effective functional separation with other servers allowing them to operate independently.
Servers minimise communications with other servers at both the network and file system level.
Security measures are implemented to prevent unauthorised access to network management traffic.
SNMP version 1 and 2 are not used on networks.
All default SNMP community strings on network devices are changed and have write access disabled.
NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage.
NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any data flows that contravene any rule in firewall rule sets.
When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures.
Inbound network connections from anonymity networks to internet-facing services are blocked.
Outbound network connections to anonymity networks are blocked.
All wireless devices are Wi-Fi Alliance certified.
Wireless networks provided for the general public to access are segregated from all other networks.
The administrative interface on wireless access points is disabled for wireless network connections.
The default SSID of wireless access points is changed.
The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network.
SSID broadcasting is enabled on wireless networks.
Default accounts and passphrases of wireless devices are changed.
Configuration settings for wireless devices are hardened.
Static addressing is not used for assigning IP addresses on wireless networks.
MAC address filtering is not used to restrict which devices can connect to wireless networks.
WPA3-Enterprise 192-bit mode is used to protect the confidentiality and integrity of all wireless network traffic.
802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual authentication; with all other EAP methods disabled on supplications and authentication servers.
User identity confidentiality is used if available with EAP-TLS implementations.
Evaluated supplicants, authenticators, wireless access points and authentication servers are used in wireless networks.
Certificates are generated using an evaluated certificate authority solution or hardware security module.
Certificates are required for both devices and users accessing wireless networks.
Certificates are protected by encryption, user authentication, and both logical and physical access controls.
The PMK caching period is not set to greater than 1440 minutes (24 hours).
The use of FT (802.11r) is disabled unless authenticator-to-authenticator communications are secured by an ASD Approved Cryptographic Protocol.
Communications between authenticators and a RADIUS server are encapsulated with an additional layer of encryption using RADIUS over Internet Protocol Security or RADIUS over Transport Layer Security.
Wireless networks implement sufficient frequency separation from other wireless networks.
Wireless access points enable the use of the 802.11w amendment to protect management frames.
Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint.
The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on facilities in which SECRET or TOP SECRET wireless networks are used.
A cloud service provider is used for hosting online services.
Organisations are notified by cloud service providers of any change to configured regions or availability zones for online services.
Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes for online services.
Where a high availability requirement exists for online services, the services are architected to automatically transition between availability zones.
Where a requirement for high availability exists for online services, a denial of service mitigation service is used.
Organisations perform continuous real-time monitoring of the availability of online services.
Where a high availability requirement exists for website hosting, CDNs that cache websites are used.
If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network.
"Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:
• their capacity to withstand denial-of-service attacks
• any costs likely to be incurred as a result of denial-of-service attacks
• thresholds for notification of denial-of-service attacks
• thresholds for turning off online services during denial-of-service attacks
• pre-approved actions that can be undertaken during denial-of-service attacks
• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible."
The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented.
Domain names for online services are protected via registrar locking and confirming domain registration details are correct.
Availability monitoring with real-time alerting is implemented for online services to detect denial-of-service attacks and measure their impact.
Critical online services are segregated from other online services that are more likely to be targeted.
A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack.
Encryption software that has completed a Common Criteria evaluation against a Protection Profile is used when encrypting media that contains OFFICIAL: Sensitive or PROTECTED data.
HACE is used when encrypting media that contains SECRET or TOP SECRET data.
Full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition, is implemented when encrypting data at rest.
In addition to any encryption already in place, an ASD Approved Cryptographic Algorithm (AACA) is used to encrypt AUSTEO and AGAO data when at rest on a system.
Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure.
When a user authenticates to encryption functionality for ICT equipment or media storing encrypted data, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality.
Cryptographic equipment or encryption software that has completed a Common Criteria evaluation against a Protection Profile is used to protect OFFICIAL: Sensitive or PROTECTED data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.
HACE is used to protect SECRET and TOP SECRET data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.
In addition to any encryption already in place, an ASD Approved Cryptographic Protocol (AACP) is used to protect AUSTEO and AGAO data when communicated across network infrastructure.
Only AACAs or high assurance cryptographic algorithms are used by cryptographic equipment and software.
ECDH and ECDSA are used in preference to DH and DSA.
When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used.
When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3.
When using DSA for digital signatures, a modulus of at least 2048 bits is used.
When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4.
When using elliptic curve cryptography, a curve from FIPS 186-4 is used.
When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used.
When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used.
When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used.
When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used.
Symmetric cryptographic algorithms are not used in Electronic Codebook Mode.
AACAs used by HACE are implemented in an ASD approved configuration, with preference given to CNSA Suite algorithms and key sizes.
Only AACPs or high assurance cryptographic protocols are used by cryptographic equipment and software.
Only the latest version of TLS is used.
AES in Galois Counter Mode is used for symmetric encryption.
Only server-initiated secure renegotiation is used.
DH or ECDH is used for key establishment.
When using DH or ECDH for key establishment, the ephemeral variant is used.
Anonymous DH is not used.
SHA-2-based certificates are used.
Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function.
TLS compression is disabled.
PFS is used for TLS connections.
The use of SSH version 1 is disabled.
"The SSH daemon is configured to:
• only listen on the required interfaces (ListenAddress xxx.xxx.xxx.xxx)
• have a suitable login banner (Banner x)
• have a login authentication timeout of no more than 60 seconds (LoginGraceTime 60)
• disable host-based authentication (HostbasedAuthentication no)
• disable rhosts-based authentication (IgnoreRhosts yes)
• disable the ability to login directly as root (PermitRootLogin no)
• disable empty passwords (PermitEmptyPasswords no)
• disable connection forwarding (AllowTCPForwarding no)
• disable gateway ports (GatewayPorts no)
• disable X11 forwarding (X11Forwarding no)."
Public key-based authentication is used for SSH connections.
SSH private keys are protected with a passphrase or a key encryption key.
"When using logins without a passphrase for automated purposes, the following are disabled:
• access from IP addresses that do not require access
• port forwarding
• agent credential forwarding
• X11 display remoting
• console access."
If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled.
When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required.
Versions of S/MIME earlier than 3.0 are not used.
Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used.
The ESP protocol is used for IPsec connections.
IKE is used for key exchange when establishing an IPsec connection.
If using ISAKMP in IKE version 1, aggressive mode is disabled.
A security association lifetime of less than four hours, or 14400 seconds, is used.
HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm.
The largest modulus size possible for all relevant components in the network is used when conducting a key exchange.
PFS is used for IPsec connections.
The use of XAuth is disabled for IPsec connections using IKE version 1.
Keyed cryptographic equipment is transported based on the sensitivity or classification of the keying material in it.
The compromise or suspected compromise of cryptographic equipment or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs.
Keying material is changed when compromised or suspected of being compromised.
All communications security and equipment-specific doctrine produced by the ACSC for the management and use of HACE is complied with.
Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area.
All systems are protected from systems in other security domains by one or more gateways.
All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model.
"Gateways:
• are the only communications paths into and out of internal networks
• allow only explicitly authorised connections
• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)
• log all physical and logical access to their components
• are configured to save logs to a secure logging facility
• have all security controls tested to verify their effectiveness after any changes to their configuration."
Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing.
"All gateways connecting networks in different security domains are operated such that they:
• log network traffic permitted through the gateway
• log network traffic attempting to leave the gateway
• are configured to save event logs to a secure logging facility
• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns."
Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones.
Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls.
Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely.
System administrators are formally trained to manage gateways.
All system administrators of gateways are cleared to access the highest level of data communicated or processed by the gateway.
All system administrators of gateways that process Australian Eyes Only or Australian Government Access Only data are Australian nationals.
Roles for the administration of gateways are separated.
For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party.
Once connectivity is established, system owners become stakeholders for all connected security domains.
Users and services accessing networks through gateways are authenticated.
Only users and services authenticated and authorised to a gateway can use the gateway.
Multi-factor authentication is used for access to gateways.
ICT equipment accessing networks through gateways is authenticated.
When connecting a SECRET or TOP SECRET network to any other network from a different security domain, a CDS is implemented.
When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with.
When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with.
A CDS implements isolated upward and downward network paths.
A CDS implements protocol breaks at each layer of the OSI model.
A CDS implements content filtering and separate independent security-enforcing components for upward and downward data flows.
All security-relevant events generated by a CDS are logged and regularly analysed.
A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains.
Users are trained on the secure use of a CDS before access to the CDS is granted.
An evaluated firewall is used between organisations’ networks and public network infrastructure.
An evaluated firewall is used between networks belonging to different security domains.
The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties.
An evaluated diode is used for controlling the data flow of a unidirectional gateway between an organisation’s network and public network infrastructure.
An evaluated diode used for controlling the data flow of a unidirectional gateway between a SECRET or TOP SECRET network and public network infrastructure completes a high assurance evaluation.
An evaluated diode is used for controlling the data flow of a unidirectional gateway between networks.
An evaluated diode used for controlling the data flow of a unidirectional gateway between a SECRET or TOP SECRET network and any other network completes a high assurance evaluation.
A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred.
A web usage policy is developed and implemented.
All web access, including that by internal servers, is conducted through a web proxy.
"A web proxy authenticates users and provides logging that includes the following details about websites accessed:
• address (uniform resource locator)
• time/date
• user
• amount of data uploaded and downloaded
• internal and external IP addresses."
A web content filter is used to filter potentially harmful web-based content.
Client-side active content, such as Java, is restricted to a list of allowed websites.
Web content filtering controls are applied to outbound web traffic where appropriate.
"For TLS traffic communicated through internet gateways, either of the following approaches are implemented:
• a solution that decrypts and inspects all TLS traffic as per content filtering security controls
• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls."
Legal advice is sought regarding the inspection of TLS traffic by internet gateways.
A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure traffic communicated through internet gateways.
If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead.
If a list of allowed websites is not implemented, a list of blocked websites is implemented instead.
If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective.
Attempts to access a website through its IP address instead of through its domain name are blocked.
Dynamic domains and other domains where domain names can be registered anonymously for free are blocked.
When importing data into a security domain, the data is filtered by a content filter designed for that purpose.
Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed.
All suspicious, malicious and active content is blocked from entering a security domain.
Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator.
Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour.
Content validation is performed on all data passing through a content filter with content which fails content validation blocked.
Content conversion is performed for all ingress or egress data transiting a security domain boundary.
Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary.
Antivirus scanning, using multiple different scanning engines, is performed on all content.
The contents from archive/container files are extracted and subjected to content filter checks.
Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected.
Files that cannot be inspected are blocked and generate an alert or notification.
A list of allowed content types is implemented.
The integrity of content is verified where applicable and blocked if verification fails.
If data is signed, the signature is validated before the data is exported.
All encrypted content, traffic and data is decrypted and inspected to allow content filtering.
An evaluated peripheral switch is used when sharing peripherals between systems.
An evaluated peripheral switch used for sharing peripherals between SECRET and TOP SECRET systems, or between SECRET or TOP SECRET systems belonging to different security domains, preferably completes a high assurance evaluation.
An evaluated peripheral switch used for sharing peripherals between SECRET or TOP SECRET systems and any non-SECRET or TOP SECRET systems completes a high assurance evaluation.
Data transfer processes, and supporting data transfer procedures, are developed and implemented.
Users transferring data to and from a system are held accountable for the data they transfer.
All data transferred from a SECRET or TOP SECRET system to any other system is reviewed and approved by a trusted source.
A trusted source signs all data authorised for export from a SECRET or TOP SECRET system.
Trusted sources for SECRET and TOP SECRET systems are limited to people and services that have been authorised as such by an organisation’s Chief Information Security Officer.
Data imported to a system is scanned for malicious and active content.
Data imported to a SECRET or TOP SECRET system undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns.
When exporting data from a system, protective marking checks are undertaken.
"When exporting data from a SECRET or TOP SECRET system, the following activities are undertaken:
• data format checks and logging
• monitoring to detect overuse/unusual usage patterns
• limitations on data types and sizes
• keyword searches on all textual data."
Processes, and supporting procedures, are developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems.
When exporting AUSTEO or AGAO data from a system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator.
Data transfer logs are used to record all data imports and exports from systems.
Data transfer logs for systems are partially audited at least monthly.
Data transfer logs for SECRET and TOP SECRET systems are fully audited at least monthly.